Incident response plan

The impact of a disruption, data breach, or cyberattack can be serious. Responding appropriately when an incident occurs is therefore important to limit the negative consequences. Incident response helps you do this.
What is incident response?
Incident response is the process an organisation uses to deal with a digital incident and its consequences. It is recommended to have a plan, an incident response plan, so that the correct actions can be taken when an incident occurs.
An incident response plan is a set of instructions that helps employees detect, respond to, and recover from digital security incidents, such as a disruption, a data breach, or a digital attack. The aim is to react quickly and calmly in order to limit damage and minimise repair work.
How do you set up an incident response plan?
To act as effectively as possible in the event of an incident, you need employees who can take on the required tasks. These include analysing and monitoring threats, as well as coordination during an incident. Consider setting up an incident response team. Make sure it is clear who the members of this team are and what their responsibilities are, and that they are trained.
What risks have occurred in the past? Which threats exist? Which systems are vulnerable? Which threats are most likely to happen? These questions help you prepare for a potential cyber incident. A risk analysis gives you a basis for effective monitoring of incidents and for deciding which actions to take to reduce risks.
Once you know what the greatest risks are, you can work out a plan to reduce them. Make a clear step-by-step plan that describes, for every possible incident, which steps must be taken and which persons and parties must be involved or informed. Such a plan provides clarity in the event of an incident.
When someone suspects that an incident or threat is taking place, this person must be able to raise the alarm quickly. Make sure your employees know how to report an incident and when this is possible (preferably 24/7). Make sure it is also clear who will communicate with external parties (such as an IT supplier, cloud supplier, or even the emergency services). View an example of an emergency call list (pdf, in Dutch).
Make sure that employees are aware of the hotline, the scenarios, and any other contact persons. If employees know that the plan exists and how to report incidents, they can act quickly.
Ensure that the plans are properly secured and stored safely, but also that they remain accessible to everyone in the event of an incident. In addition, keep practising incidents so that proper incident response becomes easier and lessons can be learned from mistakes and obstacles.
Practise a ransomware attack with your incident response team (in Dutch).
How do you ensure effective incident response?
When an incident takes place, it is important that the following phases are completed. Record these phases in the incident response plan.
- In most cases your business is running as it should and there are no ongoing incidents: you are in a 'business-as-usual' phase. Even during this phase you are involved in incident response: you prepare for a possible incident, and you have employees who monitor the IT environments.
- When an incident is discovered, you are in an analysis phase. You analyse what happened and how large and serious the incident is, and you collect data about the incident. Do this accurately, because in some cases the data may serve as evidence.
- After discovering and identifying the incident, you need to find a solution and limit the damage. The actions you need to take depend entirely on the incident. In the event of a malfunction, this will mainly concern repairing the equipment or using a backup. When it concerns criminal activity, such as a cyberattack, it is important to ensure that the attacker cannot access important information.
- After the incident, the systems can be restored. Check whether unusual behaviour is still taking place and what its cause is, and test that everything is working properly.
- Evaluate the incident and the incident response. Was action taken promptly? Could the incident have been prevented? Use these lessons learned to adjust the incident response plan so that you are better prepared for a possible next incident.