Find out some of the essentials to include in your incident response plan.  

By: David Ellis
SVP, Investigations
CISSP, QSA, PFI
Previously, we outlined 6 first steps in creating an incident response plan:
  1. Identify and prioritize your assets
  2. Identify your potential risks
  3. Establish procedures
  4. Assemble a response team
  5. Sell your plan to the company decision-makers

When it comes to creating an incident response plan, it can seem a little overwhelming. Breaking it down into smaller components can help relieve some of your stress by making the project more manageable. Every business is different and will require different types of training, documents, policies, etc. that are tailored to your company’s specific needs. But there are a few things most businesses should include in their incident response plans.

A helpful way to organize your incident response plan is to have a series of itemized response lists. These are basically a series of “to-do” lists that provide needed information and tasks to perform during a data breach.

SEE ALSO: How to Manage a Data Breach: 5 Steps to Keep Your Business Safe
Here are 5 itemized response lists you’ll want in your incident response plan.

1.  Emergency contact/communications list

This list includes those that should be contacted in the event of a data breach. Those notifications could include:
  • Response team
  • Executive team
  • Legal team
  • Forensics company
  • Public Relations
  • Affected individuals
The list should contain information on how to reach these contacts and what you need to say. Prepared emails and talking points can help communicate the issues more clearly and concisely, and could help you stave off potentially bad press or other negative repercussions early in the event.


2.  System backup and recovery processes list

This list will help you deal with the technical side of a data breach. Here are some things that should be included:
  • Process for disconnecting from the Internet (your process needs to state who is responsible for deciding whether to disconnect or to wait and see)
  • System configuration diagrams that include device descriptions, IP addresses, OS, etc.
  • Process for switching to redundant systems and preserving evidence
  • Steps to test the system backup and verify it hasn’t been compromised, and that it will not be affected by the suspected compromised systems
This list gives you quick steps to preserve any compromised data and to handle the breach promptly, while preserving your systems through backups. It is crucial for keeping your business from losing too much data in a breach and for returning to normal operations as quickly as possible.
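The last item on the list, verifying that a backup has not been compromised before you restore from it, is the kind of step that is easy to write down and hard to do under pressure. The script below is an added example (not part of the original article or any SecurityMetrics tooling) of one way to make it mechanical: when a backup is taken, hash every file and sign the listing with an HMAC key that is kept off the backup host; at restore time, recompute the hashes and check the signature, so altered, missing or unexpected files, and a manifest that was rewritten to hide them, are all reported before anything is restored. The directory layout, file names and key in `demo()` are constructed for illustration.

```python
"""Backup integrity manifest: build a signed hash manifest when a backup is
taken, and verify the backup against it before restoring during an incident.
Added example; assumes the HMAC key lives somewhere the backup host cannot
reach (an offline vault), so an attacker who alters the backup cannot re-sign."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large backups do not exhaust memory


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _sign(files: dict, key: bytes) -> str:
    # Canonical JSON so the same listing always produces the same signature.
    body = json.dumps(files, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def build_manifest(backup_root: str, key: bytes) -> dict:
    """Hash every file under backup_root and sign the listing."""
    root = Path(backup_root)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "hmac": _sign(files, key)}


def verify_manifest(backup_root: str, manifest: dict, key: bytes) -> dict:
    """Report whether the manifest signature holds and list modified,
    missing and unexpected files relative to the manifest."""
    files = manifest["files"]
    report = {"signature_ok": hmac.compare_digest(_sign(files, key), manifest["hmac"]),
              "modified": [], "missing": [], "unexpected": []}
    root = Path(backup_root)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digest in files.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(root / rel) != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(present - set(files))
    # Only restore when the listing is authentic AND every file matches it.
    report["restorable"] = report["signature_ok"] and not (
        report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed demonstration: a clean backup, a tampered file, and a
    manifest forged to match the tampered file without knowing the key."""
    key = b"demo-key-keep-offline"  # placeholder; a real key comes from a vault
    with tempfile.TemporaryDirectory() as d:
        Path(d, "etc").mkdir()
        Path(d, "etc", "app.conf").write_text("listen=443\n")
        Path(d, "db.sql").write_text("CREATE TABLE users(id INT);\n")
        manifest = build_manifest(d, key)
        clean = verify_manifest(d, manifest, key)

        # An attacker with access to the backup host alters a file...
        Path(d, "db.sql").write_text("CREATE TABLE users(id INT); -- altered\n")
        tampered = verify_manifest(d, manifest, key)

        # ...and rewrites the manifest to match, but cannot produce a valid HMAC.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["db.sql"] = sha256_file(Path(d, "db.sql"))
        forged_report = verify_manifest(d, forged, key)
        return {"clean": clean, "tampered": tampered, "forged": forged_report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and key should be stored apart from the backup itself; if both sit on the same host, whoever can alter the backup can also re-sign the manifest and the check proves nothing.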

SEE ALSO: 6 Phases in the Incident Response Plan

3.  Forensics analysis list

This list is for businesses that have in-house forensic investigation resources. Your team will need to know where to look for strange behavior and have access to system security and event logs. Some of the tools your team will need may include:
  • Data acquisition tools
  • Write-blockers
  • Clean/wiped USB hard drives
  • Cabling for all connections they could experience in your environment
  • Forensic analysis tools such as EnCase, FTK, X-Ways, etc.
If your business doesn’t have access to an experienced computer forensic examiner in-house, you will want to consider vetting a forensics firm in advance with pre-completed agreements. This helps ensure you get an experienced investigator when you need it.

SEE ALSO: What Does a Cyber Forensic Investigation Do and How Much Does It Cost?


4.  Jumpbag list

This is a list for grab-and-go responses. When responding to a breach quickly, have a list of overall actions your employees need to take right away. It keeps the plan organized and prevents mistakes caused by panic. Some things to include in this list are:
  • Incident handler’s journal to document the incident
  • Incident response team contact list
  • USB hard drives and write-blockers
  • USB multi-hub
  • Flashlight, pens, notebooks
  • All of the lists mentioned in this article
  • USB and/or DVD-ROM containing bootable versions of your OS
  • Computer tool kit
  • Forensic tools and software (if your company has the expertise to perform its own forensic investigations—if not, this is best left to professionals)

5.  Security policy review list

This list deals with the aftermath of the breach and the response to it. It essentially helps your organization analyze the breach and what you can learn from it. This list should include documentation of the following things:
  • When the breach was detected, by whom and what method
  • Scope of the incident/affected systems
  • Data that was put at risk
  • How the breach was contained and eradicated
  • Work performed or changes made to systems during recovery
  • Areas where the response plan was effective
  • Areas that need improvement
You should look at where your security controls failed, and how to improve them. The purpose of this list is to document the entire incident, what was done, what worked, what didn’t, and what was learned.
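The incident handler's journal from the jumpbag list and the post-incident documentation above are the same record at two points in time: the notes taken while responding become the evidence the review is built on. Below is an added example (my own illustration, not part of the original article) of a journal where each entry is hash-chained to the one before it, so a later edit to the timeline is detected when the chain is verified, and the review list's facts (when the breach was detected, by whom and how, affected systems, containment and recovery steps) can be pulled straight out of it. The incident ID, handler names, timestamps and actions in `demo()` are constructed.

```python
"""Tamper-evident incident handler's journal (added example). Each entry's hash
covers the previous entry's hash, so editing or removing an entry breaks the
chain from that point on; the review summary is derived from the entries."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry


def _entry_hash(prev_hash: str, ts: str, handler: str, action: str, details: dict) -> str:
    payload = json.dumps([prev_hash, ts, handler, action, details],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class IncidentJournal:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, handler: str, action: str, details: dict, ts: str = None) -> dict:
        """Append an entry linked to the previous one."""
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "handler": handler,
                 "action": action, "details": details, "prev": prev,
                 "hash": _entry_hash(prev, ts, handler, action, details)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Re-derive every hash and link. Returns (ok, first_bad_seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            if _entry_hash(prev, e["ts"], e["handler"], e["action"], e["details"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def review_summary(self) -> dict:
        """Extract the facts the security policy review list asks for."""
        s = {"incident": self.incident_id, "detected_at": None, "detected_by": None,
             "detection_method": None, "affected_systems": set(),
             "containment_steps": [], "recovery_changes": []}
        for e in self.entries:
            d = e["details"]
            if e["action"] == "detected" and s["detected_at"] is None:
                s.update(detected_at=e["ts"], detected_by=e["handler"],
                         detection_method=d.get("method"))
            elif e["action"] == "scoped":
                s["affected_systems"].update(d.get("systems", []))
            elif e["action"] == "contained":
                s["containment_steps"].append(d.get("step"))
            elif e["action"] == "recovered":
                s["recovery_changes"].append(d.get("change"))
        s["affected_systems"] = sorted(s["affected_systems"])
        return s


def demo() -> dict:
    """Constructed incident timeline, then an after-the-fact edit to it."""
    j = IncidentJournal("IR-EXAMPLE-001")  # placeholder incident id
    j.record("analyst-1", "detected", {"method": "IDS alert on unusual outbound traffic"},
             ts="2024-01-15T08:12:00+00:00")
    j.record("analyst-1", "scoped", {"systems": ["web-01", "db-02"]},
             ts="2024-01-15T08:40:00+00:00")
    j.record("it-ops", "contained", {"step": "isolated web-01 from the network"},
             ts="2024-01-15T09:05:00+00:00")
    j.record("it-ops", "recovered", {"change": "restored db-02 from verified backup"},
             ts="2024-01-15T14:30:00+00:00")
    ok_before, _ = j.verify()
    summary = j.review_summary()
    # Someone later edits the detection time to make the response look faster.
    j.entries[0]["ts"] = "2024-01-15T08:00:00+00:00"
    ok_after, bad = j.verify()
    return {"ok_before": ok_before, "ok_after": ok_after,
            "first_bad_seq": bad, "summary": summary}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Chaining on its own only shows that the record changed after the fact; to make it authoritative, periodically export the latest entry hash to somewhere the handlers cannot edit (a ticket, an email to legal), so the chain can be anchored to a known point in time.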

Be prepared

You don’t want to have the mentality that you’re protected because you believe a data breach won’t happen to you. Experiencing any data breach is harsh. If you aren’t prepared in advance, the damaging effects of the breach will be more severe. When you have an incident response plan (and rehearse it), should the worst happen, your employees and your business will be able to handle it.

Talk to us about getting a forensic examination!  

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.