Security Think Tank: Planning key to incident response

What does a good information security incident response plan look like?

Much has been published about incident response: the US National Institute of Standards and Technology has produced a comprehensive guide on the subject, and several thousand books have been published on it.

We at (ISC)2 cover incident response in our CISSP Common Body of Knowledge and divide it into three major components: creation of a response capability; incident handling and response; and recovery and feedback. There may also be a forensics piece to incident response and management, which will of course place certain restrictions and requirements on the plan, such as preserving evidence before systems are changed.

However, as Dwight Eisenhower once said: “plans are nothing, planning is everything”. No incident will follow the crafted plan – but by creating a plan, the incident response team will think through what can happen, discuss the options they may take and the decisions they have to make.

Organisations that have incident response as part of their cyber insurance policy will still need to plan how to integrate the various specialists and suppliers who are provided as part of the policy.

A good plan will, of course, not just have an IT and security focus. Other parts of the business – such as legal, HR and PR – should be involved. Plans should be made for communicating with the media, regulators and customers if a breach occurs, using all forms of media, and named individuals should be assigned responsibility for that communication.

Various scenarios – examples include being ‘doorstepped’ by a reporter, reacting to a tweet stating a breach has occurred, or reacting to a published ransom demand – should be planned and rehearsed, so the organisation can quickly state its message and the facts to all concerned.

Finally, a good plan will be rehearsed many times. It will not be left on the shelf but will be a living document, used, updated and enhanced regularly.

Adrian Davis is managing director EMEA for (ISC)2
