A security incident is an event that would cause financial and/or reputational harm, disrupt daily operations, or create compliance issues with state or federal regulations. An Incident Response Plan (IRP) tackles those problems ahead of time, so the planning is done while cooler heads can think clearly.
You should develop an IRP to guide your organization’s responses to security incidents. Your plan should include accurate contact information, the correct order to take steps, and other measures needed when dealing with information systems security incidents or suspected information technology misuse.
You should review your Incident Response Plan at least annually.
Who should be involved when developing an Incident Response Plan?
This really depends on your organization. Typically, we recommend your Risk Management, Information Technology, Information Security, and Management teams, with your IS department the primary owner of the plan. But part of development is making a start, then determining who else has a role.
What elements make up a good Incident Response Plan?
A good plan will include, of course, your designated Incident Response Team, along with their clearly defined roles and responsibilities. It will also identify potential stakeholders and important third-party contacts.
The third-party contact information you should typically keep up-to-date includes:
- Law enforcement
- Cyber Insurance Provider
- Regulatory Authorities (e.g., FDIC, OCC, TDFI)
- Managed IT Provider
- Legal
- Employees
Your plan should also define the steps you need to take to contain, eradicate and recover from an incident. It should include the steps you'd take to communicate with internal and external stakeholders (including customers, employees, and regulators).
And it should include what information should be gathered and documented during an incident.
How can we test our IRP?
A tabletop exercise is based on a realistic but fictitious security incident. When we run tabletop exercises for our clients, the organization's Incident Response Team, with our guidance, follows the Incident Response Plan to walk through how the organization would respond to the information presented in the scenario.
How have IR plans helped in real life?
Everything an organization would need during an incident should be available in its IRP: when to notify the Security Officer, IRT, etc.; when to notify regulators; contact information; criteria for the severity of an incident; and other important factors.
If you would like assistance in updating – or even developing – an incident response plan for your organization, contact us. Our team of experts can explain our process and answer questions when you call.