Incident Response Plan | Havoc Shield

Incident Response Plan

{Company name as you’d like it to appear in your policy:6} Incident Response Plan

Last Updated:

Created By:


Incident Response Plan

This plan details our formal, focused, and coordinated approach to responding to incidents. It should be used as the roadmap for implementing our incident response capability.

Effective security is a team effort, and everybody has a crucial role to play. This policy describes the preparations the company has made for security incidents, the approved responses, and guidance on creating a plan of action.

This plan applies to everyone who works for the company, including our employees, contractors, and third parties who have access to any company data.

Incident Response Team

The Incident Response Team’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Incident Response Team (IR Team) is led by an Incident Response Coordinator (IR Coordinator).

The IR Coordinator shall identify key resources who can provide relevant assistance. The IR Team may comprise resources who are included on-demand as required by a particular incident, but key members should be identified and properly trained prior to an incident.

Incident Response Team Roles & Responsibilities

Roles and responsibilities on the IR Team:

  • IR Coordinator (key role) : The central liaison and project manager for the response to any incident. This role also maintains the IR Plan and its procedures, and ensures the other key roles have received adequate training and awareness of their responsibilities to support the company’s incident response capability. For guidance, the IR Coordinator should review the National Institute of Standards & Technology’s Special Publication 800-61, Computer Security Incident Handling Guide.
  • Senior/Executive Management (key role) : Decision makers who can act on information gathered during incident investigation and recovery. This role has the authority to activate other plans, such as business continuity or disaster recovery if appropriate, and may need to provide external communications and investigatory support.
  • General Counsel (key role) : Liaison in cases where external communication or support is needed, such as notifications provided to customers or coordination with law enforcement.
  • Technical Subject Matter Experts: As-needed team members chosen based on skills required to investigate and recover from an incident (e.g. AWS engineer may be part of the team if an incident impacts resources hosted in AWS).
  • Business Subject Matter Experts: Team members with relevant skills in particular business processes, such as account management personnel who can handle customer notifications. Included on the team as-needed based on type and scope of incident.

Incident Definitions

An event is any observable occurrence on the company’s computers or networks; our logging and monitoring capabilities allow us to identify and track these. An incident is an event (or a set of related events) that has an adverse effect on the company, such as a loss of confidentiality, integrity, or availability. Various types of incidents are identified below. Note that this is not an exhaustive list, and the IR Coordinator should stay alert for new and emerging threats which could cause an incident.

  • Computer Security Incidents (Electronic/Cyber) examples:
    • Denial of Service or Distributed Denial of Service attack (DoS/DDoS), phishing, malware, ransomware, data breach (theft of data by copying)
    • Outage of a service provider, such as an AWS or Azure Region being offline
  • Physical Security Incidents
    • Theft of data-containing devices, such as laptop, USB drive, smartphone
    • Theft of other devices, such as access control card/badge or VPN token
    • Damage to or destruction of a facility (e.g. fire, earthquake)

Preparation Before Incidents

1. Manage Risk

It is essential to identify and reduce risks in order to reduce the likelihood of an incident occurring. Proper risk management must include identification of vulnerabilities and threats to company assets, and adequate measures to reduce the risks identified. The initial IR plan should contain details of company responses to these vulnerabilities.

2. Compile Needed Information & Document Action Plans

Decision making is challenging during a crisis, so it is important that the company have adequately prepared action plans which include all needed information. The IR Coordinator is responsible for documenting particulars including contact information, escalation procedures, and appropriate response procedures for potential incidents (e.g. malware containment and eradication). This information should be regularly reviewed for accuracy and updated as needed.

3. Establish Detection Methods/Alerts

It is imperative that proper detection methods be established, as these provide the input for the Incident Response process. As a proactive step, potential attack vectors should be identified during the risk assessment in Step 1; potential attack vectors include removable media, exposed network services and ports, web/Internet-based applications, email, improper usage by authorized users, loss or theft of equipment, etc. All risks identified should have adequate mitigations in place.

