Tips For Creating A “Best Practice” Incident Response Plan

According to security researchers, 2017 was a seriously bad year for data breaches. In the first 9 months there were 3,800 reported breaches, exposing around 7 billion records. And there are no signs of that pace slowing down anytime soon. That suggests that for 2018, one of the best ideas you can implement for your business is an incident response plan.

An incident response plan documents the steps a business must follow in the event of a data breach, or other type of data security threat. Depending on the type of threat, the steps can vary. But often they’ll include sections such as containment, elimination, recovery, notification, and post-incident review.

To help you craft or review your incident response plan, here are seven best practice tips to follow:

Identify & Prioritise the Data to Protect

Businesses nowadays have plenty of data, but only limited resources to protect it. Therefore, it’s important to identify and understand what makes up your data before developing an incident response plan. What’s critical to business operations? What are your databases made up of? Which data contains personal information (e.g., payroll records)? Answering such questions helps identify what needs protecting the most.

Easy to Implement

If a data breach occurs, your plan needs to be easy to implement. Make sure it has explicit and specific procedures to follow. Keep general directives to a minimum. The Cybersecurity Unit at the U.S. Department of Justice suggests that procedures should, at a minimum, contain the following items:

  • Who’s in charge of / responsible for each step (e.g., containment, elimination, recovery) in the incident response plan, and how you contact them 24/7.
  • How to proceed if they are unreachable, who their backup person is and how to reach them
  • What needs the greatest protection (i.e., mission-critical data and data containing personal information)
  • How to preserve data related to the breach in a forensically sound manner
  • Criteria to determine who should be notified of a data breach (e.g., affected customers, the general public)
  • When and how to notify law enforcement and cyber-incident reporting organizations

Avoid Reinventing the Wheel

You don’t need to create an incident response plan from scratch. There are plenty of resources available that can help you.

The Incident Response Policies and Plans resources page on the Incident Response Consortium website has free guides to download. The American Institute of Certified Public Accountants (AICPA) has a free incident response plan template you can download and adapt for use in your company. Go to the AICPA website and search for “incident response plan”.

Make Sure It Aligns with Other Plans

Some information in your incident response plan might overlap with other plans. Recovering from a data breach might also be discussed in a disaster recovery plan. It’s important to ensure the information in both plans aligns.

Review your other IT and/or company policies to make sure they align with the incident response plan. During this review, consider making sure you have policies in place that will help prevent data breaches. As an example, data breaches can be instigated by former employees. Do you have a policy that requires IT or HR staff to deprovision former employees’ accounts after they leave?

Test Your Plan

You don’t want to discover problems in a plan during the moments you genuinely need to use it. Just like a fire drill, consider having a periodic data breach drill. Such drills will help you to identify any required updates to the plan. These drills also give staff the chance to learn and practice the process, which improves response times in the event of an actual breach.

Review your incident response plan once a year to make sure it is up-to-date. Share any changes with the appropriate staff.

Stay Calm and Follow the Plan

An actual data breach is stressful and perhaps even frightening. If one occurs in your business, stay calm and follow your incident response plan. You created and tested this plan; let it guide you through the steps to be performed.

Stay Alert, Monitor

Once the problems caused by a data breach have been attended to, you’re likely to want to forget about the ordeal and try to get back to normal. You must resist this urge and:

  • Monitor your systems for suspicious activity. Ensure the intruder has not returned
  • Remain vigilant for new incidents
  • Have a post-incident review. Identify issues encountered when executing the incident response plan

Help Is Available If Needed

Creating and testing an incident response plan is quite a task. It’s an important and complex document. If you feel it’s a task you’d rather have help with, we can assist you to create an actionable plan in case your business becomes a data breach victim.

 

 
