
How to bullet-proof your incident response plans

Ted Julian describes five steps that will help ensure that your incident response plans work when they are required.

Even in the most carefully thought out incident response (IR) plans, there is room for continual improvement. Anyone who has put a response plan into action knows there is a gulf between the theoretical plan and what actually happens given all the variables and complexities that inevitably occur. Because of this, plans often break down, particularly if they haven't been stress-tested against different real-world scenarios.

Whilst not everything will go according to schedule, a thoroughly tested and validated plan will minimise the impact of an incident which, in turn, leads to faster business recovery times. Indeed, no plan is complete until it has been tested with fire drills and functional exercises that assess its effectiveness and identify potential gaps.

Here we outline some practical steps to improving your incident response plan:

Step one: determine and declare an incident

Not all incidents are equal. The first step to improving an IR plan is to ensure that there is a policy in place that sets IR requirements and standards, with a procedure for each incident type, be it a DDoS attack, a POS system going down, or an intrusion on a workstation. The plan needs to accommodate specific scenarios and should be fine-tuned and tested accordingly. For example, when an incident is declared, the response should be based on the incident type, with well-developed supporting procedures and clear definitions of overall responsibility and chains of command within the organization.

Ensure from the outset that standardized policies are in place across the organization. For example, establishing a decision matrix - based on asset criticality, the impact to the business, and threat type - ensures that when an incident is declared, team members already know, based on severity, who needs to be involved and the timescales required for response and recovery.
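The decision matrix described above can be made concrete as a lookup that turns a declared incident into a response package. The following Python is an added example, not code from the article or from CO3 Systems; the incident types, threat weights, severity bands, team names, procedure identifiers and timescales are all assumed values chosen for illustration, and a real plan would substitute its own.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Incident:
    """A declared incident. Criticality and impact use an assumed 1 (low) to 3 (high) scale."""
    incident_type: str
    asset_criticality: int
    business_impact: int


# Assumed weights per threat type: the third axis of the decision matrix.
THREAT_WEIGHT = {
    "ddos": 2,
    "pos_outage": 2,
    "workstation_intrusion": 1,
    "insider_threat": 3,
}

# Assumed procedure references, one per incident type (placeholder identifiers).
TYPE_PROCEDURE = {
    "ddos": "IR-PROC-DDOS",
    "pos_outage": "IR-PROC-POS",
    "workstation_intrusion": "IR-PROC-WKSTN",
    "insider_threat": "IR-PROC-INSIDER",
}

# Assumed extra teams that a given incident type always pulls in, whatever its severity.
TYPE_EXTRA_TEAMS = {
    "insider_threat": ["HR", "Legal"],
    "pos_outage": ["Retail operations"],
}

# Assumed severity matrix: (who must be involved, respond within N minutes, recover within N hours).
SEVERITY_MATRIX = {
    Severity.LOW: (["Service desk"], 240, 72),
    Severity.MEDIUM: (["Security analyst", "IT operations"], 60, 24),
    Severity.HIGH: (["Incident manager", "Security analyst", "IT operations"], 30, 8),
    Severity.CRITICAL: (["Incident manager", "CISO", "Security analyst",
                         "IT operations", "Communications"], 15, 4),
}


def validate(incident):
    """Reject incidents the plan has no procedure for, or with out-of-range scores."""
    if incident.incident_type not in TYPE_PROCEDURE:
        raise ValueError(f"no procedure defined for incident type {incident.incident_type!r}")
    for name in ("asset_criticality", "business_impact"):
        value = getattr(incident, name)
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")


def severity_of(incident):
    """Combine the three matrix axes into one score and band it into a severity."""
    validate(incident)
    score = (incident.asset_criticality * incident.business_impact
             + THREAT_WEIGHT[incident.incident_type])  # score ranges from 2 to 12
    if score <= 3:
        return Severity.LOW
    if score <= 6:
        return Severity.MEDIUM
    if score <= 9:
        return Severity.HIGH
    return Severity.CRITICAL


def build_response(incident):
    """Look up the declared incident in the matrix and return the response package."""
    severity = severity_of(incident)
    responders, respond_minutes, recover_hours = SEVERITY_MATRIX[severity]
    extra = TYPE_EXTRA_TEAMS.get(incident.incident_type, [])
    return {
        "severity": severity.name,
        "procedure": TYPE_PROCEDURE[incident.incident_type],
        "responders": responders + [team for team in extra if team not in responders],
        "respond_within_minutes": respond_minutes,
        "recover_within_hours": recover_hours,
    }


if __name__ == "__main__":
    # Constructed sample declarations, one per assumed incident type.
    for inc in (Incident("pos_outage", 3, 3),
                Incident("ddos", 2, 2),
                Incident("workstation_intrusion", 1, 1),
                Incident("insider_threat", 2, 3)):
        print(inc.incident_type, build_response(inc))
```

The point of keeping the matrix as data rather than as a chain of conditions is that the plan can be reviewed, versioned and exercised as a table: a tabletop exercise can walk through each row and ask whether the named teams and timescales are still right, and an unknown incident type fails loudly instead of falling through to a default nobody agreed on.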

In our highly connected world of cloud-based technology and distributed networks, it's also important to think beyond your own organization's procedures. For example, are you subject to any third party or vendor incident response procedures that may need to be integrated into your own plans?

Step two: define roles, responsibilities and authority

One frequently cited gap in IR plans is that the right individuals or support groups are not aware of the plan or of their role in its execution. Since IR is typically a part-time job, plans can also fall down if individuals are not equipped with the resources or authority to pull in the support they need. To avoid this, equip the IR plan with clearly defined roles, responsibilities, and authority; if IT needs to assign further support to deal with an incident, ensure that they have the resources available to do this. What's more, it's important to ensure that the individuals involved are properly trained to handle what's expected of them.

With every good plan, what you leave out can be as important as what is put in. Think, therefore, about who does not need to be involved in the communications process; not everyone needs to be involved in every incident.

Finally, ensure the plan draws on the right expertise for the right incident, be it HR, Legal or a Board member. If the incident involves an insider threat, do HR and Legal need to be involved? These teams should have access to the information they need to respond effectively to the incident, which means collecting that information in advance, including network diagrams, key resources, and support services, and providing routes for it to be kept up to date.

Step three: build in scope for continual improvement

Since IR plans are anything but static, processes must foster continuous improvement. It is only through thorough testing of plans that checks can be put in place to iron out the problems and deal with different outcomes from varying situations. As a result, when a real incident happens, the routes for information sharing, your decision making, and the roles and responsibilities within the organization have already been exercised. Did the right people have the right information to make the best decisions?

Testing IR plans reviews the technical, operational, communication, and strategic responses to cyber incidents with the aim of making improvements where necessary. It can take different forms, from desktop or paper exercises, to full-scale functional exercises implementing parts of the IR plan for different groups. Whichever format is used, the aim is to test the plans to their fullest degree and to understand not only how well the organization is equipped to deal with an incident, but also how effective the recovery process is, so that you can resume normal business operations.

The key steps in every exercise should include:

  • Preparation, detection and analysis
  • Containment and eradication
  • Post incident activity
  • Recovery process

Step four: communication is key

Especially in the heat of the moment, communications plans can fail due to fundamental errors or omissions. Review and test your communications plan and assign a group whose role it is to keep it updated; the last thing you need is for a key member to have left the organization or to have changed role.

Maintain an overall communication and escalation plan with multiple channels and alternatives that have been fully tested. Incidents are just as likely to strike when you're least expecting them - weekends, evenings, or during holidays - so have checks in place to deal with the eventuality that emails may go unread or voicemails go unanswered.
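The escalation plan with tested alternatives can be expressed as an ordered chain that is walked until someone acknowledges, plus a review check that flags any contact who has no fallback channel. The Python below is an added example, not the article's or CO3 Systems' code; the contact names, roles, channels, acknowledgement deadlines and the weekend response scenario are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    name: str
    role: str
    channels: tuple  # ordered, primary first; each contact should have a tested alternative


@dataclass(frozen=True)
class EscalationStep:
    contact: Contact
    ack_timeout_minutes: int  # how long to wait on each channel before moving on


def validate_chain(chain):
    """Plan-review check: every step needs at least two channels and a finite deadline."""
    problems = []
    for step in chain:
        if len(step.contact.channels) < 2:
            problems.append(f"{step.contact.name} has no alternative channel")
        if step.ack_timeout_minutes <= 0:
            problems.append(f"{step.contact.name} has no acknowledgement deadline")
    return problems


def run_escalation(chain, ack_delay):
    """Walk the chain: try each channel of each contact until someone acknowledges.

    ack_delay(contact, channel) returns the minutes until acknowledgement, or None
    if the message is never acknowledged (unread email, unanswered voicemail).
    """
    elapsed = 0
    attempts = []
    for step in chain:
        for channel in step.contact.channels:
            delay = ack_delay(step.contact, channel)
            if delay is not None and delay <= step.ack_timeout_minutes:
                elapsed += delay
                attempts.append((step.contact.name, channel, "acknowledged"))
                return {"acknowledged_by": step.contact.name, "channel": channel,
                        "elapsed_minutes": elapsed, "attempts": attempts}
            # Deadline passed on this channel: record it and fall through to the alternative.
            elapsed += step.ack_timeout_minutes
            attempts.append((step.contact.name, channel, "no response"))
    # Nobody in the chain acknowledged: the caller must treat this as a plan failure.
    return {"acknowledged_by": None, "channel": None,
            "elapsed_minutes": elapsed, "attempts": attempts}


# Constructed escalation chain (names and roles are placeholders).
CHAIN = [
    EscalationStep(Contact("on-call analyst", "first responder", ("email", "sms", "phone")), 10),
    EscalationStep(Contact("incident manager", "deputy", ("sms", "phone")), 10),
    # Deliberately weak final step with a single channel, so validate_chain flags it.
    EscalationStep(Contact("head of IT", "executive backstop", ("phone",)), 15),
]

# Constructed weekend scenario: email unread, SMS answered too late, phone unanswered,
# deputy answers the SMS within four minutes.
WEEKEND_RESPONSES = {
    ("on-call analyst", "email"): None,
    ("on-call analyst", "sms"): 25,
    ("on-call analyst", "phone"): None,
    ("incident manager", "sms"): 4,
}


def weekend_ack_delay(contact, channel):
    return WEEKEND_RESPONSES.get((contact.name, channel))


if __name__ == "__main__":
    print("review findings:", validate_chain(CHAIN))
    print("weekend run:", run_escalation(CHAIN, weekend_ack_delay))
```

Running the scenario shows the cost of each untested alternative: three deadlines expire on the first responder before the deputy picks up, so a 34-minute time-to-acknowledge is the number the exercise report should carry, and the review check catches the single-channel backstop before a real weekend does.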

One aspect that should be communicated organization-wide is the process for media interactions. Every IR plan must clearly identify the appropriate spokespeople for media interactions and ensure that everyone in the IR team knows who these are.

Finally, have processes in place to prevent staff on the front line from becoming overwhelmed by incoming queries. Setting up automated responses, emails, or IR messages can prevent those on the front line from becoming besieged.

Step five: measure the impact

Ultimately, IR plans exist in the context of the specific needs of the business, so, when updating an IR plan, re-assess and identify what's important to your business - the risks and threats - and what would have the greatest impact on your business if an incident should happen. This may of course change over time.

Re-examine regularly what the cost is, from a business perspective, of loss of data or downtime of a system. What is the maximum amount of time you could be without a system - be it email, CRM or POS? What is the resulting cost per hour or per day of its downtime? Based on this, determine what redundancy, resiliency, and backup measures are required. Having done this, you can set clear objectives for recovery time that are aligned with business requirements.

Post mortems on previous incidents are also critical to the learning process, so, following each incident, carefully examine what could have been improved and how you could get back to business faster.

The reality for us all is that the increasing complexity of incident response makes it easy for critical requirements to fall through the cracks. This is the driving force behind new approaches to incident response management that standardize IR procedures, provide an end-to-end workflow and generate detailed incident response plans while ensuring that reporting and remediation are efficient and compliant. This leads to more resilient, repeatable, and robust processes which ensure that, when an incident happens, you can take the hit and get back up and running quickly, and with as little collateral damage as possible.

The author
Ted Julian is Chief Marketing Officer, CO3 Systems.

Date: 23rd July 2014 • Region: US/World • Type: Article • Topic: ICT continuity