Ongoing monitoring should comprise thorough oversight of activities related to the company’s data wherever it is stored, processed, or transmitted. A variety of sources may be used to achieve this objective, and they are broadly organized into two categories:

  • Automated : such as Intrusion Detection/Prevention Systems (IDS/IPS), network activity monitors, database activity monitors, file integrity monitoring software, anti-malware tools, Security Information and Event Management (SIEM) systems, log correlation engines, etc.
  • Manual : such as problems reported by users, anomalous activity noted by administrators, manual log review (sources may include network device, application, and operating systems), information published by vendors or other reputable sources on vulnerabilities present in systems, etc.

All detection systems, such as IDS/IPS, SIEM, or other security systems, must have defined security owners who are responsible for responding to the alerts those systems generate. An alert with no owner is effectively not monitored.

Audit and activity logs are a key source of incident detection input. For the requirements for company systems to log activity, refer to the Network Security Policy.

4. Test and Train

Once procedures have been documented, the IR Coordinator should arrange for a test of the IR Plan. This testing should include training for all the key role personnel on their assigned duties. Testing & training should be conducted on a routine basis after the initial plan creation, to ensure personnel and plan details are kept current.

Prior to training, it is important to identify touchpoints to other company policies and processes, such as disaster recovery. Incident Response may require the activation of one or more of these processes; for example, an outage at a cloud service provider may require the use of disaster recovery procedures.

Required Response Steps

1. Analysis & Prioritization

When an incident is detected, the IR Coordinator is responsible for forming the IR Team and providing an initial analysis of the incident. This must include initial documentation of the incident details, the method of detection, and the steps to be followed throughout the remainder of the IR process.

The IR Team is responsible for prioritizing incidents once they have been detected. Since prioritization must take into account a variety of factors, it will likely require a cross-functional team of company employees. For example, phished administrator credentials are not just an access control/HR issue: they could also allow an attacker to steal data, install malware, etc. The IR Team must take a holistic view of the incident and analyze multiple factors to determine priority, such as the impacts to business function, information and data security, technology, and business recoverability.

Incidents must be assigned a priority from the levels documented below. The priority rating may change during the process of responding to and recovering from an incident, based upon changes in the circumstances.

  • P0 – Critical: The highest priority. P0 incidents are likely to have a catastrophic effect on the company, and therefore require the most attention and resources. P0 examples include a breach of all customer data, entire loss of data center/processing facilities, major pandemic affecting more than 75% of company employees, etc.
  • P1 – High: P1 incidents have a major effect on company operations, which are disrupted until the incident is resolved. P1 examples include a data breach, widespread malware infection, transient DDoS attack, etc.
  • P2 – Moderate: P2 incidents have a noticeable effect on company operations, but the business is able to continue as long as the incident is resolved quickly. P2 examples include a minor malware infection, temporary outage of a utility provider, loss of a primary processing capability (where secondary systems are able to take over), etc.
  • P3 – Low: These incidents have no noticeable effect on operations, but elevate the potential for risks to company operations. They should be addressed in accordance with sound risk management processes. P3 examples include loss of redundant hardware which can be replaced with no system downtime, a regionally isolated disease outbreak (e.g. avian flu) that does not affect company staff, loss of a redundant system capability, etc.

2. Containment & Eradication

The IR Coordinator is responsible for choosing appropriate containment and eradication methods to deal with incidents, based upon the analysis conducted by the IR Team.

Containing the Damage

The IR Team must act to prevent the incident from further impacting the company’s operations. The strategies and methods employed will vary depending on the circumstances of a given incident, but the IR Team and Coordinator should seek to achieve the following goals when choosing a containment strategy:

  • Prevent damage to and theft of company’s assets and resources
  • Preserve evidence to support investigations (e.g. capture volatile memory and logs before a host is powered off or rebuilt). Where needed, external resources, such as a forensic investigation firm, may be required.
  • Minimize losses of availability (i.e. ‘pulling the plug’ can stop an active attack, but also renders a system unusable for legitimate users and destroys volatile evidence)
  • Achieve highest benefit from resources required to execute the strategy
  • Maximize effectiveness. Analysis should be conducted to identify which strategy provides the highest level of containment while still achieving the preceding goals.

Eradicating the Incident

Eradication activities should follow the containment strategy, and should be focused on removing any remaining components of the incident. These might include the removal of malware from company computers, force-changing passwords for user accounts, and mitigating any vulnerabilities which led to an incident, such as removal of combustible material from computer rooms after a fire.

