By: Nihad Hassan
May 7, 2021
How To Create A Security Incident Response Plan
By: Nihad Hassan
May 7, 2021
The number of cyberattacks is escalating in both number and sophistication. As the world continues to move steadily to become fully digital, people's dependence on digital technology increases rapidly. As a result, criminals are riding the new digital wave and are shifting their operations to cyberspace.
Global cybercrime damage is expected to cost the world $10.05 trillion annually by 2025. The ongoing spread of the COVID-19 pandemic has forced most global organizations to adapt and shift their workforce to a remote model. This shift to a primarily remote workforce has led to a significant increase in cyberattacks.
A global study conducted by Tanium about the global effects of the COVID-19 pandemic on enterprise and government organizations' security aspects found an increase in the number of cyberattacks during the pandemic. The rise in cyberattacks is expected to remain even after the pandemic ends. According to many studies, most companies are willing to retain a part of their workforce to continue working remotely.
Organizations of all sizes and all different types of industries must prepare to handle security incidents. When an organization's revenue, reputation,business-sensitive data, and customers' data are at stake, an organization needs to develop a plan to identify and respond to cyberattacks. No matter the size of the cyberattack, whether it is a breach or a cyberattack aiming to disrupt an organization's online services, an organization must maintain an incident response plan to mitigate the risks of different types of cyberattacks.
This article will define the term incident response plan and mention the key elements in such a plan.
What is an incident response plan?
An incident response plan defines the roles and responsibilities and offers direction to the security team responsible for handling the security incidents that impact an organization's IT resources.
The incident response plan will define the tools for managing the incident, procedures that must be followed to identify the incident, and steps to investigate the incident, in addition to the notification requirements that must follow any security breach.
An incident response plan allows organizations to respond quickly and promptly to security incidents to limit their overall damage. The incident plan requires continual updates and training for all members involved in implementing it.
Benefits of having an incident response plan
There are various benefits for creating and maintaining an incident response plan; below are the four most critical elements:
- Protect your data: By having an incident response plan, the security team can protect organization data more efficiently. The incident response plan will include procedures to backup data, monitoring logs, and security alerts to detect malicious activities, in addition to implementing patch and access management. All of these procedures will help an organization lower its attack surface and respond rapidly in the event of an attack.
- The incident response plan is a requirement for some compliance regulations: For example, having an incident response plan is a requirement for the PCI DSS regulatory compliance.
- Protect business reputation and increase customer's and stakeholder's trust: Most customers will stop dealing with organizations affected by a data breach. On the other hand, stakeholders will be more willing to work with a company with proper security defenses. An incident response plan is considered part of the organization's overall security defense strategy against cyberattacks.
- Protect your revenue: The cost of a data breach is high. According to digital guardian, in the U.S., a data breach costs a company on average $8.19 million. A clear incident response plan will protect an organization from various security threats and efficiently handle an incident if one occurs.
Incident Response Plan Elements
The key elements of an Incident Response (IR) plan are:
- Introduction: This is the first phase where an organization lists its objectives from creating the incident response plan. Define the responsibilities and roles for all IR plan participants. The plan must also contain scope in addition to plan limitations. The tools (software and hardware) to execute the plan must be defined during this phase.
- Identification and First Response: In this phase, the person/s responsible for identifying the security incident – or breach- must be defined, in addition to preparing and testing the communication channel between various IR team members.
- Containment: In this phase, the security team will contain the security breach and limit its effects on sensitive business and customer data. For example, if the organization has been exposed to a ransomware attack, the security team can try to unplug all affected computers from the network to prevent the ransomware from spreading to other places within the network.
- Eradication: After containing the attack, it's time to investigate the attack's root cause. For example, the security team should discover the vulnerabilities that lead to the security incident they are currently handling. Remove the malware from the infected systems, harden affected systems, and apply the necessary updates and patches.
- Recovery: In this phase, the affected devices and services are returned to the operational environment.
- Lessons learned: After restoring all business operations to the same level before the incident, a meeting with the incident response team must be conducted to address lessons learned from the attack and discuss the best defense measures to prevent similar future attacks from happening.
An incident response plan becomes an integral part of the organization's security defense strategy. All incident response plans share the same key elements; six of them were listed in this article to help begin writing an incident response plan. The National Institute of Security Technology (NIST) provides a guide for developing a comprehensive incident response plan, including a detailed Computer Security Incident Handling Guide.