Learn how to get started on creating your own incident response plan.
Director of Forensic Investigations
CISSP, PFI, QSA
Developing and implementing an incident response plan will help your business handle a data breach quickly, efficiently, and with minimal damage done.
SEE ALSO: How to Manage a Data Breach: 5 Steps to Keep Your Business Safe
So how do you get started?
Here are 6 steps to help you create an incident response plan.
1. Identify and prioritize assets
Once you identify your lists of critical assets, prioritize them according to importance and highest risk. Make sure to quantify your asset values. This will help justify your security budget and show executives what you’re trying to protect and why it’s essential to do so.
SEE ALSO: 6 Phases in the Incident Response Plan
2. Identify potential risksDo research. Look at the greatest current threats against your business systems. Keep in mind that this will be different for every business.
For businesses that process a lot of data online, improper coding could be their biggest risk. For those in a brick-and-mortar environment that offer WiFi for their customers, it may be Internet access. Other businesses may place a higher focus on ensuring physical security. And some businesses may focus on securing their remote access applications.
Here are examples of a few possible risks:
- External or removable media
- Email security
- Social engineering
- Loss or theft
3. Establish proceduresYou can’t just hope you’ll know what to do should you get breached. If you don’t have a set of practiced procedures to follow, a panicked employee could end up making crucial mistakes that could be costly to your organization. Your policies and procedures for handling a data breach should include:
- identifying and containing a breach
- recording information on the breach
- notification and communications plan
- Defense approach
- Employee training
4. Set up a response teamYou’ll need to designate a team that helps coordinate the actions of your company after the discovery of a data breach. The goal for this team is to help coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.
Some of the necessary team roles are:
- Lead Investigator
- IT Director
- Communications Leader
- Documentations and Timeline Leader
- HR/Legal Representative
SEE ALSO: 5 Things Your Incident Response Plan Needs
5. Sell the planYour incident response team won’t be very effective if you don’t have the proper backing and resources to execute the plan. This is true from enterprise organizations to smaller, one-off businesses. That’s why you need to make sure that those who control your company’s purse strings are aware of the need and benefits of having an incident response plan.
Enterprise organizations should make sure executive members are on board with the idea of an incident response team. Smaller organizations should make sure their higher ups are okay with some additional funding and resources dedicated to incident response.
Present your plan with the mindset of how this will benefit the company, both financially and with your brand (think of the damage to your company’s reputation in the event that you suffer a data breach and do a poor job of managing the incident). The better you present your goals to protect your business, the easier it will be for you to obtain any needed funding to create, practice, and execute the plan.
SEE ALSO: 10 Tips for Increasing IT Budget and Security Buy-In
6. Employee trainingJust having an incident response plan won’t help you in a data breach. Your employees need to be aware of the plan and be properly trained on what they’re expected to do should you get breached.
Test the response plan through tabletop exercises. These exercises familiarize your employees with their particular roles in a data breach by testing your response plan through a potential hacking scenario. Through testing your plan, you can identify and address holes in the plan and help everyone involved see where they can improve, and do this when there is no actual risk to your business’s assets.
SEE ALSO: Employee Data Security Training: What You Should Do
Additional tipsHere are a few other things to think about when making your incident response plan:
- Train employees on data security: Help you employees to see their role in maintaining company security through being able to better identify phishing emails, social engineering efforts, and the like. This will help prevent data breaches and keep your employee’s focused on security
- Document everything: Documenting your plan is crucial to having set procedures, and it helps keep everyone on the same page
- Test your employees: Hire ethical social engineers to test employees and their training. This helps employees to practice what they’ve learned and be ready for the real thing
David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.