[Template] Creating an Incident Response Plan

By: Blair Felter on January 21, 2020

Today’s organizations can’t afford to ignore data security. Whether it’s the threat of cyberattack, human error, or natural disaster, system downtime and data breaches can cripple a company in ways that will take them years to recover from (if they recover at all).

To combat these risks, IT professionals are working with forward-thinking CIOs and CSOs to develop comprehensive incident response plans. Far from a “nice to have” benefit, these plans are quickly becoming essential for anyone doing business in an increasingly interconnected digital world.

What is an Incident Response Plan?

An information security incident response plan lays out explicit instructions to guide IT professionals through the process of detecting, responding to, and recovering from any events that threaten network security. Situations such as cyberattacks, data loss, and downtime events would all fall under the broad category of incidents because they have the potential to disrupt network services and endanger valuable data and applications.

When something out of the ordinary occurs, a cyber security incident response team springs into action to identify the problem and resolve it as quickly and efficiently as possible. The incident response procedure outlines the specific steps the team needs to take as it investigates and resolves the issue.

Why is an Incident Response Plan Important?

Having a good response team in place is only part of the challenge. Without a clear incident response plan in place, even the most skilled and experienced team may not know where to start or understand the potential risks involved when a breach or other incident occurs. Time is critical during a network security incident, so having a detailed plan helps the team to prepare and make sure it doesn’t overlook anything in the midst of an emergency.

An IT incident response plan establishes the processes and procedures used to identify, contain, and manage security threats. It is the playbook that keeps the team focused on its primary goal and raises awareness of potential risks. The plan should also outline important obligations beyond the technical response itself, such as which incidents must be reported to regulators or affected individuals, and within what time limits, under breach notification requirements like those in the EU's GDPR and California's CCPA.

What Are the Key Incident Response Procedure Steps?

When developing an incident response procedure, it’s important to be aware of the two industry-standard cyber security incident response frameworks. While these standards incorporate similar components and processes, they use different terminology and groupings when it comes to tasks.

NIST Incident Response Plan Template

The National Institute of Standards and Technology (NIST) is a U.S. government agency dedicated to stimulating innovation, fostering industry competition, and enhancing quality of life through technology. Part of that mandate includes a robust focus on cybersecurity, which led the agency to publish its Computer Security Incident Handling Guide (NIST Special Publication 800-61) and the four-phase incident response process it describes:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

SANS Incident Response Plan Template

A private organization dedicated to research and training, the SANS Institute (originally SysAdmin, Audit, Network, and Security) has a relatively narrow mandate compared to NIST. Its focus on security led to the development of a separate six-step incident response process that is used as a framework by many organizations.

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

What’s the Difference?

In practice, not much. The first two steps of the NIST and SANS frameworks correspond closely: Preparation covers building the team, the tooling, and the asset inventory, while Detection and Analysis (NIST) and Identification (SANS) cover deciding which security events deserve further investigation and gathering evidence about any breach that occurs. Where they part company (slightly) is in the third step.

While NIST treats Containment (limiting the incident's spread and impact, for example by isolating affected hosts, disabling compromised accounts, or blocking malicious traffic), Eradication (removing the threat from the environment and closing the entry point it used, such as patching the exploited vulnerability), and Recovery (restoring affected systems to normal operation and verifying they are clean) as a single phase with multiple processes, SANS treats them as three separate phases. Note that these activities are often iterative rather than strictly sequential: findings made during eradication can send the team back to containment. The end result may be the same, of course, but the policies and controls put in place to manage them may look quite different. Likewise, NIST's Post-Incident Activity and SANS's Lessons Learned cover the same ground: reviewing what happened, what worked, and what did not, and feeding those findings back into the plan.

How Do You Write an Incident Response Plan?

Creating an incident response procedure is a critical step for any organization because it will serve as the go-to resource when a security incident takes place. When developing this plan, organizations should follow a few important steps to ensure they're addressing the wide variety of impacts a security incident can have on their network and operations.

Identify Critical Network Components

  • Determine which data and systems are mission-critical
  • Replicate and store essential data remotely
  • Prioritize systems for recovery
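Prioritizing systems for recovery is harder than ranking them by importance alone, because a mission-critical application cannot come back before the directory, DNS, or storage it depends on. The following is an added example, not code from the original article or from NIST or SANS, showing one way to turn an asset register into a dependency-aware recovery order and to flag critical assets that lack an off-site copy. The inventory, the asset names, the criticality tiers (1 = mission-critical, 3 = low priority), and the recovery time objectives (RTO) are all constructed for illustration.

```python
"""Dependency-aware recovery prioritization for an incident response plan.

Added example (not part of the original article). The inventory below is
constructed for illustration; replace it with your own asset register.
"""
from dataclasses import dataclass, field
import heapq


@dataclass
class Asset:
    name: str
    criticality: int                      # 1 = mission-critical ... 3 = low (assumed scale)
    rto_hours: float                      # recovery time objective (assumed values)
    depends_on: list = field(default_factory=list)
    offsite_replica: bool = False         # is essential data replicated remotely?


# Constructed sample inventory with hypothetical host names.
INVENTORY = [
    Asset("ad-dc01", 1, 2, [], True),
    Asset("dns01", 1, 2, ["ad-dc01"], True),
    Asset("storage-san", 1, 4, [], False),
    Asset("erp-db", 1, 4, ["storage-san", "ad-dc01"], True),
    Asset("erp-app", 2, 8, ["erp-db", "dns01"], True),
    Asset("intranet-wiki", 3, 48, ["dns01"], False),
    Asset("build-server", 3, 72, ["dns01", "storage-san"], False),
]


def recovery_order(inventory):
    """Return asset names in the order they should be restored.

    Kahn's topological sort driven by a priority queue: among assets whose
    dependencies have all been restored, the lowest criticality tier goes
    first, then the shortest RTO, then the name (for a stable result).
    Raises ValueError on an unknown dependency or a dependency cycle, both
    of which indicate a mistake in the asset register that must be fixed
    before an incident, not during one.
    """
    by_name = {a.name: a for a in inventory}
    for a in inventory:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown asset {dep}")

    remaining = {a.name: set(a.depends_on) for a in inventory}
    ready = [(a.criticality, a.rto_hours, a.name)
             for a in inventory if not a.depends_on]
    heapq.heapify(ready)

    order = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        # Release every asset whose last outstanding dependency was just restored.
        for other, deps in remaining.items():
            if name in deps:
                deps.discard(name)
                if not deps:
                    a = by_name[other]
                    heapq.heappush(ready, (a.criticality, a.rto_hours, a.name))

    if len(order) != len(inventory):
        stuck = sorted(n for n, deps in remaining.items() if deps)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def critical_without_offsite_copy(inventory, max_tier=1):
    """Names of assets at or above the given criticality tier that have no
    remote replica, i.e. gaps against the 'replicate and store essential
    data remotely' requirement."""
    return sorted(a.name for a in inventory
                  if a.criticality <= max_tier and not a.offsite_replica)


if __name__ == "__main__":
    for position, name in enumerate(recovery_order(INVENTORY), start=1):
        print(f"{position}. {name}")
    print("critical assets lacking an off-site copy:",
          critical_without_offsite_copy(INVENTORY))
```

The ordering deliberately lets a lower-tier asset that is already restorable (nothing blocks it) wait behind a tier-1 asset that just became ready; if that is not the behaviour you want, change the tuple pushed onto the heap. Keeping this register under version control and re-running the check after every change catches cycles and missing replicas while there is still time to fix them.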

Address Vulnerabilities in the Network

Develop a Business Continuity Plan

Create an Incident Response Team

  • Identify roles and responsibilities of members
  • Establish communication channels and work processes for network and data recovery
  • Ensure tools, technologies, and physical resources are available for incident response

Train and Educate Staff

  • Distribute incident response plan throughout the organization
  • Prepare incident response teams by conducting regular tests, exercises, and drills
  • Promote ongoing education to raise awareness of new and developing threats

Preparation Makes All the Difference

Taking the time to develop an information security incident response plan provides organizations with a clear roadmap to navigating challenging security threats when they occur. With a thorough plan in place, response teams can work much more quickly to address incidents rather than operating in the dark and stumbling through a potential crisis. Every second matters during a security incident, and any mistake or oversight could potentially result in prolonged downtime or a costly data breach. Developing a comprehensive IT incident response plan puts organizations on the best possible footing to manage these challenges no matter what form they take.