3. Recovery & Postmortem

Recovery from an incident can begin while other phases of the Incident Response are still being conducted, e.g. rebuilding a cleaned host while malware is still being removed from other systems on the network. The IR Coordinator must ensure that all impacted systems are returned to normal operations as a result of the chosen containment and eradication strategies; if they are not, additional work should be planned and executed.

To aid in recovery, the IR coordinator should document procedures and guides for common incidents, such as malware detection and recovery, denial of service attacks, etc. This documentation may be part of other company documents, such as Disaster Recovery (DR) or Business Continuity (BC) plans and procedures.

Once company operations have returned to normal, a postmortem (lessons learned) review should be conducted. This exercise should identify:

  • What went right during the incident response
  • What went wrong during the response, and changes to the IR Plan or procedures to prevent the same issue in the future
  • Root Cause Analysis, and recommendations for company to address the cause via Risk Management (e.g. additional controls or a change in business strategy)

Maintaining Information Security During Incidents

Incidents can lead to losses of data confidentiality, integrity, and/or system availability. While our company’s information security controls seek to reduce the possibility of such loss, unforeseen circumstances may occur.

We prioritize security during an incident according to the list below.

  • Integrity
  • Confidentiality
  • Availability

During an incident, the IR Coordinator must choose containment, eradication, and recovery strategies which minimize impacts according to this prioritization. For example, because confidentiality ranks above availability, a strategy which could lead to further data loss but preserves availability should be rejected in favor of a strategy which prevents further data loss at the expense of availability.

No strategy employed by the IR Team or IR Coordinator should knowingly allow additional or avoidable data loss.

Notification and Coordination

The company has a responsibility to notify and coordinate among a variety of stakeholders in the event of an incident. The IR Coordinator is responsible for managing internal notification and coordination, and must involve the appropriate resources to make decisions regarding external notification and coordination.

Internal

The IR Coordinator must notify all relevant company stakeholders, including Senior/Executive Management, General Counsel, and any Subject Matter Experts (collectively the IR Team). Additional notification may be required to internal stakeholders, e.g. an outage may affect business users who will not be part of the recovery effort, but whose work is blocked by the outage.

Containment, Eradication, and Recovery steps are also the responsibility of the IR Coordinator; as such the Coordinator acts as a project manager to schedule the required activities in logical order (e.g. restoring physical premises prior to the installation of computer networks and systems).

External

Due to the nature of data we maintain, it may be necessary to provide notification or coordinate with parties outside of the company. The IR Coordinator must determine if external communication and coordination are required, and involve appropriate company resources, as detailed below.

In the event of a confirmed data breach, the company must provide notification to customers who were impacted. At the discretion of the IR Team (including input from senior management and general counsel), details of the data breach may also be communicated to all customers and/or media. The IR Coordinator must craft appropriate communication based on the circumstances of the incident:

  • No data loss / Loss contained: Notification should include a summary of the incident as well as details of how data loss was contained or mitigated (e.g. the data exposed was encrypted and the relevant keys were not exposed, or was stored only as salted hashes that are resistant to offline guessing).
  • Data loss is suspected: Notification must include a summary of the incident, as well as specifics regarding the data breached (e.g. number of records, specific data that was included, such as account numbers). If data loss is confirmed, communication should also include details of any remedial actions the company is taking, such as enhanced controls, identity theft monitoring for affected customers, etc.

External Investigatory Support

Incident investigation and recovery may require outside support. The IR Coordinator must identify relevant external capabilities, such as forensic investigation or specific product support, and arrange for appropriate capabilities as needed. Ideally, these capabilities should be identified prior to an incident, with some procedures in place to activate them when needed (e.g. maintenance contracts, memoranda of understanding, or retainer of services).

Coordination with law enforcement

General counsel and senior management must make a decision regarding the involvement of law enforcement agencies. The IR Coordinator must provide all information available to support these decisions, and coordinate with law enforcement in the incident response process if deemed necessary.

Enforcement

Any user found to have violated this policy will be subject to disciplinary actions, up to and including termination of employment.

Exceptions

Any exception to this policy must be approved in writing by management. Such exceptions will only be granted when there is a legitimate business need and adequate compensating controls exist to reduce the risk of the policy exception.
