Incident response plan

Published by:
Digital Trust Center

The consequences of a disruption, data breach or cyberattack can be serious. In the event of an incident, it is important that you respond quickly and adequately to limit negative consequences. Incident response can help you with this.

What is incident response?

Incident response is the process an organisation uses to deal with an incident and its consequences. It is advisable to have a plan so that coordinated action can be taken when an incident occurs: an Incident Response Plan. An incident response plan is a set of instructions to help employees detect, respond to, and recover from security incidents. For example, a disruption, a data breach or a digital attack. The aim is to be able to react quickly, calmly, and adequately to limit damage and minimise repair work.

How do you set up an effective incident response plan?

Responsibilities

To act as effectively as possible in the event of an incident, it is important to have employees who can take on the required tasks. This includes analysing and monitoring threats, but also coordination in the event of an incident. Consider setting up an incident response team. Make sure it is clear who the members of this team are and what responsibilities they have, and see to it that they are trained.

Perform a risk analysis

What risks have occurred in the past, which threats exist, which systems are vulnerable, which threats are most likely to happen? These are all questions that can help you prepare for a potential incident. Making a risk analysis offers you tools for effective monitoring of incidents and taking actions to reduce risks.

Describe scenarios

Now that you know where the greatest risks lie, you can work out a plan to mitigate these risks. Make a clear step-by-step plan in which you describe which steps must be taken and which persons and parties must be involved or informed for every possible incident. Such a plan provides clarity in the event of an incident.

Set up a hotline

When someone suspects that an incident or threat is taking place, this person must be able to raise the alarm quickly. Make sure your employees know how to report an incident and when this is possible, preferably 24/7. Make sure it is also clear who is communicating with external parties (such as an IT supplier, cloud supplier or even the emergency services).

Communicate the plans

Make sure that employees are aware of the hotline, the scenarios, and any other contact persons. If employees know that the plan exists and how to report incidents, they can act quickly.

Secure, practice and learn

Make sure that the plans are well secured and kept safe. At the same time, make sure that the plans are accessible to everyone who needs them in the event of an incident. In addition, it is important to keep practising incidents so that proper incident response becomes a natural action and lessons can be learned from mistakes and obstacles.

How do you ensure effective incident response?

When an incident takes place, it is important that the following phases are completed. You record these phases in the incident response plan.

  1. In most cases, your business is running as it should and there are no ongoing incidents. You are in a 'business-as-usual' phase. Even in this phase, incident response work is ongoing: you prepare for a possible incident, and you have employees who monitor the IT environments.
  2. When an incident is discovered, you are in an analysis phase. You analyse what happened, what the size and seriousness of the incident is, and you collect data about the incident. In some cases, this may serve as evidence, so it is important to do this accurately.
  3. After discovering and identifying the incident, it is necessary to remedy the incident and limit damage. The actions you need to take are completely dependent on the incident. In the event of a malfunction, this will mainly concern the repair of the equipment or the use of a backup. When it concerns a criminal activity, such as a cyberattack, it is important to ensure that the attacker cannot access important information.
  4. After the incident, the systems can be restored. Check whether abnormal behaviour is still taking place and what the cause is. Test if everything is working properly.
  5. Evaluate the incident and the incident response. Has prompt action been taken? Could the incident have been prevented? These lessons learned can be used to adjust the incident response plan and be used for a possible next incident.

There are many examples and templates of incident response plans available. The National Cyber Security Centre (NCSC) has an incident response plan for ransomware available (in Dutch, PDF).
