Developing an incident response plan
An incident response plan determines how your organisation will respond to a cyber security incident. Having a plan in place can dramatically limit damage, improve recovery time and help safeguard your business.
Crucially, incident response plans must have buy-in from the business executives—they are generally the key decision makers and the ones facing the public when there is a significant incident (they may also be the legally responsible office holder). Without their involvement or support, plans can be completely disregarded the moment there is an incident.
These plans also help make cyber security front-of-mind for CEOs and business executives as they detail the known threats facing the business and the risk of compromise.
A good incident response plan should include the following:
- Analysis of the threat environment including the likelihood and severity of potential incidents. Consider industry specific threats, the type and value of data you hold, third party networks and cyber security posture of your networks.
- Identification of key assets, data and critical systems. What are you working to protect and why does it need protecting?
- Plans for each major incident type and different types of data that could be compromised. For example, the theft of personnel data would have a very different response to a ransomware attack. These plans should include timeframes and objectives.
- Key roles and responsibilities of management and staff. It’s crucial all parties involved understand the reporting lines—who will be making decisions, what the decision thresholds are and what involvement there is from senior management.
- Key tools including contact lists, checklists and guides for use during the response.
- A process for alerting necessary stakeholders including the Australian Cyber Security Centre board members, suppliers and external agencies that may be impacted.
- Public relations and media management. What advice can you give your customers/clients? Who is the media spokesperson and what can be said to the media? If businesses fail to manage this well, the reputational damage can far outweigh the actual business cost of the incident.
- Arrangements to regularly review and exercise the plan. A plan might look good on paper but it regularly needs to be exercised to ensure it is effective. Make sure there is a review schedule that considers the frequency of changes to the organisation or the threat environment. For example - for a large organisation that has frequent structural changes or new platforms, consider reviewing every three months. For a smaller organisation, perhaps every six months.
- Post-incident review and reporting. It’s important to document the incident details and response actions, collect the lessons learned and update the incident response plan to improve future responses.
Other actions worth considering include:
- Personal impact: many cyber security incidents have a very real impact on individuals. What support can be provided and how will you manage the human side of this incident?
- Legal exposure: many cyber security incidents result in court cases that can be very expensive. Ensure your legal team/service provider is consulted in the drafting of the incident response plan.
- Business consultation: cyber security incidents are not just an issue for the technology team, they have impact across the business. Consulting on this plan will also assist internal coordination during an incident.
Being fully prepared is your best defence.