Maksim Kabakou - Fotolia
An incident response plan (IRP) is an organisation’s individualised structured set of procedures and guidelines that they follow when encountering a security incident or a disruptive event.
These may threaten the confidentiality, integrity, or availability of their information technology systems and/or compromise their data.
The primary goal of an incident response plan is to mitigate the impact of such incidents, minimise potential damage, and restore normal operations as swiftly as possible.
A good IRP consists of several elements such as asset identification, incident classification, containment and eradication, and recovery with lessons learnt.
In order to ensure that an organisation is appropriately prepared for the inevitable attack, it is best that they follow an incident response process that is built in a framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Following the NIST framework incident response process will allow the organisation a way of streamlining a process that most security professionals learn about in the early stages of their careers.
It is a well-known process throughout the cyber security community that can allow cross-organisational collaboration. Using this framework will also aid most organisations to comply with local regulatory requirements.
The NIST incident response process has four main components that can be included in a plan: preparation, detection/analysis, containment/eradication, and recovery. These enable a continuous learning and organisational improvement cycle.
More elements can be added to this, but for most plans, this should be the baseline and/or minimum included in the plan.
It is vital to use a framework like the one from NIST to develop a well-structured plan that can be aligned with the organisation's business goals and risk tolerance.
This is the first step towards gaining and securing the buy-in from the leadership of an organisation and enhancing the organisation's readiness to respond to any security incidents.
The Computer Weekly Security Think Tank on incident response
- Mike Gillespie, Advent IM: Incident response planning is vulnerable to legacy thinking.
- Sam Lascelles, PA Consulting: Use existing structures to build your incident response plan.
- Jack Chapman, Egress: Incident response planning requires constant testing.
- Becky Gelder, Turnkey Consulting: Incident response plans: The difference between disaster and recovery.
- Chris McGowan, ISACA: Enhancing security: The crucial role of incident response plans.