An incident response plan is a living document, backed by policies, guidelines and procedures, that prepares an organization for cyber security incidents affecting the confidentiality, integrity or availability of its information systems.
This plan guides the CSIRT (Computer Security Incident Response Team), which takes charge of security incidents once they have been detected by the SOC (Security Operations Center). Its goal is to put in place the people, processes, procedures and technologies needed to handle security incidents properly when they occur.
An Incident Response Plan is a crucial component of an organization's wider information security strategy; it complements other security operations areas such as vulnerability management, forensic investigations and threat intelligence.
This plan is therefore essential to an organization: it allows it to respond as quickly and efficiently as possible to a cyber attack, and its main purpose is to limit business losses.
For organizations that provide critical services, an Incident Response Plan can also help meet legal requirements and ensure adherence to the rules and regulations that apply to their particular sector.
The main element is the incident response policy. The plan outlines the organization's business processes, the risks to those processes and the resources that support incident response.
Other elements include the categorization and prioritization of incidents, playbooks for handling incidents by severity level and type, the team organization with defined tasks and responsibilities, and the technical procedures to follow.
These elements can be broken down into separate documents: for example, a technical procedure describing how to carry out forensic investigations during a particular incident, or a playbook detailing how to handle a ransomware infection.
According to the NIST publications, security incident handling is generally broken down into 7 phases:
Having an IRP in place is part of the Preparation phase. Detection and Analysis covers the controls that alert when an incident has taken place (typically operated by the SOC). Containment, Eradication and Recovery are the procedures and processes that reverse the effects of an incident and return the organization to normal operating mode.
The most important thing is to secure top management buy-in at the very beginning, before the plan is written; this ensures that the funding and resources will be available to implement it.
Guided by overall organizational policies and industry standards, the plan outline is written and customized to the organization’s business needs and identified risks.
The outline is then broken down into specific areas and documents that define the procedures to follow during an incident, the tasks and responsibilities of the different team members, and the technologies to be put in place. These separate documents are then distributed to the team members for implementation and testing.
It is recommended to run response exercises on a regular basis so that teams internalize the right behaviors before the day a cyber attack actually occurs.
Since an Incident Response Plan keeps evolving, it should be accessible to all stakeholders.
The plan must be updated on a regular basis as the company, its organization or its technologies change.
It should also evolve at the same pace as related areas such as risk management and the new cyber threats observed that could affect the organization.