What is a Cyberincident Response Plan and Do We Need One?

May 15, 2014

With today’s cybersecurity threats, companies need not only to defend their perimeter, but also to mitigate the effects of inevitable breaches or other cyberincidents. This can be done through an effective incident response (IR) plan that identifies risks and has clear points for decision making and clear escalation paths. The objectives of a good IR plan should be to limit damage, increase the confidence of external parties, and reduce recovery time and cost. A good plan will be pervasive across the whole business.

A deficient plan usually has the following:

  • Out of date or poor design (generic rather than company specific)
  • Not integrated across all segments of the business
  • Only a limited number of people with knowledge of the entire business

The benefits of a strong plan are the following:

  • Improved decision making through establishment of the appropriate decision makers
  • Internal coordination across all segments of the business
  • External coordination with important third parties (law enforcement, forensic experts, etc.)
  • Unity of effort through clear roles and responsibilities in the organization
  • Damage limitation to prevent escalation

The key elements of a strong plan would include the following:

  • Purpose and scope of use for the plan
  • Explanation of the different levels of incident response and how to document the process
  • How to handle various events (categorization and recommended actions)
  • Definition of incident types and affected information assets
  • Identification of the team responsible for incident response and its structure/decision rights and responsibilities
  • Response plans for each incident type along with checklists that would be triggered for the incident
  • Post-incident procedures and documentation

A strong plan is essential to meet the objectives of mitigating a cyberattack. As we often see in the news these days, a breach of the company is likely to be a question not of “if,” but of “when.”

If you have any questions regarding your company’s cybersecurity or other IT policy questions, please contact Jeff Cook of Aronson’s IT Audit and Advisory Services Group at 301-231-6220.