What is an Incident Response Plan?

Abi Tyas Tunggal


An incident response plan is a set of written instructions that outline your organization's response to data breaches, data leaks, cyber attacks and security incidents.

Incident response planning contains specific directions for specific attack scenarios, avoiding further damage, reducing recovery time and mitigating cybersecurity risk.

Incident response procedures focus on planning for security breaches and how organizations will recover from them.

Without a formal IR plan in place, organizations may not detect attacks or may not know what to do to contain, clean up and prevent attacks when detected.

Remember, techniques like IP attribution aren't always helpful, and your organization may not be able to recover stolen data; it needs to know what it will do in that event.

Why is Incident Response Planning Important?

Incident response planning is important because it outlines how to minimize the duration and damage of security incidents, identifies stakeholders, streamlines digital forensics, improves recovery time and reduces negative publicity and customer churn.

Even small cybersecurity incidents, like a malware infection, can snowball into bigger problems that ultimately lead to data breaches, data loss and interrupted business operations.

A proper incident response process allows your organization to minimize losses, patch exploitable vulnerabilities, restore affected systems and processes and close the attack vector that was used.

Incident response encompasses preparation for known and unknown cyber threats, reliably identifying root causes of security incidents and post-incident disaster recovery.

It allows organizations to establish best practices for incident handling and develop a communication plan that may involve notifying law enforcement, employees and staff.  

Incident response is a crucial component of preventing future incidents and running an organization that processes sensitive data like personally identifiable information (PII), protected health information (PHI) or biometrics.

Every security event can have a short-term and long-term impact on your organization. According to IBM and the Ponemon Institute, the average cost of a data breach in 2022 was $4.35 million.

Beyond the cost, business continuity, customer loyalty and brand protection are massive concerns, especially as organizations increasingly rely on third-party vendors.

While it's impossible to remove all security issues, an effective incident response process can mitigate the largest cybersecurity risks.


Who is Responsible for Incident Response Planning?

Organizations should form a computer security incident response team (CSIRT) that is responsible for analyzing, categorizing and responding to security incidents.

Incident response teams can include:

  • Incident response manager: oversees and prioritizes actions during detection, containment and recovery of an incident. They may also be required to convey high-severity incidents to the rest of the organization, customers, law enforcement, regulators and the public where applicable.
  • Security analysts: support and work directly with affected resources, as well as implementing and maintaining technical and operational controls.
  • Threat researchers: provide threat intelligence and context around security incidents. They may use third-party tools and the Internet to understand current and future threats. Organizations will often outsource this function if the expertise does not exist in-house. If this is your organization, look for tools or services that can automatically monitor for leaked credentials, data leaks and third-party and fourth-party vendor security posture.

That said, effective incident response relies on cross-functional incident response team members from all parts of the organization. 

Without stakeholders from senior leadership, legal, human resources, IT security and public relations, incident response teams can prove ineffective. 

Senior leadership support is particularly necessary to gather necessary resources, funding, staff and time from different teams. This may be a Chief Information Security Officer (CISO) or Chief Information Officer (CIO) at a large organization or even the CEO or a board member at smaller organizations. 

Legal counsel can help the organization understand which data breaches must be reported to regulators and customers, and can advise on liability for third-party vendor data breaches.

Where an incident is from an insider threat, human resources can assist with removal of staff and access credentials.

Finally, public relations are essential to ensure an accurate, consistent and truthful message is communicated to the regulators, media, customers, shareholders and other stakeholders. 

What are the Different Types of Security Incidents?

There are many types of security incidents and ways to classify them. This is largely an organizational decision; what is considered critical at one organization may be minor at another. That said, there are a range of common cyber incidents every organization should be aware of and plan for:

  • Ransomware and other types of malware
  • Man-in-the-middle attacks
  • Social engineering like phishing and spear phishing
  • Exploits of CVE-listed vulnerabilities
  • Corporate espionage
  • OPSEC failures
  • Data breaches
  • Email spoofing
  • Domain hijacking
  • Typosquatting
  • Denial of service (DoS)

Each of these security incidents is common enough to warrant a formal incident response process and recovery plan. Security analysts need to be aware that even small incidents can open up new attack vectors that lead to larger attacks. This is why real-time threat intelligence is so important.

Another important and often overlooked class of security incident is those that involve your third-party vendors and their vendors. This is known as third-party risk and fourth-party risk.

Security teams need to understand the impact that vendors can have on their organization's security posture. Even if third parties aren't conducting critical business activities, they still represent significant vendor risk.

This is because they may have access to sensitive data or property, and your organization may be accountable for their security failures.

Avoiding incidents is as much about vendor risk management as it is about managing your internal information security, data security, network security and information risk management.

Look for vendors with SOC 2 assurance, ask to see their information security policy and develop a vendor management policy that contains a third-party risk management framework that allows your organization to easily perform cybersecurity risk assessments on current and potential vendors.

What Tools are Available for Incident Response Teams?

There are tools and industry standards that can be helpful to incident response teams. Tools can be split into three categories: prevention, detection and response.

For prevention, an organization may employ a security scanner and a data leak detection tool to prevent leaked credentials and other sensitive data being exposed due to poor S3 security or a lack of configuration management.

Detection could be covered by antivirus software, network intrusion detection systems, security information and event management (SIEM) software or a vulnerability scanner that checks for CVE-listed vulnerabilities.

A common response tool is remediation workflows, where incident response teams can request remediation, then track and close third-party attack vectors.

What is the Industry Standard for Incident Response?

Two frameworks have become industry standard: the NIST Incident Response Process and the SANS Incident Response Process.

The NIST Incident Response Process is four steps:

  • Preparation
  • Detection and analysis
  • Containment, eradication and recovery
  • Post-incident activity

The SANS Incident Response Process has six:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons learned

As you can see, NIST and SANS cover the same components in the same order, with different wording and grouping.

Whether you follow NIST, SANS or another incident response plan template, your IR plan should:

  • Provide an overview
  • Identify and describe roles and responsibilities
  • Be tailored to specific business risks and needs
  • Outline the current state of information security, data security and network security
  • Have clear detection and identification procedures
  • Specify tools, technologies and resources needed for containment and eradication
  • Outline recovery and follow-up tasks
  • Have a communication plan
  • Be well tested
  • Have version control or a revision history recording when changes were made and by whom

What are the Metrics Incident Response Teams Should be Measured Against?

Incident response is like any other aspect of an organization: what gets measured gets managed. Ongoing management includes setting and measuring incident response goals, as well as periodically testing the incident response plan in tabletop exercises to ensure that all stakeholders are comfortable with their duties and responsibilities.

Common metrics include:

  • Your security rating
  • Competitor security ratings
  • Number of vendors
  • Average vendor security rating
  • Distribution of vendor security ratings
  • Lowest rated vendors
  • Least improved vendors
  • Highest rated vendors
  • Most improved vendors
  • Number of security questionnaires sent
  • Number of security questionnaires received
  • Vendor risks remediated
  • Number of incidents detected
  • Number of incidents missed
  • Number of incidents requiring actions
  • Number of repeat incidents
  • Number of known attack vectors
  • Average remediation time
  • Number of data breaches and data leaks
  • Average vendor security posture
  • Number of stakeholders present in incident response plan review meetings
  • Number of stakeholders present in incident response plan tabletop exercises
  • Possible procurement of cybersecurity software, e.g. software to automate vendor risk management
  • Other security initiatives, e.g. cybersecurity awareness training, website risks, email security, network security, malware and brand protection

What is the Difference between an Incident Response Plan and Business Continuity Plan?

While an incident response plan and a business continuity plan have similar goals – minimize the impact of unforeseen events and keep the business running – incident response planning generally has a higher level of visibility.

Incident response plans are concerned with security incidents and breaches that impact information security, network security and data security. 

Business continuity plans focus on creating a system to prevent and recover from potential threats to a company, whether that be personnel, assets or natural disasters.

This is why most organizations have two separate documents for incident response and business continuity, which often reference each other.

How UpGuard Scales Your Organization's Incident Response Team by Detecting Data Leaks and Preventing Third-Party Breaches

UpGuard BreachSight can help monitor for DMARC, combat typosquatting, and prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.

UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.

Reviewed by

Kaushik Sen


How to Create an Incident Response Plan + Template

Like business continuity planning, incident management is part of a broader security and emergency management effort that can help an organization respond to and recover from disruptions affecting its information systems, mission and business processes, personnel, and primary facility.

Let’s cover what an incident response plan is, why it’s important, and how to create one below.

What is an incident response plan?

An incident response (IR) plan is a document containing a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a security incident. These instructions or procedures should help an organization before, during, and after confirmed or suspected security incidents.

What is a cyber incident response plan?

A cyber incident response plan documents the instructions or procedures to detect, respond to, and limit the consequences of cyber attacks against an organization’s information system.

So while an incident response plan may establish procedures to address any security incident, a cyber incident response plan establishes procedures to specifically address malicious computer incidents. Examples of malicious computer incidents include: 

  • Unauthorized access to a system or data
  • Denial of service attack
  • Virus, worm, Trojan horse, or another type of malicious logic that makes unauthorized changes to system hardware, software, or data 

This plan may be included as an appendix of an organization’s business continuity plan. 

In NIST Special Publication 800-34, Revision 1, the term incident response plan was changed to cyber incident response plan.


Why is an incident response plan important?

An incident response plan can help an organization detect, respond, and recover from a security incident or event faster and more cost effectively. It clearly lays out what needs to be done so personnel can perform incident response more effectively, efficiently, and consistently. This can help personnel minimize loss or theft of information and disruption of services caused by incidents, which can result in significant cost savings. 

For example, in IBM's 2022 Cost of a Data Breach report, nearly three-quarters of organizations said they had an IR plan, while 63% of those organizations said they regularly tested the plan. The organizations with an IR team that tested an IR plan saved $2.66 million in breach costs on average versus those with no IR team and no IR plan testing. This represents a 58% cost savings.


NIST incident response plan

The NIST SP 800-61 publication — also known as the Computer Security Incident Handling Guide — is designed to help organizations establish successful computer security incident response capabilities and handle incidents efficiently and effectively. Most of its guidelines revolve around analyzing incident-related data and determining the appropriate response to each incident. 

NIST recommends that an incident response plan should include the following:

  • A mission statement
  • Strategies and goals
  • Senior management approval
  • An organizational approach to incident response
  • How the incident response team will communicate with the rest of the organization and other organizations
  • Metrics for measuring the incident response capability and its effectiveness
  • A roadmap for maturing the incident response capability
  • How the program fits into the overall organization

These recommendations and other guidelines in NIST 800-61 are incorporated in the steps below.


How to create an incident response plan

Writing and maintaining an incident response plan requires collaboration and coordination among key stakeholders across an organization. Below we’ll outline the step-by-step process to help you get started.

1. Create an incident response policy

Before starting an incident response plan, you need to establish your organization's incident response policy. This policy is the foundation for your incident response program and should:

  • Define which events are considered incidents
  • Establish the organizational structure for incident response
  • Define roles and responsibilities
  • List the requirements for reporting incidents

The plan should then provide a roadmap for implementing your incident response program based on the policy. 

2. Define short- and long-term goals of the incident response program

The incident response plan should indicate both short- and long-term goals for the program. This will require you to establish metrics for measuring the program’s effectiveness and progress towards those goals.

Examples of metrics are:

  • Number of incidents handled
  • Total amount of labor spent working on the incident 
  • Average time it takes the incident response team to respond to the initial report of an incident
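The three example metrics above can be produced directly from an incident log. The following is an added example, not code from the original article; the record layout, the labelled sample incidents and the reporting period are constructed for illustration.

```python
"""Compute the programme metrics listed above (incidents handled, total labour
spent, average time from the initial report to the team's first response)
from a simple incident log.

Added example; the Incident layout and SAMPLE_INCIDENTS are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    ident: str
    category: str
    reported_at: datetime             # when the initial report arrived
    responded_at: Optional[datetime]  # first handler action; None if not yet picked up
    closed_at: Optional[datetime]     # None while the incident is still open
    labor_hours: float                # handler time booked against the incident


def report_metrics(incidents, period_start, period_end):
    """Return metrics for incidents reported inside [period_start, period_end).

    Incidents nobody has responded to yet are counted as handled but left out
    of the response-time average rather than treated as zero, so a backlog
    cannot make the team look faster than it is.
    """
    in_period = [i for i in incidents if period_start <= i.reported_at < period_end]
    response_minutes = [
        (i.responded_at - i.reported_at).total_seconds() / 60
        for i in in_period
        if i.responded_at is not None
    ]
    return {
        "incidents_handled": len(in_period),
        "incidents_still_open": sum(1 for i in in_period if i.closed_at is None),
        "total_labor_hours": round(sum(i.labor_hours for i in in_period), 2),
        # None, not 0.0, when nothing is measurable: avoids a division by zero
        # and a misleading "instant response" figure on an empty period.
        "mean_minutes_to_respond": (
            round(sum(response_minutes) / len(response_minutes), 1)
            if response_minutes else None
        ),
        "slowest_minutes_to_respond": (
            round(max(response_minutes), 1) if response_minutes else None
        ),
    }


def by_category(incidents, period_start, period_end):
    """Handled-incident count per category, for the goals review."""
    counts = {}
    for i in incidents:
        if period_start <= i.reported_at < period_end:
            counts[i.category] = counts.get(i.category, 0) + 1
    return counts


# Constructed sample log; one reporting month (March 2024) plus one
# April incident that must be excluded from March's figures.
T0 = datetime(2024, 3, 1, 9, 0)
REPORT_PERIOD = (datetime(2024, 3, 1), datetime(2024, 4, 1))
SAMPLE_INCIDENTS = [
    Incident("IR-001", "phishing", T0, T0 + timedelta(minutes=12),
             T0 + timedelta(hours=5), 6.5),
    Incident("IR-002", "malware", T0 + timedelta(days=3),
             T0 + timedelta(days=3, minutes=45), T0 + timedelta(days=4), 14.0),
    Incident("IR-003", "data_leak", T0 + timedelta(days=10),
             T0 + timedelta(days=10, minutes=3), None, 3.25),        # still open
    Incident("IR-004", "phishing", T0 + timedelta(days=20), None, None, 0.0),  # not picked up
    Incident("IR-005", "dos", T0 + timedelta(days=40),
             T0 + timedelta(days=40, minutes=5), T0 + timedelta(days=40, hours=2), 2.0),
]

if __name__ == "__main__":
    print(report_metrics(SAMPLE_INCIDENTS, *REPORT_PERIOD))
    print(by_category(SAMPLE_INCIDENTS, *REPORT_PERIOD))
```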

3. Identify the incident response team and its responsibilities

You should have an appointed incident response team in place to manage security incidents. The incident response plan should indicate who is part of the incident response team and what its main objectives and responsibilities are. 

4. Establish requirements for incident handlers

When an incident occurs, incident handlers must analyze the incident data, determine the impact of the incident, and act appropriately to limit the damage and restore normal services. This requires excellent technical skills in certain areas, such as system administration, network administration, programming, technical support, or intrusion detection. Depending on the staffing model of your incident response team, you may have team members specialize in multiple technical areas or have at least one proficient person in each major area. 

Your organization’s incident response plan should indicate requirements for incident handlers, including how often they should be trained. 

5. Define the incident response process

A critical part of any incident response plan is how it defines the organizational approach to incident response.

The process should include:

  • Detection: How are incidents detected? Is automation used?
  • Reporting: How are incidents reported by internal and external sources?
  • Response: What are the procedures for responding to an incident?
  • Review: How is the incident handling process reviewed? Are meetings held after major incidents? Are follow-up reports created for each resolved incident?

As you consider what steps you’ll take during an incident, you should also consider how you’ll accomplish them efficiently. Incident management tooling can accelerate and streamline your process by automating actions like alerts, pulling metrics reports, coordinating stakeholders, and more. Some tools like Rootly even offer additional support and features — like communications and retrospective templates, consultation with incident response experts, and other resources to develop your organization’s incident response capabilities.

6. Define a communications strategy

An incident response plan should explain how the incident response team will communicate with the rest of the organization and outside parties, such as law enforcement, the media, and other incident response organizations. 

The team should plan and document several communication methods in the incident response plan. Examples might include: 

  • Telephone calls
  • Daily briefings in person
  • Voice mailbox greeting for current incident status and update

7. Provide a roadmap for maturing incident response capabilities

Your incident response program should evolve to reflect new threats, improved technology, and lessons learned from major incidents. To ensure it improves and matures over time, you should provide a roadmap in your incident response plan. This roadmap may include holding a “lessons learned” meeting with all involved parties after a major incident. This can be critical for improving security measures and the incident handling process itself over time. 

8. Review, update, and test this plan regularly

According to NIST SP 800-61, incident response plans should be reviewed and tested at least annually to ensure the organization is maturing its information security capabilities over time and making progress towards its goals for incident response. 

Incident response plan template

Use the template below to simplify the process of creating an incident response plan for your organization.


eSecurity Planet

How to Create an Incident Response Plan (+ Free Template)

Jenna Phipps


While all businesses have to decide what cybersecurity measures they’re going to prioritize, incident response is one that isn’t optional. Incidents are going to happen, and the right (or wrong) one could put your company out of business. No one wants to go out of business because of sloppy preparation.

Preparing for incident response can help you minimize damage from cyber incidents — and prevent the next one from occurring. This guide to incident response plans will help your organization better prepare for incidents and develop a plan that fits your business needs.


What is an Incident Response Plan?


An incident is an event that affects your scope of responsibility, and a response is how you deal with the incident. The scope of responsibility for cybersecurity personnel may be limited to cyberattacks on IT systems, such as ransomware attacks, phishing attacks, or DDoS attacks . For IT managers, the scope might expand to encompass physical IT systems and events such as a flooded data center, a lost executive laptop, or squirrels chewing on network cables.

In small companies where managers cover many roles, an incident might broaden to include personnel and business processes with events such as insider data theft, sexual harassment, embezzlement, or the failure of a machine on an assembly line. However, this piece will specifically focus on cybersecurity incidents like attacks and breaches.

Regardless of the incident scope, your goal is to be able to perform the necessary steps and take into account any unexpected contingencies. For that, you need an incident response plan, because responses need to be as quick and thorough as if you’d practiced them (spoiler alert: you should). The foundational principles of incident response preparation and execution outlined below will help you develop your plan.


When your business is preparing for incident response procedures, you should analyze all the cybersecurity risks to your business, educate teams on incidents, and practice incident response scenarios. Ensuring that teams know as much as possible about incidents and your organization’s security systems will lead to better long-term preparation and reduced employee apprehension.

Run a risk assessment

While your security team may already know the majority of risks that the business faces, risk assessments often bring up ones that nobody thought of. Maybe a high-ranking IT employee just left last month, and their admin credentials to the company IAM account never got deactivated. Or maybe there’s a new vulnerability in a very old program, one that nobody worried about because it’s ancient. Maybe the doors to the main office don’t always lock properly, and anyone could just walk in. Risk assessments reveal details that your teams might not otherwise see.

Give team members necessary access

During an incident response scenario, your security and IT teams will need access to any computer systems or security solution necessary to perform their job. This might include an endpoint detection and response platform, a cloud backup solution, or a UEBA tool, depending on the employee’s role and experience. Equally as important, they should already know how to use it. Make sure you train your team on the security solutions in their arsenal before they are forced to use them to mitigate a threat.

Create a logical method for identifying incidents

Security software throws all kinds of false positives, and when a barrage of alerts hits, security teams can quickly be overwhelmed while trying to sort through potential incidents. They need to know how to identify a real incident and triage incidents by importance.

Your business should develop a logical system to help team members identify legitimate incidents. This could look like a list of characteristics that they check off to determine severity or an alert system that’s tiered based on potential danger.

Run simulations and tests

Once teams know more about potential risks, have access to the right programs, and know how to identify an incident, they need practice. Your security team, as well as potentially any involved IT personnel, should run simulations of an incident so they have hands-on experience mitigating threats. Teams shouldn’t be frozen in fear when the first incident occurs, and hosting plenty of test scenarios will help with that.

Because incident response plans are complex and detailed, they can have plenty of components. Rather than creating a laundry list, we recommend four overall strategies that your plan should include.

Set up an incident response team

Your business won’t have an appropriate response to a security issue if no one knows what they’re supposed to be doing. When developing a response team, make sure that your IT and security teams:

  • Know which team members are responsible for sending all alert messages.
  • Know which team member is responsible for reporting to any relevant managers.
  • Have clear step-by-step instructions so they know which actions to take in order.
  • Know which team member they should ask for help if their part of the response plan gets out of hand.

The sooner each team member knows their roles and expectations, the sooner they’ll be able to confidently carry out an incident response scenario.

Additionally, your organization’s executive team may want to be apprised of incident management processes. Whether this looks like quarterly updates or weekly reports, ensure that your incident response team has an agreed-upon method of consistently updating relevant executives. They may want to know:

  • How many incidents occurred in a given period of time (whether days, weeks, or months)
  • The time frame in which the incident was successfully mitigated
  • Any particular challenges that have arisen during a given period of time

Customize for multiple scenarios and systems

Here’s the tricky part of incident response: Not all incidents are equal, and not all computer systems are prioritized equally.

While one basic incident response plan might be the template for all security operations in your business, chances are that the actual response process will look different depending on the network or system affected. It’ll also vary depending on the severity of the incident. For example:

  • In a ransomware-related incident, where malicious software has infiltrated a system, a security team might have more steps to follow than a credential stuffing and breach incident on, say, a company’s content planning board.
  • Similarly, remediation steps will look different for an attack on a large database of customer information and a breach of an employee’s individual computer.

Incident response plans should be easily customizable for multiple systems and multiple types of attacks. This will take more initial work, but it’ll lead to better security procedures in the future.

Make it flexible

At first glance, this strategy looks like the complete opposite of the one before. How do you customize your incident response plan while also keeping it flexible and generic?

This will depend on your business, your security team, and the variety of systems you need to protect. Generally speaking, technology and personnel changes happen too quickly to be easily captured in a static document. A server web shell attack incident response plan designed last year when your organization had its on-site data center quickly became obsolete once you transitioned some of the servers to the cloud and transitioned others onto virtual machines.

You can still have multiple incident response plans, customized based on the incident or system. But make sure they’re easy to edit. They could be brief, taking a checklist form that can easily be edited. Or maybe they’re hosted in documentation software that automates edits when a policy is changed.

The goal of an incident response document is to be useful, not to consume hours of time to keep it current or to misdirect your team. However, checklists and decision trees can be helpful in keeping the team focused and reducing errors. The trick will be to strike a balance between details and generalizations to maximize utility and minimize obsolescence.

Develop a practical alert methodology

There’s such a thing as too many alerts, and important alerts can also be missed. To ensure neither of these things happen, consider what channel is most appropriate for an alert and vice versa. For example:

  • For an urgent alert about a newly developing attack on a critical cloud application, you’ll want to tag all relevant team members in the alert and use the channel that your team will check most frequently. This might be Slack, Teams, or a security-specific application.
  • For an alert that comes at the end of an incident response process, sending a mass email is often appropriate, since it isn’t as urgent and has a lot of follow-up information that will clog an app like Slack.

Also, keep in mind that many alerts aren’t sent directly from team members but come automatically from security software. Your IT and security admins will have to configure all solutions so they send alerts at the correct time and in the correct channel. Often, communication tools like Slack and Microsoft Teams integrate with popular security solutions so the alerts can populate in designated channels.

Developing a strong incident response plan can take months of meetings, strategizing, and keeping team members apprised of progress. The following steps will help your team create a strong overall incident response strategy.

Create an overview

Many incident response plan templates have an overview section that clearly states the purpose of the plan. Your teams should know exactly why the plan is important and what details it covers.

Assign tasks logically

Assign tasks to the team members for whom they make sense. Security admins or IT managers should have greater responsibility in a response scenario than your team’s junior engineer or newest intern. That doesn’t mean juniors have no role; their roles just need to fit their position and experience. A junior analyst might be responsible for forwarding the logs from threat scans to their team lead for further study, for example.

Eliminate gray zones

When assigning responsibility, any gray zone or gap in responsibility can lead to confusion or even cause an incident to be overlooked. To prevent any vagueness, assign secondary responsibilities with overlap for every incident, asset, or threat.

In large organizations, some potential incidents, such as a misconfigured cloud data bucket exposed to the internet, may fall between departments. Ultimately, someone will need to step up and take responsibility for those items—and therefore, those incidents as well. For example, assign the cloud team to initially respond to incidents involving cloud assets with the cybersecurity team providing backup resources.

The assignment of backup resources will also be useful as a contingency plan. If your cloud team is based in an office currently disabled by a widespread blackout, a cybersecurity team member in another office assigned as a backup already knows to step up and address cloud issues without delay.

Choose the right documentation software

Your business may only need Google Docs or Microsoft Word for documenting an incident response plan. But you may want software with additional capabilities for creating and updating documents. Look for documentation software that has either security-specific templates or plenty of options that your teams can customize. You’ll want something with flexible templates that you can update easily, since incident response plans may need to change on a regular basis, and you want to eliminate as much manual work as possible.

Create a logical flow of alerts

Which alerts need to go to which team members, and at what time? Make sure your automatic alerts are configured in the appropriate order. Initial alerts must be examined for validity: is the alert a false positive, or does it need further investigation and mitigation? Security automation software lets teams configure alerts to their specifications, setting logical conditions that must be met before an alert fires. Personnel should also know exactly when to send a manual alert, such as an email or Slack message.
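The alert methodology, gray-zone ownership, and alert-flow advice above can be expressed as a small routing policy. The following is an added example written for this page, not code from the article or from any product it mentions; the team names, channels, on-call roster, deduplication window, and acknowledgement deadlines are all assumptions. It shows severity choosing the channel (pager for a developing attack, email for a wrap-up report), every asset class having a primary and a backup owner, a suppression window so a tool that re-reports the same finding does not page the team again, and escalation to the backup owner when nobody acknowledges an alert within its deadline.

```python
"""Alert routing for an incident response plan (added example, not from the
article). Severity picks the channel, asset class picks the owning team,
repeats inside a window are suppressed, and an unacknowledged alert escalates
to the backup owner. Teams, channels, roster and SLAs are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Primary and backup owner per asset class (assumed roster). Unknown classes
# still get an owner, so no incident falls into a gray zone.
OWNERSHIP = {
    "cloud": ("cloud-team", "security-team"),
    "endpoint": ("it-ops", "security-team"),
    "network": ("network-team", "security-team"),
}
DEFAULT_OWNER = ("security-team", "ciso-office")

# Severity -> (channel, acknowledgement deadline); None means informational.
ROUTING = {
    "critical": ("pager", timedelta(minutes=15)),
    "high": ("chat", timedelta(hours=1)),
    "medium": ("chat", timedelta(hours=8)),
    "low": ("email", None),
    "closed": ("email", None),  # post-incident summary: long, not urgent
}

@dataclass
class Alert:
    source: str       # "edr", "cloudtrail", "manual", ...
    asset_class: str
    severity: str
    summary: str
    ts: datetime

@dataclass
class Notification:
    team: str
    channel: str
    ack_by: Optional[datetime]
    alert: Alert
    acked: bool = False
    escalated: bool = False

class Router:
    def __init__(self, unavailable=(), dedup_window=timedelta(minutes=10)):
        self.unavailable = set(unavailable)  # teams known to be unreachable
        self.dedup_window = dedup_window
        self._last_sent = {}                 # (source, asset, summary) -> ts
        self.sent = []

    def route(self, alert):
        if alert.severity not in ROUTING:
            raise ValueError(f"unknown severity {alert.severity!r}")
        key = (alert.source, alert.asset_class, alert.summary)
        last = self._last_sent.get(key)
        if last is not None and alert.ts - last < self.dedup_window:
            return None  # same finding again inside the window: noise, not news
        self._last_sent[key] = alert.ts
        channel, sla = ROUTING[alert.severity]
        primary, backup = OWNERSHIP.get(alert.asset_class, DEFAULT_OWNER)
        team = backup if primary in self.unavailable else primary
        note = Notification(team, channel, alert.ts + sla if sla else None, alert)
        self.sent.append(note)
        return note

    def escalate_overdue(self, now):
        """Re-route anything past its deadline to the backup owner's pager."""
        escalated = []
        for note in list(self.sent):
            if note.acked or note.escalated or note.ack_by is None or now < note.ack_by:
                continue
            note.escalated = True
            _, backup = OWNERSHIP.get(note.alert.asset_class, DEFAULT_OWNER)
            up = Notification(backup, "pager", None, note.alert)
            self.sent.append(up)
            escalated.append(up)
        return escalated

def demo():
    """Constructed alerts walking through the scenarios in the text."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    out = {}
    r = Router(unavailable={"cloud-team"})  # cloud team's office is in a blackout
    first = r.route(Alert("cloudtrail", "cloud", "critical", "bucket made public", t0))
    out["critical_team"], out["critical_channel"] = first.team, first.channel
    out["duplicate"] = r.route(Alert("cloudtrail", "cloud", "critical", "bucket made public", t0 + timedelta(minutes=5)))
    r2 = Router()
    r2.route(Alert("edr", "endpoint", "high", "encoded powershell", t0))
    out["early"] = len(r2.escalate_overdue(t0 + timedelta(minutes=30)))  # within SLA
    late = r2.escalate_overdue(t0 + timedelta(hours=2))                   # past SLA
    out["late_team"], out["late_channel"] = late[0].team, late[0].channel
    closed = r2.route(Alert("manual", "cloud", "closed", "incident summary", t0 + timedelta(days=1)))
    out["closed_channel"] = closed.channel
    return out
```

Running `demo()` shows the critical cloud alert landing on the security team's pager because the cloud team is marked unavailable, the repeat five minutes later being suppressed, the unacknowledged endpoint alert escalating only after its one-hour deadline, and the closing summary going to email. The deadlines and the suppression window are the knobs to tune against your own alert volume; the structure (one owner and one backup per asset class, one channel per severity) is what keeps the plan free of gaps.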

Be in line with insurance policies

Insurance policies, particularly cyber insurance policies, can also heavily influence how a business responds to an incident. Some policies require initial contact to be made with the insurer, who will deploy its own incident response team. Others require specific documentation and forensic evidence before paying out on expenses related to an incident. Work with legal counsel and insurance representatives to make sure the requirements are well understood and incorporated into your incident response plans.

Incorporate stakeholder feedback

Plans developed only by those assigned direct responsibility will suit their needs and expectations, but they might overlook the needs and issues of others. Once you’ve drafted an IR plan, send it to any relevant business executives, legal counsel, key vendors, and possibly even affected key customers for feedback. These stakeholders may point out additional considerations to protect the organization against lawsuits, violating regulations, or unnecessary business disruptions.

Once you’ve incorporated appropriate feedback, you’ll be ready with the final draft of the plan.

Keep the incident response plan current

Your business should regularly update incident documentation on a quarterly, annual, or event-driven schedule. Documentation software will help with this. Then circulate the incident response documents effectively. A shared file server is one option, but we recommend also distributing email and printed copies (stored securely), so key information remains available when the file server, identity provider, or email system is itself unavailable or compromised, as is common during a ransomware incident.

Two leading bodies in the cybersecurity industry provide detailed incident response templates:

  • National Institute of Standards and Technology (NIST) template
  • SANS templates (categorized by specific areas of incident response)

While your business may want to copy such a template, they’re also good resources to inform your team’s individual plan, too. These are tools you can use to develop your own template, especially if your team hasn’t done this before and wants to pull from industry leading expertise.

Learn more about the incident response process and different frameworks .

There is no single correct approach or template for an incident response strategy. It will vary depending on your business’s priorities, your IT and security teams’ experience, and the threats you most commonly face. But practicing incident response, giving team members detailed instructions, and carefully documenting processes are just a few ways to strengthen your business’s overall approach to breaches and cyberattacks.

Article written by Chad Kime on Dec. 9, 2021 and updated by Jenna Phipps on Aug. 23, 2023.

What Is an Incident Response Plan for IT?


What does an incident response plan do?

An incident response plan is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.


A sufficient incident response plan offers a course of action for all significant incidents. Some incidents lead to massive network or data breaches that can impact your organization for days or even months. When a significant disruption occurs, your organization needs a thorough, detailed incident response plan to help IT staff stop, contain, and control the incident quickly. For physical disruptors, such as natural disasters and flooding, create a disaster recovery plan .

What is an incident recovery team?

An incident recovery team is the group of people assigned to implement the incident response plan. Generally, these are members of the IT staff who collect, preserve, and analyze incident-related data. Your IT staff may need to work with lawyers and communications experts to make sure that legal obligations are met.

Why do you need an incident response plan?

If your network hasn’t been threatened yet, it will be. If it has, then you know the chaos that can follow a cyber attack. Whether a threat is virtual (security breaches) or physical (power outages or natural disasters), losing data or functionality can be crippling. An incident response plan and a disaster recovery plan help you mitigate risk and prepare for a range of events.

How can you be sure your network is ready for a disaster?

Your network will never be 100 percent secure, so you must prepare both your network and your employees for crises to come. In addition to an incident response plan, you need a thorough disaster recovery plan that can mitigate the damage caused by a disaster.

Are there tools that help automate an incident response plan?

Cisco Umbrella Investigate helps to automate many of the most common steps in an incident response. Investigate's rich threat intelligence adds the security context needed to uncover and predict threats.

Follow the five steps below to maintain business continuity.

How to create an incident response plan

1. Determine the critical components of your network

To protect your network and data against major damage, you need to replicate and store your data in a remote location. Because business networks are expansive and complex, you should determine your most crucial data and systems. Prioritize their backup, and note their locations. Keep at least one backup copy offline or immutable and test restores regularly; attackers, ransomware operators in particular, routinely target any backup they can reach from the compromised network. These actions will help you recover your network quickly.

2. Identify single points of failure in your network and address them

Just as you should back up your data, you should have a plan B for every critical component of your network, including hardware, software, and staff roles. Single points of failure can expose your network when an incident strikes. Address them with redundancies or software failover features. Do the same with your staff. If a designated employee can’t respond to an incident, name a second person who can take over. By having backups and fail-safes in place, you can keep incident response and operations in progress while limiting damage and disruption to your network and your business.
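Finding single points of failure by inspection works for a handful of boxes, but not for a real topology. The following is an added example, not Cisco's code: it models the network as an undirected graph, lists the pairs of nodes that must stay connected for the business to function, and reports every component whose loss breaks one of those pairs. The topology (two ISP uplinks that both terminate on one firewall, one core switch, one database host) and the critical pairs are constructed for illustration. A helper lets you test a proposed remediation, here a second edge firewall, before buying it.

```python
"""Single-point-of-failure finder for a network topology (added example).

A component is a single point of failure if removing it disconnects any pair
of nodes that must stay connected. The topology and critical pairs below are
constructed for illustration; they do not describe any real network.
"""
from collections import deque

# Undirected adjacency list (constructed): two ISP uplinks both land on the
# same firewall, one core switch feeds the app server and the database.
TOPOLOGY = {
    "internet": ["isp-a", "isp-b"],
    "isp-a": ["internet", "edge-fw-1"],
    "isp-b": ["internet", "edge-fw-1"],
    "edge-fw-1": ["isp-a", "isp-b", "core-sw"],
    "core-sw": ["edge-fw-1", "app-1", "db-1"],
    "app-1": ["core-sw"],
    "db-1": ["core-sw"],
}

# Pairs that must remain reachable for the business to function.
CRITICAL_PAIRS = [("internet", "app-1"), ("app-1", "db-1")]


def reachable(graph, start, removed=frozenset()):
    """Nodes reachable from `start` when the nodes in `removed` are out of service."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(graph, pairs):
    """Map each node whose loss breaks a critical pair to the pairs it breaks.

    The endpoints of a pair are skipped: losing the app server itself is
    covered by backups and disaster recovery, not by network redundancy.
    """
    endpoints = {n for pair in pairs for n in pair}
    spofs = {}
    for node in graph:
        if node in endpoints:
            continue
        broken = [p for p in pairs if p[1] not in reachable(graph, p[0], frozenset({node}))]
        if broken:
            spofs[node] = broken
    return spofs


def with_links(graph, links):
    """Copy of `graph` with extra undirected links, to test a remediation on paper."""
    g = {k: list(v) for k, v in graph.items()}
    for a, b in links:
        g.setdefault(a, []).append(b)
        g.setdefault(b, []).append(a)
    return g


if __name__ == "__main__":
    print("today:", single_points_of_failure(TOPOLOGY, CRITICAL_PAIRS))
    fixed = with_links(TOPOLOGY, [("isp-b", "edge-fw-2"), ("edge-fw-2", "core-sw")])
    print("with a second edge firewall:", single_points_of_failure(fixed, CRITICAL_PAIRS))
```

On the constructed topology the two ISP links are not single points of failure (each covers for the other), but the lone firewall and the core switch are. Adding a second firewall between the second ISP and the core removes the firewall from the list; the core switch remains, which is exactly the kind of finding that tells you where the next redundancy budget should go. The same graph can hold staff roles as nodes (a runbook that only one person can execute is a cut vertex too).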

3. Create a workforce continuity plan

During a security breach or a natural disaster, some locations or processes may be inaccessible. In either case, the top priority is employee safety. Help ensure their safety and limit business downtime by enabling them to work remotely. Build out infrastructure with technologies such as virtual private networks (VPNs) and secure web gateways to support workforce communication.

4. Create an incident response plan

Draw up a formal incident response plan, and make sure that everyone, at all levels in the company, understands their roles. 

An incident response plan often includes:

  • A list of roles and responsibilities for the incident response team members.
  • A business continuity plan.
  • A summary of the tools, technologies, and physical resources that must be in place. 
  • A list of critical network and data recovery processes.
  • Communications, both internal and external. 

5. Train your staff on incident response

Only IT may need to fully understand the incident response plan. But it is crucial that everyone in your organization understands the importance of the plan. After you’ve created it, educate your staff about incident response. Full employee cooperation with IT can reduce the length of disruptions. In addition, understanding basic security concepts can limit the chances of a significant breach.


Improved incident response planning is a business necessity

Today’s dynamic threat landscape and complex digital environments necessitate a modern, proactive approach to incident response.


Chief information security officers (CISOs) understand the importance of having an incident response plan in place to help decrease the impact of a cyberattack. That’s because despite increased awareness and evolving security technology and practices, cyber threats continue to grow in both volume and sophistication.

Microsoft security researchers have seen a  130.4% increase  in organizations that have encountered ransomware over the past year. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including 160 nation-state actors and 50 ransomware groups.

“As we look at a big rise specifically in social engineering attacks, we are seeing threat actors going after parts of the organization that weren’t as targeted in the past,” says David Ames, Principal and Cyber Strategy and Transformation leader in the Cybersecurity, Risk & Regulatory practice at PwC US. “That complexity is bringing new teams like the help desk or call center to the forefront of IR, which is keeping us on our toes.” 

Beyond the critical step of getting systems back online after an attack, it’s equally vital to help identify and eradicate the cause of the attack. 

“You can’t just reconstitute an environment from a backup,” says Mark Ray, Principal and US incident response leader in the Cybersecurity, Risk & Regulatory practice at PwC US. “There should be proper threat hunting. Once threat actors are in the door, they are entrenched very deeply and it’s hard to get them out. But we aim to have them evicted from the environment before you can even start thinking about bringing systems back online securely. Otherwise, the threat can still exist.” 

The ability to identify and root out threats should be addressed well before an attack as part of a holistic IR plan. It begins with gaining visibility across the IT ecosystem, across on-premises systems and cloud services, which can be difficult to achieve given the pace of digital transformation. Company mergers or acquisitions can further complicate the IT landscape, introducing more vulnerabilities. 

“A lack of understanding of an environment’s architecture can be a significant challenge,” says Jason Lopez, Director of the Detection and Response Team at Microsoft. “With better visibility, you can approach an incident as it’s happening, understand the risks across every pillar, and guide the business on the best decisions to make.”

To help organizations create a more holistic approach to IR, PwC and Microsoft  recently announced a collaboration  that extends their joint incident response and recovery capabilities. The collaboration focuses on three main areas:

  • Faster and more effective response:  When a customer experiences a security incident, Microsoft and PwC can mobilize a team of specialists to help contain the cyberthreat, investigate the root cause, and get the client’s systems back up and running quickly. 
  • Holistic response:  The collaboration enables a holistic response to incidents. Microsoft can focus on the technical aspects of the incident, such as helping evict the bad actor and restoring systems, while PwC can focus on the business and risk management aspects, such as developing a recovery plan and communicating with stakeholders. 
  • Improved security posture:  Lessons learned from IR engagements are used to improve Microsoft’s solutions and the security posture of its customers. Microsoft and PwC work together to help identify and mitigate common security vulnerabilities and to develop new security solutions, thus helping reduce the risk of future incidents.

For more information on the challenges of modern incident response and how Microsoft and PwC work together to help streamline response and recovery efforts,  watch the webcast  featuring PwC’s David Ames and Mark Ray and Microsoft’s Jason Lopez.


How to Create and Test an Incident Response Plan: A Guide for Businesses


Unfortunately, companies of all sizes, industries, and locations are at risk of cyber attacks. Attacks are also becoming increasingly common, complex, and difficult to prevent. That's why having an incident response plan (IRP) is critical to minimizing the impact of security incidents. In this article, we'll provide an overview of incident response plans: what they are, why your organization needs one, and how to create and test an effective IRP.

What is an Incident Response Plan?

An incident response plan is a written document that outlines the steps your organization will take in response to a security incident, such as a data breach, malware attack, or network outage. The goal of an IRP is to minimize the impact of the incident, restore normal business operations quickly, and prevent similar incidents from occurring in the future. An effective IRP should include the following components:

  • Identification and classification of incidents
  • Notification and escalation procedures
  • Incident response team roles and responsibilities
  • Containment and eradication procedures
  • Recovery and restoration procedures
  • Post-incident review and analysis

Why Does Your Organization Need an Incident Response Plan?

Aside from facilitating quick and efficient responses, some important reasons for your business to have an incident response plan include:

Reducing Downtime and Loss of Revenue

When a cyber attack occurs, every minute counts. The longer it takes to respond to an incident, the more damage it can cause to your organization. An IRP helps your organization respond quickly and effectively to security incidents, minimizing the downtime and loss of revenue associated with such incidents.

Minimizing Incident Impacts and Damage to Your Reputation

When a security incident occurs, customers and stakeholders expect your organization to respond quickly and transparently. If your organization fails to respond effectively to a security incident, it can damage your reputation and erode consumer trust. A well executed IRP can help protect your organization's reputation by minimizing the impact of security incidents on your customers and stakeholders. That’s why communication plans are often an important aspect of an IRP; communication plans include specific wording and methods of message delivery for internal teams, external stakeholders, media, and law enforcement.

Complying with Regulations

Many industries are subject to regulations or standards that require businesses to have an IRP in place. HIPAA and GDPR, along with the PCI DSS standard for payment card data, all require incident response and breach-handling procedures, and failure to comply can result in costly financial penalties. Having an IRP can help your organization meet the compliance and regulatory standards of your industry.

Acquiring Cyber Insurance

Having an incident response plan is often a requirement for businesses seeking cyber insurance coverage. Many cyber insurance providers require an IRP as part of their underwriting process to assess a company's risk and determine premiums. In addition to helping you secure cyber insurance, an incident response plan also demonstrates to insurers that your organization is taking proactive steps to prevent and mitigate security incidents, which can result in lower premiums or more comprehensive coverage. Not only does an IRP help your organization prepare for and respond to security incidents, but it also provides financial protection in the event of a security incident.

Creating an Incident Response Plan

Creating an effective IRP involves several steps or phases. According to the National Institute of Standards and Technology (NIST), these steps include:

1)  Preparation

The preparation stage involves assessing your organization's security risks and identifying potential threats. Typically, this includes conducting a risk assessment, identifying critical assets, and defining the roles and responsibilities of the incident response team.

2)  Detection and Analysis

This phase involves monitoring your organization's systems and networks for signs of security incidents, as well as analyzing the incident to determine its scope and severity. To identify and assess the scope of incidents, your team may use a variety of tools and techniques, including network and system monitoring, threat intelligence, and analysis of system logs and other data sources. Once an incident is detected, the team begins the analysis process, which involves gathering evidence, identifying the cause of the incident, and determining the extent of the impact.

3)  Containment, Eradication, and Recovery

This stage involves a few core components. During containment, the response team works to isolate affected systems to prevent the spread of the incident. Before eradicating anything, preserve evidence (disk images, memory captures, and logs from the affected systems), since wiping or rebooting hosts first destroys the data needed to establish root cause and to satisfy insurers and regulators. Eradication involves identifying and removing the root cause of the incident, and finally, recovery involves restoring normal operations and implementing measures to prevent future incidents. As a whole, the goal of this stage is to minimize the impact of the incident on the organization and to ensure that business operations are restored as quickly as possible.

4)  Post-Incident Analysis

During this stage, the incident response team conducts a detailed review of the incident, including the effectiveness of the response plan, the actions taken by the team, and the impact of the incident on the organization. The team also documents lessons learned from the incident and identifies areas where the response plan could be improved. The goal of the post-incident analysis stage is to continually improve the organization's incident response capability, reduce the likelihood of future incidents, and enhance the organization's overall security posture.

How to Test an Incident Response Plan

Testing your IRP is critical to ensuring that it is effective, and that your incident response team is prepared to respond to security incidents. One way to test your IRP is to conduct a tabletop exercise, which simulates a security incident and tests your organization's response procedures. Typically, an exercise facilitator presents a hypothetical scenario, and then the incident response team works together to respond to the scenario, documenting their actions and decisions. The exercise allows the team to identify gaps in the response plan, improve communication, and refine procedures. It also provides an opportunity to train team members in their roles and responsibilities while evaluating their preparedness for a real incident. Testing an incident response plan with a tabletop exercise should be done regularly to ensure that the plan is up-to-date and effective. Some tips for conducting a successful tabletop exercise include:

  • Setting clear objectives and goals for the exercise.
  • Involving all relevant stakeholders.
  • Providing realistic scenarios and challenges.
  • Documenting the results of the exercise and using them to improve your IRP.

Adequately testing your organization’s IRP will require a facilitator with experience in cyber-incident response, as their expertise will help generate productive discussions. They will also be able to provide an unbiased perspective on the quality of your plan and your team’s response. Often, partnering with outside security experts that offer response plan testing is the best way to ensure that your plan is comprehensive and that your team is prepared.

Ready to Improve Your Security Posture?

Despite the unfortunate reality that cyber incidents are inevitable for many organizations, an effective incident response plan can help your organization minimize their impact and restore full business operations quickly. By following the steps outlined in this article, you can create and test an IRP that protects your organization from the worst effects of security incidents. Blackink IT’s security experts partner with organizations to ensure that their plans are thorough and that their teams are prepared for quick, efficient, and effective responses.


What is incident response?

Explore how effective incident response helps organizations detect, address, and stop cyberattacks.


Incident response defined

Before defining incident response it’s important to be clear on what an incident is. In IT, there are three terms that are sometimes used interchangeably but mean different things:

  • An event is an innocuous action that happens frequently such as creating a file, deleting a folder, or opening an email. On its own an event typically isn’t an indication of a breach but when paired with other events may signal a threat. 
  • An alert is a notification triggered by an event, which may or may not be a threat.
  • An incident is a group of correlated alerts that humans or automation tools have deemed likely to be a genuine threat. On their own, each alert may not appear to be a major threat but when combined, they indicate a possible breach.

Incident response is the actions that an organization takes when it believes IT systems or data may have been breached. For example, security professionals will act if they see evidence of an unauthorized user, malware, or failure of security measures.

The goals of the response are to eliminate a cyberattack as quickly as possible, recover, notify any customers or government agencies as required by regional laws, and learn how to reduce the risk of a similar breach in the future.

How does incident response work?

Incident response typically starts when the security team gets a credible alert from a security information and event management (SIEM) system.

Team members need to verify that the event qualifies as an incident and then isolate affected systems and remove the threat. If the incident is severe or takes a long time to resolve, the organization may need to restore data from backups, deal with a ransom demand, or notify customers that their data was compromised.

For this reason, people other than the cybersecurity team are typically involved in the response. Privacy experts, lawyers, and business decision makers will help determine the organization’s approach to an incident and its aftermath.

Types of security incidents

There are several ways that attackers try to access a company’s data or otherwise compromise its systems and business operations. Here are several of the most common:

Ransomware

In a ransomware attack, bad actors use malware to encrypt critical data and systems and then threaten to make the data public or destroy it if the victim doesn’t pay a ransom.


Denial of service

In a denial-of-service (DoS) attack, a threat actor overwhelms a network or system with traffic or requests until it slows or crashes; a distributed denial-of-service (DDoS) attack does the same from many sources at once, which makes it far harder to filter. Typically, attackers target high-profile organizations like banks or governments with the goal of costing them time and money, but organizations of all sizes can be victims of this type of attack.


Man in the middle

Another method that cybercriminals use to steal personal data is to insert themselves in the middle of an online conversation between people who believe they are communicating privately. By intercepting messages and copying them or changing them before sending them to the intended recipient, they try to manipulate one of the participants into giving them valuable data.


Insider threat

Although most attacks are conducted by people outside an organization, security teams also need to be on the lookout for insider threats. Employees and other people who legitimately have access to restricted resources may inadvertently or in some cases intentionally leak sensitive data.


Unauthorized access

A lot of security breaches start with stolen account credentials. Whether bad actors acquire passwords via a phishing campaign or by guessing a common password, once they gain access to a system they can install malware, do network reconnaissance, or escalate their privileges to allow them access to more sensitive systems and data.
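The event, alert and incident distinction drawn at the start of this section, and the stolen-credential pattern just described, can be made concrete with detection logic run over log lines. The following is an added example written for this page, not Microsoft's code or any SIEM's rule language: it parses a constructed authentication log (the format, thresholds and severity scheme are assumptions), turns individual events into alerts with three rules (a burst of failed logins, a success shortly after repeated failures, and an addition to an administrators group), and then correlates a user's alerts that fall within a window into a single incident. A lone mistyped password stays an event and never becomes an alert, which is the point of the thresholds.

```python
"""Events -> alerts -> incident over constructed auth log lines (added example).

Three detection rules turn raw events into alerts; alerts about the same user
inside a window are correlated into an incident. Log format, thresholds and
severity scheme are assumptions for illustration, not any product's rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log: alice's account is brute-forced, then used to join the
# admin group; bob mistypes his password once; carol logs in normally.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:05Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:09Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:13Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:17Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:40Z auth user=alice src=203.0.113.7 result=OK
2024-03-01T09:01:10Z priv user=alice src=203.0.113.7 action=group_add group=Administrators
2024-03-01T09:30:00Z auth user=bob src=198.51.100.4 result=FAIL
2024-03-01T09:30:20Z auth user=bob src=198.51.100.4 result=OK
2024-03-01T10:00:00Z auth user=carol src=192.0.2.9 result=OK
"""

@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict

@dataclass
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str

@dataclass
class Incident:
    user: str
    severity: str
    alerts: list

def parse(text):
    """One Event per non-empty line of the form '<iso-ts> <kind> k=v k=v ...'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields))
    return events

def detect(events, burst=5, burst_window=timedelta(minutes=5), prior=3, prior_window=timedelta(minutes=10)):
    """Alerts: a burst of failures, a success shortly after failures, an admin-group add."""
    alerts, fails, fired = [], defaultdict(list), set()
    for e in events:
        user, src = e.fields.get("user"), e.fields.get("src")
        if e.kind == "auth" and e.fields["result"] == "FAIL":
            fails[(user, src)].append(e.ts)
            recent = [t for t in fails[(user, src)] if e.ts - t <= burst_window]
            if len(recent) >= burst and (user, src) not in fired:  # fire once per burst
                fired.add((user, src))
                alerts.append(Alert("failed_login_burst", user, e.ts, f"{len(recent)} failures from {src}"))
        elif e.kind == "auth" and e.fields["result"] == "OK":
            recent = [t for t in fails[(user, src)] if e.ts - t <= prior_window]
            if len(recent) >= prior:  # a single typo (bob) stays an event, not an alert
                alerts.append(Alert("success_after_failures", user, e.ts, f"login from {src} after {len(recent)} failures"))
        elif e.kind == "priv" and e.fields.get("group") == "Administrators":
            alerts.append(Alert("privilege_change", user, e.ts, f"{e.fields.get('action')} {e.fields['group']}"))
    return alerts

def correlate(alerts, window=timedelta(minutes=30)):
    """Group a user's alerts that fall within `window` of each other; two distinct rules make an incident."""
    incidents, by_user = [], defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_user[a.user].append(a)
    for user, seq in by_user.items():
        group = [seq[0]]
        for a in seq[1:] + [None]:  # None flushes the last group
            if a is not None and a.ts - group[-1].ts <= window:
                group.append(a)
                continue
            rules = {g.rule for g in group}
            if len(rules) >= 2:
                severity = "critical" if "privilege_change" in rules else "high"
                incidents.append(Incident(user, severity, list(group)))
            if a is not None:
                group = [a]
    return incidents

def run(text=SAMPLE_LOG):
    """Full pipeline: parse -> detect -> correlate."""
    return correlate(detect(parse(text)))
```

On the sample log this yields three alerts, all for alice, and one critical incident that ties them together; bob's single failure followed by a success produces nothing, and carol's normal login is just an event. In a real deployment the thresholds would be tuned per source, the correlation key would usually include the source address as well as the user, and the incident would be what lands in the routing and ownership step of the plan.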

What is an incident response plan?

Responding to an incident requires a team to work together efficiently and effectively to eliminate the threat and satisfy regulatory requirements. In these high-stress situations, it’s easy to become flustered and make mistakes, which is why many companies develop an incident response plan. The plan defines roles and responsibilities and includes the steps needed to properly resolve, document, and communicate about an incident.

Importance of an incident response plan

A significant attack doesn’t just damage the operations of an organization, it also affects the business’s reputation among customers and the community, and it may have legal ramifications too. Everything, including how quickly the security team responds to the attack and how executives communicate about the incident, influences its overall cost.

Companies that hide the damage from customers and governments or who don’t take a threat seriously enough may run afoul of regulations. These types of mistakes are more common when participants don’t have a plan. In the heat of the moment, there’s a risk that people will make rash decisions driven by fear that wind up hurting the organization.

A well-thought-out plan lets people know what they should be doing at each phase of an attack, so they don’t have to make it up on the fly. And after recovery if there are questions from the public, the organization will be able to show exactly how it responded and give customers peace of mind that it took the incident seriously and implemented the steps necessary to prevent a worse outcome.

Incident response steps

There’s more than one way to approach incident response, and many organizations rely on a security standards organization to guide their approach. SysAdmin Audit Network Security (SANS) is a private organization that offers a six-step response framework, which is outlined below. Many organizations also adopt the National Institute of Standards and Technology (NIST) incident recovery framework.

  • Preparation -  Before an incident occurs, it’s important to reduce vulnerabilities  and define security policies and procedures. In the preparation phase, organizations conduct a risk assessment to determine where they have weaknesses and prioritize assets. This phase includes writing and refining security procedures, defining roles and responsibilities, and updating systems to reduce risk. Most organizations regularly revisit this stage and make improvements to policies, procedures, and systems as they learn lessons or technologies change.
  • Threat identification -  In any given day, a security team may receive thousands of alerts that indicate suspicious activity. Some of them are false positives or may not rise to the level of an incident. Once an incident has been identified, the team digs into the nature of the breach and documents findings, including the source of the breach, the type of attack, and attacker goals. In this stage, the team also needs to inform stakeholders and communicate next steps.
  • Threat containment -  Containing a threat as quickly as possible is the next priority. The longer bad actors are allowed access, the greater damage they can do. The security team works to rapidly isolate applications or systems that are under attack from the rest of the networks. This helps prevent the attackers from accessing other parts of the business.
  • Threat elimination -  Once containment is complete, the team removes the attacker and any malware from affected systems and resources. This may involve taking systems offline. The team also continues to keep stakeholders informed of progress.
  • Recovery and restoration -  Recovering from an incident may take several hours. Once the threat is gone, the team restores systems, recovers data from backup, and monitors affected areas to ensure the attacker doesn’t return.
  • Feedback and refinement -  When the incident is resolved, the team reviews what happened and identifies improvements that can be made to the process. Learning from this phase helps the team enhance the organization’s defenses.

What is an incident response team?

An incident response team, which is also called a computer security incident response team (CSIRT), a cyber incident response team (CIRT), or a computer emergency response team (CERT), includes a cross-functional group of people in the organization who are responsible for executing the incident response plan. This includes not only the people who remove the threat but also those who make business or legal decisions related to an incident. A typical team includes the following members:

  • An incident response manager, often the director of IT, supervises all phases of the response and keeps internal stakeholders informed.
  • Security analysts research the incident to try to understand what is happening. They also document their findings and gather forensic evidence.
  • Threat researchers look outside the organization to gather intelligence that provides additional context.
  • Someone from management, such as a chief information security officer or a chief information officer, provides guidance and serves as a liaison to other executives.
  • Human resources specialists help manage insider threats.
  • General counsel helps the team navigate liability issues and ensures that forensic evidence is collected.
  • Public relations specialists coordinate accurate external communication to the media, customers, and other stakeholders.

An incident response team may be a subset of a security operations center (SOC), which handles security operations beyond incident response.

Incident response automation

In most organizations, networks and security solutions generate far more security alerts than the incident response team can realistically manage. To help it focus on legitimate threats, many businesses implement incident response automation. Automation uses AI and machine learning to triage alerts, identify incidents, and root out threats by executing a response playbook based on programmatic scripts.

Security orchestration automation and response (SOAR) is a category of security tools that businesses use to automate incident response. These solutions offer the following capabilities:

  • Correlate data across multiple endpoints and security solutions to identify incidents for humans to follow up on.
  • Run a pre-scripted playbook to isolate and address known incident types.
  • Generate an investigative timeline that includes actions, decisions and forensic evidence that can be used for analysis.
  • Bring in relevant external intelligence for human analysis.
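The first three capabilities above can be shown end to end in a few dozen lines. The following is an added example written for this page (it is not Microsoft's code nor that of any SOAR product): it parses constructed authentication events from several endpoints, correlates them by source address to spot one source failing logins against many accounts in a short window, runs a simulated containment playbook when a subsequent success suggests an account was compromised, and records every decision on an investigative timeline. The 60-second window, the five-user threshold, the sample events and the playbook action names are all assumptions.

```python
"""SOAR-style triage over constructed auth events: correlate, run a playbook, keep a timeline."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions, not product settings: correlation window and distinct-user threshold.
SPRAY_WINDOW = timedelta(seconds=60)
SPRAY_MIN_USERS = 5

# Constructed sample events (one auth attempt per line); not taken from any real system.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:01Z host=ws-01 user=alice result=FAIL src=203.0.113.5",
    "2024-03-01T09:00:03Z host=ws-02 user=bob result=FAIL src=203.0.113.5",
    "2024-03-01T09:00:05Z host=ws-03 user=carol result=FAIL src=203.0.113.5",
    "2024-03-01T09:00:07Z host=ws-04 user=dave result=FAIL src=203.0.113.5",
    "2024-03-01T09:00:09Z host=ws-05 user=erin result=FAIL src=203.0.113.5",
    "2024-03-01T09:00:12Z host=ws-02 user=bob result=SUCCESS src=203.0.113.5",
    "2024-03-01T09:30:00Z host=ws-09 user=frank result=FAIL src=198.51.100.7",
    "2024-03-01T09:45:00Z host=ws-09 user=frank result=SUCCESS src=198.51.100.7",
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_event(line):
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = parse_ts(ts)
    return ev

def correlate(lines):
    """Group events by source; one source failing against many accounts within the
    window is a password-spray pattern. A success from that source right after it
    marks the account (and host) as likely compromised, which raises severity."""
    by_src = defaultdict(list)
    for ev in map(parse_event, lines):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if e["ts"] - first["ts"] <= SPRAY_WINDOW]
            users = {e["user"] for e in window}
            if len(users) < SPRAY_MIN_USERS:
                continue
            end = window[-1]["ts"] + SPRAY_WINDOW
            compromised = [e for e in evs
                           if e["result"] == "SUCCESS" and first["ts"] <= e["ts"] <= end]
            incidents.append({"type": "password_spray", "src": src, "start": first["ts"],
                              "attempted_users": sorted(users), "compromised": compromised,
                              "severity": "high" if compromised else "medium"})
            break  # one incident per source is enough for triage
    return incidents

def run_playbook(incident, now):
    """Simulated pre-scripted response. A real SOAR would call firewall, identity
    provider and EDR APIs here; this only records each decision on the timeline."""
    timeline = []
    def act(action, detail):
        timeline.append({"ts": now, "action": action, "detail": detail})
    act("alert", f"{incident['type']} from {incident['src']} against "
                 f"{len(incident['attempted_users'])} accounts")
    act("block_ip", incident["src"])
    for ev in incident["compromised"]:
        act("disable_account", ev["user"])
        act("isolate_host", ev["host"])
    act("escalate" if incident["compromised"] else "queue_for_review", incident["severity"])
    return timeline

def triage(lines, now_iso="2024-03-01T09:01:00Z"):
    """Correlate, then run the playbook for every incident; returns (incident, timeline) pairs."""
    now = parse_ts(now_iso)
    return [(inc, run_playbook(inc, now)) for inc in correlate(lines)]

if __name__ == "__main__":
    for inc, timeline in triage(SAMPLE_EVENTS):
        print(inc["severity"], inc["src"], inc["attempted_users"])
        for step in timeline:
            print(f"  {step['ts'].isoformat()} {step['action']}: {step['detail']}")
```

Note that the second source (`198.51.100.7`) produces a single failure and a later success and is left alone: the point of correlation is to separate one user mistyping a password from one source trying many accounts, so that the automated playbook only fires on the latter and the human analyst sees the timeline rather than the raw alerts.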

How to implement an incident response plan

Developing an incident response plan may seem daunting, but it can significantly reduce the risk that your business will be unprepared during a major incident. Here’s how to get started:


Identify and prioritize assets

The first step in an incident response plan is knowing what you’re protecting. Document your organization’s critical data, including where it lives and its level of importance to the business.


Determine potential risks

Every organization has different risks. Become familiar with your organization’s greatest vulnerabilities and evaluate the ways an attacker could exploit them. 


Develop response procedures

During a stressful incident, clear procedures will go a long way toward making sure the incident is addressed quickly and effectively. Start by defining what qualifies as an incident and then determine the steps your team should take to detect, isolate, and recover from the incident, including procedures for documenting decisions and collecting evidence.


Create an incident response team

Build a cross-functional team that is responsible for understanding the response procedures and mobilizing if there’s an incident. Be sure to clearly define roles and account for nontechnical roles that can help make decisions related to communication and liability. Include someone on the executive team who will be an advocate for the team and its needs at the highest levels of the company. 


Define your communication plan

A communication plan will take the guesswork out of when and how to tell others inside and outside the organization what’s happening. Think through various scenarios to help you determine under what circumstances you need to inform executives, the entire organization, customers, and the media or other external stakeholders.


Train employees

Bad actors target employees at all levels of the organization, which is why it’s so important that everyone understands your response plan and knows what to do if they suspect that they’ve been the victim of an attack. Periodically, test your employees to confirm they can recognize phishing emails and make it easy for them to notify the incident response team if they accidentally click on a bad link or open an infected attachment. 

Incident response solutions

Being prepared for a major incident is an important part of keeping your organization safe from threats. Setting up an internal incident response team will give you the confidence that you’ll be ready if you are victimized by a bad actor.

Take advantage of SIEM and SOAR solutions like Microsoft Sentinel that use automation to help you identify and automatically respond to incidents. Organizations with fewer resources can augment their teams with a service provider that can handle multiple phases of incident response. But whether you staff incident response internally or externally, make sure you have a plan.


Frequently asked questions

What is incident response for?

Incident response is all the activities that an organization takes when it suspects a security breach. The goal is to isolate and root out attackers as quickly as possible, comply with data privacy regulations, and recover safely with as little damage to the organization as possible.

Who is responsible for incident response?

A cross-functional team is responsible for incident response. IT will typically be in charge of identifying, isolating, and recovering from threats; however, there is more to incident response than finding and getting rid of bad actors. Depending on the type of attack, someone may have to make a business decision, such as how to address a ransom. Legal counsel and public relations professionals help ensure that the organization complies with data privacy laws, including appropriate notification of customers and governments. If the threat is perpetrated by an employee, human resources advises on appropriate action.

What is a computer security incident response team (CSIRT)?

CSIRT is another name for an incident response team. It includes a cross-functional team of people who are responsible for managing all aspects of incident response, including detecting, isolating, and eliminating the threat, recovery, internal and external communication, documentation, and forensic analysis.

What are incident response tools?

Most organizations use a SIEM or a SOAR solution to help them identify and respond to threats. These solutions typically aggregate data from multiple systems and use machine learning to help identify true threats. They can also automate response for certain kinds of threat based on pre-scripted playbooks.

What is the incident response lifecycle?

The incident response lifecycle includes six stages:

  • Preparation occurs before an incident has been identified and includes a definition of what the organization considers an incident and all the policies and procedures necessary to prevent, detect, eliminate, and recover from an attack.
  • Threat identification is a process that uses both human analysts and automation to identify which events are real threats that need to be addressed.
  • Threat containment is the actions that the team takes to isolate the threat and prevent it from infecting other areas of the business. 
  • Threat elimination includes steps to remove malware and attackers from an organization.
  • Recovery and restoration include restarting systems and machines and restoring any data that was lost. 
  • Feedback and refinement is the process the team takes to uncover lessons from the incident and apply those learnings to policies and procedures. 


Incident response (sometimes called cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. A formal incident response plan enables cybersecurity teams to limit or prevent damage.

The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.

Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies exactly how different types of cyberattacks should be identified, contained, and resolved. An effective incident response plan can help cybersecurity teams detect and contain cyberthreats and restore affected systems faster, and reduce the lost revenue, regulatory fines, and other costs associated with these threats. IBM’s Cost of a Data Breach 2022 Report found that organizations with incident response teams and regularly tested incident response plans had an average data breach cost USD 2.66 million lower than that of organizations without incident response teams and IRPs.


A security incident, or security event, is any digital or physical breach that threatens the confidentiality, integrity, or availability of an organization’s information systems or sensitive data. Security incidents can range from intentional cyberattacks by hackers or unauthorized users, to unintentional violations of security policy by legitimate authorized users.

Some of the most common security incidents include:

  • Ransomware
  • Phishing and social engineering
  • DDoS attacks
  • Supply chain attacks
  • Insider threats

Ransomware. Ransomware is a type of malicious software, or malware, that locks up a victim's data or computing device and threatens to keep it locked—or worse—unless the victim pays the attacker a ransom. According to IBM's Cost of a Data Breach 2022 report, ransomware attacks rose by 41 percent between 2021 and 2022.


Phishing and social engineering. Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, download malicious software, transferring money or assets to the wrong people, or take some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.

Phishing is the most costly and second most common cause of data breaches, according to IBM's Cost of a Data Breach 2022 report. It’s also the most common form of social engineering—a class of attack that hacks human nature, rather than digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or assets.


DDoS attacks. In a distributed denial-of-service (DDoS) attack, hackers gain remote control of large numbers of computers and use them to overwhelm a target organization’s network or servers with traffic, making those resources unavailable to legitimate users.


Supply chain attacks. Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors—for example, by stealing sensitive data from a supplier’s systems, or by using a vendor’s services to distribute malware. In July 2021, cybercriminals took advantage of a flaw in Kaseya's VSA platform to spread ransomware to customers under the guise of a legitimate software update. Even though supply chain attacks are increasing in frequency, only 32 percent of organizations have incident response plans prepared for this particular cyberthreat, according to IBM's 2021 Cyber Resilient Organization Study.


Insider threats. There are two types of insider threats. Malicious insiders are employees, partners, or other authorized users who intentionally compromise an organization’s information security. Negligent insiders are authorized users who unintentionally compromise security by failing to follow security best practices—by, say, using weak passwords, or storing sensitive data in insecure places.


Incident response planning

As noted previously, an organization’s incident response efforts are guided by an incident response plan. Typically these are created and executed by a computer security incident response team (CSIRT) made up of stakeholders from across the organization—the chief information security officer (CISO), security operations center (SOC) and IT staff, but also representatives from executive leadership, legal, human resources, regulatory compliance, and risk management.

An incident response plan usually includes:

  • The roles and responsibilities of each member of the CSIRT;
  • The security solutions—software, hardware, and other technologies—to be installed across the enterprise;
  • A business continuity plan outlining procedures for restoring critical affected systems and data as quickly as possible in the event of an outage;
  • A detailed incident response methodology that lays out the specific steps to be taken at each phase of the incident response process, and by whom;
  • A communications plan for informing company leaders, employees, customers, and even law enforcement about incidents;
  • Instructions for collecting information and documenting incidents for post-mortem review and (if necessary) legal proceedings.

It’s not uncommon for the CSIRT to draft different incident response plans for different types of incidents, as each type may require a unique response. According to the IBM® 2021 Cyber Resilient Organization Study, most organizations have specific incident response plans pertaining to DDoS attacks, malware and ransomware, and phishing, and nearly half have plans for insider threats.

Some organizations supplement in-house CSIRTs with external partners providing incident response services. These partners often work on retainer and assist with various aspects of the incident management process, including preparing and executing IRPs.

The incident response process

Most IRPs also follow the same general incident response framework based on incident response models developed by the SANS Institute, the National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Security Agency (CISA).

Preparation. This first phase of incident response is also a continuous one, ensuring that the CSIRT always has the best possible procedures and tools in place to identify, contain, and recover from an incident as quickly as possible and with minimal business disruption.

Through regular risk assessment the CSIRT identifies network vulnerabilities, defines the various types of security incidents that pose a risk to the network, and prioritizes each type according to its potential impact on the organization. Based on this risk assessment, the CSIRT may update existing incident response plans or draft new ones.

Detection and Analysis. During this phase, security team members monitor the network for suspicious activity and potential threats. They analyze data, notifications, and alerts gathered from device logs and from various security tools (antivirus software, firewalls) installed on the network, filtering out the false positives and triaging the actual alerts in order of severity.

Today, most organizations use one or more security solutions—such as SIEM (security information and event management) and EDR (endpoint detection and response)—to help security teams monitor and analyze security events in real time, and automate incident detection and response processes. (See “Incident response technologies” for more.)

The communication plan also comes into play during this phase. Once the CSIRT has determined what kind of threat or breach they're dealing with, they'll notify the appropriate personnel before moving to the next stage of the incident response process. 

Containment. The incident response team takes steps to stop the breach from doing further damage to the network. Containment activities can be split into two categories:

  • Short-term containment measures focus on preventing the current threat from spreading by isolating the affected systems, such as by taking infected devices offline.
  • Long-term containment measures focus on protecting unaffected systems by placing stronger security controls around them, such as segmenting sensitive databases from the rest of the network.

At this stage, the CSIRT may also create backups of affected and unaffected systems to prevent additional data loss, and to capture forensic evidence of the incident for future study. 
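Evidence captured during containment is only useful at the post-incident review (or in court) if the team can show it was not altered afterwards. The following added example, written for this page rather than taken from IBM or any forensic tool, hashes each collected artifact into a manifest, appends a chain-of-custody entry for every hand-off, and later verifies that the stored copies still match. The incident id, analyst names and artifact contents are constructed placeholders.

```python
"""Evidence manifest: hash collected artifacts, record custody, verify integrity later."""
import hashlib
import json
import os
import tempfile

def sha256_file(path):
    """Stream the file so large images (memory dumps, disk captures) do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, collector, incident_id, collected_at):
    """Record each artifact's name, size and SHA-256 plus who collected it and when."""
    return {
        "incident_id": incident_id,
        "artifacts": [{"name": os.path.basename(p), "size": os.path.getsize(p),
                       "sha256": sha256_file(p)} for p in paths],
        "custody": [{"ts": collected_at, "actor": collector, "event": "collected"}],
    }

def add_custody(manifest, ts, actor, event):
    """Every hand-off (transfer, analysis, return) is appended, never edited."""
    manifest["custody"].append({"ts": ts, "actor": actor, "event": event})

def verify_manifest(manifest, directory):
    """Return artifact names whose current hash differs from the manifest (empty list = intact)."""
    tampered = []
    for a in manifest["artifacts"]:
        p = os.path.join(directory, a["name"])
        if not os.path.exists(p) or sha256_file(p) != a["sha256"]:
            tampered.append(a["name"])
    return tampered

def demo():
    """Constructed artifacts in a temp dir: verification passes, then fails after a modification."""
    d = tempfile.mkdtemp()
    artifacts = {"auth.log": b"2024-03-01T09:00:12Z host=ws-02 user=bob result=SUCCESS\n",
                 "ws-02-memory.raw": b"\x00" * 4096}
    paths = []
    for name, content in artifacts.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    # "IR-EXAMPLE-0001" and the analyst names are constructed placeholders.
    m = build_manifest(paths, "analyst-1", "IR-EXAMPLE-0001", "2024-03-01T10:00:00Z")
    add_custody(m, "2024-03-01T11:00:00Z", "analyst-2", "received for analysis")
    intact = verify_manifest(m, d)          # nothing changed yet
    with open(paths[0], "ab") as f:         # simulate an accidental edit of the log copy
        f.write(b"edited\n")
    altered = verify_manifest(m, d)         # the edited artifact is now reported
    return intact, altered, json.dumps(m, indent=2)

if __name__ == "__main__":
    intact, altered, manifest_json = demo()
    print(manifest_json)
    print("intact:", intact, "altered:", altered)
```

In practice the manifest itself is stored separately from the artifacts (and signed or hashed in turn), and analysis is done on working copies so that the originals recorded here stay verifiable.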

Eradication. After the threat has been contained, the team moves on to full remediation and complete removal of the threat from the system. This involves actively eradicating the threat itself—for example, destroying malware, booting an unauthorized or rogue user from the network—and reviewing both affected and unaffected systems to ensure that no traces of the breach are left behind.

Recovery. When the incident response team is confident the threat has been entirely eradicated, they restore affected systems to normal operations. This may involve deploying patches, rebuilding systems from backups, and bringing remediated systems and devices back online.

Post-incident review. Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident. The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type don't occur. 

The CSIRT also reviews what went well and looks for opportunities to improve systems, tools, and processes to strengthen incident response initiatives against future attacks. Depending on the circumstances of the breach, law enforcement may also be involved in the post-incident investigation. 

As noted above, in addition to describing the steps CSIRTs should take in the event of a security incident, incident response plans typically outline the security solutions that incident response teams should have in place to carry out or automate key incident response workflows, such as gathering and correlating security data, detecting incidents in real-time, and responding to in-progress attacks.

Some of the most commonly used incident response technologies include:

  • SIEM (security information and event management): SIEM aggregates and correlates security event data from disparate internal security tools (for example firewalls, vulnerability scanners, threat intelligence feeds) and from devices on the network. SIEM can help incident response teams fight ‘alert fatigue’ by surfacing indicators of actual threats from the huge volume of notifications these tools generate.
  • SOAR (security orchestration, automation, and response): SOAR enables security teams to define playbooks—formalized workflows that coordinate different security operations and tools in response to security incidents—and to automate portions of these workflows where possible.
  • EDR (endpoint detection and response): EDR is software that is designed to automatically protect an organization's end users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. EDR collects data continuously from all endpoints on the network; it analyzes the data in real time for evidence of known or suspected cyberthreats, and can respond automatically to prevent or minimize damage from threats it identifies.
  • XDR (extended detection and response): XDR is a cybersecurity technology that unifies security tools, control points, data and telemetry sources, and analytics across the hybrid IT environment (endpoints, networks, private and public clouds) to create a single, central enterprise system for threat prevention, detection, and response. A still-emerging technology, XDR has the potential to help overextended security teams and security operations centers (SOCs) do more with less by eliminating silos between security tools and automating response across the entire cyberthreat kill chain.
  • UEBA (user and entity behavior analytics): UEBA uses behavioral analytics, machine learning algorithms, and automation to identify abnormal and potentially dangerous user and device behavior. UEBA is effective at identifying insider threats—malicious insiders or hackers that use compromised insider credentials—that can elude other security tools because they mimic authorized network traffic. UEBA functionality is often included in SIEM, EDR, and XDR solutions.
  • ASM (attack surface management): ASM solutions automate the continuous discovery, analysis, remediation, and monitoring of the vulnerabilities and potential attack vectors across all the assets in an organization's attack surface. ASM can uncover previously unmonitored network assets, map relationships between assets,
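The UEBA entry above is the one least obvious to implement, because a compromised insider credential generates traffic that every signature-based tool accepts as legitimate. This added example (written for this page; not IBM's or any UEBA product's code) shows the core idea in its simplest statistical form: build a per-user baseline from constructed activity history, then score a new day's activity against that user's own history rather than against a global rule. The 3-standard-deviation threshold, the users, and the numbers are assumptions.

```python
"""UEBA-style anomaly scoring: per-user baselines from constructed history, then score new activity."""
import statistics
from collections import defaultdict

Z_THRESHOLD = 3.0  # assumption: standard deviations above the user's mean that count as anomalous

# Constructed history: one record per working day as (user, logon hour, MB uploaded externally).
HISTORY = (
    [("alice", h, mb) for h, mb in zip([8, 9, 9, 10, 8, 9, 9, 10, 8, 9],
                                      [100, 105, 110, 115, 120, 125, 130, 110, 115, 120])]
    + [("bob", h, mb) for h, mb in zip([9, 10, 11, 10, 9, 10, 11, 9, 10, 11],
                                      [20, 25, 30, 35, 40, 25, 30, 35, 20, 30])]
)

# Constructed activity for the day under review: alice's account logs on at 03:00 and
# uploads twenty times her usual volume; bob looks like any other day.
TODAY = [("alice", 3, 2400), ("bob", 10, 35)]

def build_baselines(history):
    """Per user: mean and sample std of upload volume, and the set of hours seen logging on."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for user, hour, mb in history:
        hours[user].add(hour)
        volumes[user].append(mb)
    return {u: {"mean": statistics.mean(v), "stdev": statistics.stdev(v), "hours": hours[u]}
            for u, v in volumes.items() if len(v) >= 2}  # stdev needs at least two samples

def score_activity(baselines, activity):
    """Flag each record against its user's own baseline; a user with no history is itself a flag."""
    results = {}
    for user, hour, mb in activity:
        flags = []
        base = baselines.get(user)
        if base is None:
            z = None
            flags.append("no_baseline")
        else:
            z = (mb - base["mean"]) / base["stdev"] if base["stdev"] > 0 else 0.0
            if z > Z_THRESHOLD:
                flags.append("volume_anomaly")
            if hour not in base["hours"]:
                flags.append("off_hours_logon")
        results[user] = {"z": z, "flags": flags, "risk": len(flags)}
    return results

def analyze(history=HISTORY, activity=TODAY):
    """Convenience wrapper: baseline the history, then score the activity."""
    return score_activity(build_baselines(history), activity)

if __name__ == "__main__":
    for user, r in analyze().items():
        print(user, r)
```

Real UEBA products use far richer features (peer groups, device and geolocation context, access patterns) and learned rather than fixed thresholds, but the defining property is the same: the question asked is "is this normal for this identity", which is what lets behaviour that is technically authorized still be flagged.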


NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

Incident Response Plans

A Small Business Guide to Incident Response Plans

As everyone now grudgingly accepts, cyberattacks upon a small business are no longer a matter of “if,” but “when.” Understanding and implementing a cybersecurity Incident Response Plan (IRP) can be the difference between a minor setback and a catastrophic failure. This brief article aims to demystify the IRP, highlight its significance, describe its relationship with Business Continuity Plans (BCP), and emphasize its importance for cyber insurance.

What is an Incident Response Plan?

An Incident Response Plan is a structured approach for handling and managing security breaches or cyberattacks. It outlines the procedures your team should follow to effectively identify, respond to, contain, and recover from cyber incidents. The primary goal of an IRP is to minimize the impact of security breaches while maintaining business operations and reducing recovery time and costs.

Major Components of an Incident Response Plan

An effective IRP comprises six critical components:

  • Preparation: This foundational step involves training your team, establishing communication protocols, and equipping your business with the necessary tools and technologies.
  • Identification: The ability to detect and identify a security incident quickly is crucial. This involves monitoring systems and networks for signs of a breach.
  • Containment: Once an incident is identified, immediate action to contain the threat is vital. This includes isolating affected systems to prevent further damage.
  • Eradication: With the threat contained, the next step is to remove it from your systems entirely, ensuring no remnants can cause additional harm.
  • Recovery: After eradication, restoring affected systems and returning to normal operations safely is essential. This also involves monitoring for any signs of re-infection.
  • Lessons Learned: Perhaps one of the most critical steps involves reviewing and analyzing the incident to improve future response efforts.

Relationship Between an IRP and a Business Continuity Plan

The relationship between an Incident Response Plan (IRP) and a Business Continuity Plan (BCP) is both complementary and critical, forming the backbone of a comprehensive risk management strategy for any business, especially small enterprises. While an IRP is laser-focused on identifying, responding to, and recovering from cyber incidents, a BCP takes a broader view, ensuring that a business can maintain or quickly resume its operations in the face of any disruption, not just cyber-related ones.

Integrating an IRP within a BCP is essential because cyber incidents are unique in their potential to disrupt business operations rapidly and profoundly.

A cyberattack can lead to data loss, financial strain, and damage to a business’s reputation. By having a well-defined IRP as part of a broader BCP, businesses ensure they are prepared not only to handle the immediate aftermath of a cyber incident but also to maintain operational continuity during recovery. This integration helps in prioritizing resources, streamlining communication channels, and minimizing downtime, which is crucial for small businesses where resources are often limited and the impact of disruptions can be significantly magnified.

Moreover, the process of creating and integrating an IRP with a BCP encourages businesses to conduct thorough risk assessments, identify critical assets, and understand their vulnerabilities. This holistic approach to planning enables businesses to develop more robust and resilient strategies, covering everything from technical responses to cyber incidents to maintaining customer service and supply chain continuity in various scenarios. In essence, while an IRP addresses the ‘how’ of responding to cyber threats, a BCP encompasses the ‘what next,’ ensuring the business’s survival and sustained success in the aftermath of an incident.

Importance of an IRP for Cyber Insurance

The importance of an Incident Response Plan (IRP) for obtaining and benefiting from cyber insurance cannot be overstated, especially in today’s digital-first business environment where cyber threats loom large. Cyber insurance policies are designed to mitigate the financial risks associated with data breaches and cyberattacks, covering costs such as legal fees, notification expenses, and even ransom payments. However, the terms, coverage, and premiums of these policies are significantly influenced by the perceived risk level of the insured entity.

Having a robust IRP demonstrates to insurers that a business takes cybersecurity seriously and has proactive measures in place to detect, respond to, and recover from incidents. This proactive stance is crucial because it directly impacts an insurer’s assessment of risk.

Businesses with comprehensive IRPs are often seen as lower risks, which can lead to more favorable insurance terms, including lower premiums and better coverage options.

Furthermore, in the event of a cyber incident, an effective IRP can streamline the recovery process, reducing the financial and operational impact. This efficiency not only aids in quicker claims processing but also minimizes the overall costs associated with the incident—costs that might otherwise be borne by the insurer. Consequently, insurers increasingly require evidence of an IRP during the underwriting process, recognizing that businesses with such plans are more likely to mitigate losses through swift and effective incident response actions. In essence, an IRP not only fortifies a business’s cybersecurity posture but also enhances its insurability, making it an indispensable tool in the modern business’s risk management and insurance strategy.

Why Every Small Business Needs an Incident Response Plan

The reality is stark. Small businesses are frequent targets for cyberattacks due to perceived vulnerabilities in their defenses. The impacts of such incidents can be devastating, ranging from financial losses to reputational damage. When an attack occurs, you won’t have time to start planning. An IRP serves as a critical defense mechanism, enabling swift action to mitigate these risks. It’s not just about recovery, but also about resilience, ensuring your business can withstand and bounce back from cyber threats.

Want to Learn More?

To further explore the concepts and benefits of an Incident Response Plan, please consider the following resources:

  • Cybersecurity & Infrastructure Security Agency (CISA) – Incident Response Guide
  • Federal Communications Commission (FCC) – Cybersecurity Planning Guide
  • Small Business Administration (SBA) – Cybersecurity Guide


Create an incident response plan

A workplace accident or emergency can be a traumatic experience and have a devastating effect on you, your staff and your business.

Having a plan for what to do in these situations can help ensure the continuity of your business.

What is an incident response plan

An incident response plan is a tool used to prepare your business for a disturbance or emergency. It is designed to reduce potential harm and damage to you and your business.

An incident response plan explains:

  • what actions need to be taken
  • how these actions will be completed
  • who will complete them.

An incident response plan is different to a crisis management plan, which deals with an incident that is out of control despite the incident response plan being actioned.

The incident response plan is a key component of your business continuity plan.


Business continuity plan template

The business continuity plan template includes an incident response plan section.

Download the business continuity planning template.

Managing priorities during an incident

During an incident or emergency, you may be faced with many issues happening at the same time which all need to be managed. A well-developed incident response plan will help you prioritise and delegate tasks during an emergency situation.

When developing your plan, consider how you and your staff will respond to:

  • physical danger—this is your first priority. Make sure everyone on your premises is safe and receives medical attention if needed.
  • feelings of stress, confusion or anger
  • intense or negative media attention
  • intense or negative responses from your stakeholders
  • limited time to make decisions
  • key staff being unavailable
  • interruptions to your key business operations.

What to include in your incident response plan

A typical incident response plan includes the following items.

Create a checklist for the first actions you'll take when actioning your plan. This may include:

  • evacuating and contacting emergency services
  • ensuring everyone on your premises is accounted for
  • briefing staff
  • identifying immediate damage.

Clearly explain how people will evacuate your premises. This may include:

  • a floor plan of the site
  • an evacuation map with meeting place highlighted
  • key contact names and phone numbers
  • a staff and visitor log for the day
  • a log of people present for completion once in the evacuation meeting place.

An emergency kit is a pack of important items, documents and equipment that you may need in the event of an incident or emergency. Keep your kit somewhere easily accessible so you can grab it if you need to leave quickly or evacuate.

A typical emergency kit contains:

  • checklists for potential disasters (e.g. cyclone, severe storm, flood, bushfire, IT threat)
  • first aid supplies
  • torches, radios and batteries
  • key computer data backed up onto an external hard drive or USB
  • key contact details (e.g. staff, emergency services, your accountant, power and water companies)
  • important business files (e.g. insurance policies, your business continuity plan , financial documents)
  • other items you may need (e.g. signs, beacons).

Clearly define which staff will be involved in an incident response, and what their duties will be. This may include:

  • nominating an incident response team leader
  • identifying key roles and who will fill them
  • defining the responsibilities of each role.

Develop a list of important contact information. This may include:

  • a list of internal contacts (e.g. staff)
  • a list of external contacts (e.g. security services, insurance company, utility companies)
  • emergency services contacts.

Use an event log to record information, decisions and actions during and immediately after an incident. This generally includes:

  • the date and time something has happened
  • details of the decision you are making, or action you are taking
  • who was involved.
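An added example, not part of the original guide, of keeping that event log in a form you can trust afterwards: each entry records the time, who was involved and the decision or action, and is chained to the previous entry by a SHA-256 hash, so an entry altered after the fact shows up when the log is verified during the post-incident review. The incident identifier, actors and actions used below are constructed.

```python
"""Hash-chained incident event log.

Added example, not from the original guide. Each entry records when
something happened, what was decided or done and who was involved, and is
linked to the previous entry by SHA-256, so an entry edited after the fact
is detected when the log is verified. Incident IDs, actors and actions in
the usage at the bottom are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # parent hash of the first entry (fixed, arbitrary value)
_FIELDS = ("seq", "time", "actor", "action", "prev")


def entry_hash(entry: Dict) -> str:
    """SHA-256 over a canonical JSON form of the hashed fields."""
    payload = json.dumps({k: entry[k] for k in _FIELDS},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: List[Dict] = []

    def record(self, actor: str, action: str, when: Optional[str] = None) -> Dict:
        """Append an entry. `when` is an ISO-8601 timestamp; defaults to now (UTC)."""
        if when is None:
            when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        entry = {
            "seq": len(self.entries) + 1,
            "time": when,
            "actor": actor,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry_hash(entry) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None


if __name__ == "__main__":
    log = IncidentLog("IR-2024-0001")  # constructed identifier
    log.record("IR lead", "Activated incident response plan", "2024-03-02T19:05:00+00:00")
    log.record("IT support", "Isolated FIN-PC-07 from the network", "2024-03-02T19:12:00+00:00")
    print(log.verify())  # (True, None)
    log.entries[1]["action"] = "Reimaged FIN-PC-07"  # someone rewrites history
    print(log.verify())  # (False, 2)
```

Write the entries out as they are made (to a file on another device, or to a shared channel) so the chain exists somewhere the people being reviewed cannot quietly replace it; the hash chain only proves that what you hold is unaltered since it was written.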

Work-related death, a serious injury or illness, or a dangerous incident

If an injury, illness or dangerous incident has occurred in your workplace you may be legally required to notify Workplace Health and Safety Queensland (WHSQ).

Learn about reporting incidents to WHSQ.

Storing your incident response plan

Consider how you might need to use your plan in an emergency and who might need to access it. Make sure you and other key people can access your plan both on-site and off-site. You could:

  • keep a copy of your plan in the cloud
  • keep a copy in another location
  • use incident management software
  • use internal apps or platforms.

Incident response team

Consider who is the best person to be your incident response team leader—as the business owner, this may not always be you. You may prefer to delegate this responsibility to a trusted senior staff member who:

  • has prior experience
  • is more regularly at your premises
  • you can train to take charge.

Following an incident, employees critical to your business will need to focus on continuing the business, dealing with suppliers, customers, and other key stakeholders such as banks and insurance companies.

When planning your emergency response team, ensure you have suitable people in roles you know they are comfortable and can perform well in. Multiple roles can be performed by the same person if needed.

Even though your business may have a thorough incident response plan, emergency services may assume responsibility during an emergency situation.

Post-incident review

Review your incident response procedures after an event or training session to identify gaps or areas where you can improve. Ask for feedback from everyone involved in the incident or training to ensure you pick up on issues from all areas of the response.

Incident response case studies

A fire breaks out in your business, but the staff member who is your appointed fire warden is on leave. Due to regular incident training, you had identified this as a potential risk, and had trained a backup fire warden to carry out the incident response plan.

The plan involved:

  • calling 000
  • conducting an emergency evacuation
  • conducting a head count to ensure all staff and visitors were out of the building
  • directing when and how fire extinguishers and fire blankets were to be used and by whom.

Ensure all staff are fully trained in your incident response plan, and know how to follow it should an incident occur.

Conducting regular practice drills within your workplace (e.g. a fire drill) will help all staff know the steps to take when an incident occurs. It will also help you to identify areas that need improvement, and make tweaks to your plan.

A small business had a ransomware attack on a computer. Ransomware is malicious software that encrypts or locks computer data until the business pays money to the attacker.

The business incident response plan included a checklist of immediate steps to take, including:

  • removing the computer from the network to prevent the spread to other computers and devices
  • confirming that the regular backups of all files exist and were taken before the infection, so they can be loaded onto another computer with no ransomware
  • contacting external technical support to remove the ransomware
  • checking for breaches of data security through an external specialist
  • reloading backed up files to the cleaned computer
  • conducting a post-incident review.
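The step that goes wrong most often in this scenario is the restore: a backup taken after the infection contains the encrypted files (or the ransomware itself), and restoring it puts you back where you started. The example below is added here and is not from the original guide; it picks the latest snapshot taken before the estimated time of compromise, with an optional safety margin for the uncertainty in that estimate, and checks the restored files against the hash manifest the backup job recorded. Snapshots, timestamps and file contents are constructed in memory.

```python
"""Choose a ransomware-free backup snapshot and verify what it restores.

Added example, not from the original guide. Snapshots, timestamps and file
contents are constructed in memory; a real restore would read them from
backup media and the manifest written by the backup job.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# A snapshot is (taken_at, files, manifest); the manifest maps path -> sha256
Snapshot = Tuple[datetime, Dict[str, bytes], Dict[str, str]]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_snapshot(taken_at: datetime, files: Dict[str, bytes]) -> Snapshot:
    # The manifest is written at backup time; a restore is checked against it
    return taken_at, files, {path: sha256(blob) for path, blob in files.items()}


# Constructed backup history for the affected computer
_CLEAN_FILES = {"ledger.xlsx": b"2024 ledger, version 12",
                "clients.csv": b"acme,contact@acme.test"}
_ENCRYPTED_FILES = {"ledger.xlsx.locked": b"\x8f\x1e\x02\x77",
                    "clients.csv.locked": b"\x41\x99\x05\x0c",
                    "RESTORE_FILES.txt": b"pay to decrypt"}
SNAPSHOTS: List[Snapshot] = [
    make_snapshot(datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc), _CLEAN_FILES),
    make_snapshot(datetime(2024, 3, 2, 2, 0, tzinfo=timezone.utc), _CLEAN_FILES),
    make_snapshot(datetime(2024, 3, 3, 2, 0, tzinfo=timezone.utc), _ENCRYPTED_FILES),  # after infection
]

# Earliest suspicious event found during the investigation (constructed):
# the first ".locked" file written on the host
COMPROMISE_TIME = datetime(2024, 3, 2, 18, 40, tzinfo=timezone.utc)


def select_clean_snapshot(snapshots: List[Snapshot], compromise_time: datetime,
                          margin: timedelta = timedelta(0)) -> Optional[Snapshot]:
    """Latest snapshot taken at least `margin` before the compromise, or None.

    The margin allows for uncertainty about when the attacker first got in:
    the encryption is often the last step, long after the initial foothold.
    """
    cutoff = compromise_time - margin
    candidates = [s for s in snapshots if s[0] < cutoff]
    return max(candidates, key=lambda s: s[0]) if candidates else None


def verify_restore(restored: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Paths that are missing or whose content no longer matches the manifest."""
    bad = [path for path, digest in manifest.items()
           if path not in restored or sha256(restored[path]) != digest]
    return sorted(bad)


if __name__ == "__main__":
    chosen = select_clean_snapshot(SNAPSHOTS, COMPROMISE_TIME, margin=timedelta(hours=12))
    if chosen is None:
        print("no snapshot predates the compromise; do not restore")
    else:
        taken_at, files, manifest = chosen
        print("restoring snapshot from", taken_at.isoformat(), "mismatches:", verify_restore(files, manifest))
```

If no snapshot qualifies, that is the answer the checklist needs before the restore step, not after it; it is also the point at which the backup rotation policy becomes a lessons-learned item.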

Read more about online risks and IT security.

Also consider...

  • Find out about writing a business continuity plan.
  • Read how to develop a recovery plan.
  • Last reviewed: 24 Nov 2022
  • Last updated: 24 Nov 2022

Risk Publishing

Incident Response Plan vs Business Continuity Plan

May 8, 2023


An Incident Response Plan (IRP) and a Business Continuity Plan (BCP) are two key components of a comprehensive risk management strategy. They have different goals but complement each other, and understanding the difference between them helps you create a contingency plan that covers all of your business’s needs. Both are documents an organization should have in place to protect its data and operations, but they serve different purposes.

An incident response plan is designed to help an organization respond quickly and effectively to security incidents such as data breaches, malware attacks, or other cyber threats. It is a separate document from the disaster recovery plan.

It outlines the steps that should be taken in each phase of incident response, including detection, containment, eradication, recovery, and post-incident analysis.

An effective IRP should also include roles and responsibilities for each team member involved in the process.

On the other hand, a business continuity plan is designed to help an organization prepare for unexpected events that could disrupt its operations. This includes natural disasters such as floods or earthquakes and human-caused disruptions like power outages or cyberattacks.

A BCP outlines the processes and procedures necessary for keeping critical operations running during these events. It also includes strategies for restoring normal operations once the event has passed.

Both an incident response plan and a business continuity plan are essential components of an organization’s cybersecurity strategy and of its business continuity management.

They provide guidance on how to respond to incidents quickly and efficiently while minimizing disruption to operations so that businesses can remain secure and resilient in the face of any threat.


What is an Incident Response Plan?

An incident response plan (IRP) is a set of documented procedures that outlines the steps to be taken in the event of a security incident. It should include details on detecting, responding to, and limiting the consequences of malicious cyber activity.

The plan should also identify roles and responsibilities for security team members, provide guidance on how to communicate with stakeholders, and set out response procedures for the specific kinds of attack and cyber incident the organization expects to face.

The incident response plan typically consists of six phases: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation involves creating an inventory of assets and identifying potential threats.

Identification is when the security team identifies a malicious event or breach. Containment focuses on limiting the scope and impact of an attack by isolating affected systems or networks.

Eradication involves removing any malicious code or actors from the system. Recovery focuses on restoring normal operations while maintaining data integrity. Finally, the lessons learned phase looks at what went wrong during the incident and how it can be prevented in future incidents.

An IRP is designed to address specific incidents or emergencies. It outlines how the organization will respond if it faces an incident or emergency, such as a natural disaster, security breach, or power outage.

The plan should include details on how to alert employees, customers, and other stakeholders; assign roles and responsibilities; assess the damage; take corrective action; and restore operations as quickly as possible.

It should also include information on where to find critical data, such as customer records or financial documents, in case they are destroyed or lost during the incident.

What is a Business Continuity Plan?

A BCP focuses more broadly on how to maintain operations in spite of disruptions, anything from natural disasters to computer system failures. Where an IRP concentrates on responding to an emergency once it has occurred, a BCP works ahead of time: it identifies the disruptions that could stop the business, reduces the likelihood of those it can, and prepares strategies for continuing to operate through those it cannot.

A well-crafted BCP will also provide guidance on testing processes and procedures before an incident occurs so that businesses can be sure their plans are effective when needed most.

What’s the difference between BCPs, DRPs, & Incident Response Plans

Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs), and Incident Response Plans (IRPs) are all important components of an organization’s contingency planning. BCPs are designed to help organizations prepare for and recover from any disruption, whether natural disasters, cyber-attacks, or other unforeseen events.

DRPs focus on the recovery of IT systems and data after a disaster or cyber incident has occurred. IRPs are specific procedures that should be followed when responding to a cyber-attack or other security incident.


Why is an Incident Response Plan Critical to Maintain Business Continuity?

No business connected to the internet is immune to attack, so “it won’t happen to us” is not a plan. Once someone gains unauthorized access to a computer network or other device, the effects can quickly become overwhelming. Disaster recovery and incident response plans help reduce that risk and prepare for the future.

A prepared response reduces the time and cost of a security incident or data breach: it tells the team how to preserve and analyze digital forensic evidence, shortens recovery time, and limits customer churn and negative publicity. According to the Ponemon Institute, the average cost of a data breach is about $3.6 million.

Who is Responsible for Developing an Incident Response Plan?

A computer security incident response team (CSIRT) assesses, classifies, and addresses security incidents that are relevant to the business. The team needs both security specialists, who carry out the technical and operational measures, and support for the people affected, which is where human resources comes in.

The incident response manager supervises the investigation, monitoring, and recovery for a specific incident, and is the point from which a serious breach is communicated to other employees, regulatory agencies, customers, and the public.

The individual or team responsible for developing the IRP should know the organization’s IT infrastructure and security policies and have experience with incident response processes and procedures. In addition to developing the plan, they should be responsible for training staff on how to use it when a security incident occurs.

Developing Incident response plans and business continuity plans

Identify the plan’s objectives and goals.

Your goal is to maintain business continuity: to ensure that you can still perform the key activities of your essential business operations. These span the organization, from operations personnel to public relations and communications.

Each business has its own critical goals, which vary with the type and size of the company. Once your goals are identified, map your strategic plans to them and make sure the objectives are understood by everyone involved.

Identify the important business functions ​

Decide which functions your business cannot operate without, and whether your own staff will form the emergency response team or you will need outside emergency management services. Beyond meeting customer needs, a company typically has to keep materials supplied, track inventory, and meet shipping targets; the plan must keep those functions running.

Identify the threat

The only way to respond to a security threat proportionately is to evaluate its severity. Start with the infected hardware, the “patient zero”, and find out how the incident was triggered.

Identifying the incident accurately is what tells you whether conditions are deteriorating. Rather than simply wiping and re-imaging the infected device, first extract every distinct indicator of compromise from it (such as file hashes, domain names and IP addresses), then use those indicators to search your entire estate for further evidence of compromise.
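An added example of that sweep, not from the original article: indicators recovered from patient zero (a file hash, a domain, an IP address) are searched across log lines from every host, and the result tells you which other machines need the same containment. The indicators and log lines are constructed (reserved .test domains, private addresses). Two details matter in practice and are handled here: a domain indicator should also match its subdomains, and tokens are matched whole so that 10.66.1.230 does not match an indicator of 10.66.1.23.

```python
"""Sweep logs for indicators of compromise taken from patient zero.

Added example, not from the original article. The indicators and the log
lines are constructed: domains use the reserved .test TLD and addresses are
from private ranges, so nothing here refers to a real host.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Set

# Indicators recovered from the first infected device (constructed values)
PATIENT_ZERO_IOCS: Dict[str, Set[str]] = {
    "sha256": {"3c9f1b5e7a2d4c6f8e0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6"},
    "domain": {"update-cdn.evil-example.test"},
    "ip": {"10.66.1.23"},
}

# Constructed log lines from several hosts, format: "<host> <source> <message>"
SAMPLE_LOGS = """\
FIN-PC-07 dns query update-cdn.evil-example.test
FIN-PC-07 edr hash=3c9f1b5e7a2d4c6f8e0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6 path=C:\\Users\\pat\\invoice.exe
HR-LT-02 dns query www.example.test
HR-LT-02 proxy CONNECT 10.66.1.23:443
OPS-SRV-01 proxy CONNECT 10.66.1.230:443
WH-PC-11 dns query sub.update-cdn.evil-example.test
"""

_HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(seen: str, ioc: str) -> bool:
    """True for the indicator itself or any subdomain of it, never a superstring."""
    seen, ioc = seen.lower(), ioc.lower()
    return seen == ioc or seen.endswith("." + ioc)


def sweep(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {host: matched indicators} for every host that shows any indicator."""
    hashes = {h.lower() for h in iocs.get("sha256", set())}
    ips = set(iocs.get("ip", set()))
    domains = set(iocs.get("domain", set()))
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        host, _source, message = line.split(" ", 2)
        # Tokenise with anchored patterns first, so 10.66.1.230 does not
        # match the indicator 10.66.1.23 and a hash is compared whole.
        for h in _HASH_RE.findall(message):
            if h.lower() in hashes:
                hits[host].add(h.lower())
        for ip in _IP_RE.findall(message):
            if ip in ips:
                hits[host].add(ip)
        for d in _DOMAIN_RE.findall(message):
            for ioc in domains:
                if domain_matches(d, ioc):
                    hits[host].add(ioc)
    return dict(hits)


if __name__ == "__main__":
    for host, matched in sorted(sweep(SAMPLE_LOGS.splitlines(), PATIENT_ZERO_IOCS).items()):
        print(host, sorted(matched))
```

Every host the sweep returns is a candidate for the same isolation step as patient zero, and each one is also a new source of indicators; re-run the sweep with those added until nothing new appears.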


Create an Incident Response Team

The response to incidents must involve a number of cross-functional leadership roles, plus anyone else you believe is useful to the group. Designate a leader who is capable of making the right decisions and keeping the response moving.

Between them, team members should cover the relevant technical and non-technical domains; forensic investigation is one example of a specialism you may need. Where those skills are not in-house, arrange access to outside incident-handling specialists before you need them.

Establish a communication plan

In the event of a catastrophe, a proper crisis communications plan is required. You need a strategy for communicating effectively with stakeholders inside and outside your organization. During an emergency, time and channels are limited, so pre-write template messages for vendors, partners, and staff. A carefully planned communication plan lets the incident response team coordinate its activity more effectively.

Conduct a Risk Assessment and Business Impact Analysis (BIA)

The risk assessment identifies the significant threats to the organisation; the BIA identifies which business functions are critical and what the impact of losing each of them would be over time.

Keep the plan updated ​

Business continuity planning is an ongoing process, not a one-off document. Evaluate the plan’s effectiveness continuously, test the team’s readiness through simulation exercises, and adjust and review the plan based on what those tests show.

Backup the important data ​

Take a copy of anything you can’t afford to lose, from client information and employee records to company e-mail. Backups must also be easy to reach in a disaster, so the firm can get back up quickly.

Many organisations store large amounts of information online but still rely on paper documents such as contracts, tax returns, and payroll records. Make sure these are copied too, by scanning them into the backup set or keeping duplicates at another location.

What is the importance of an incident management plan? ​

Ignoring the possibility of disruption would be a serious mistake. Managing your business means planning for it. Disruptions are dangerous for companies of every size, including the smallest.

Many small businesses that suffer a major disruption are in financial trouble within a year; they risk losing their customers, revenue, and good reputation.

Continue Business Operations

An incident management plan helps keep your business operating when a crisis strikes, which also reduces financial losses. It gives everyone involved a sense of security and reassurance that the business will continue. Communication across the organisation is essential for keeping all employees informed.

That is harder in organisations with many employees working remotely or with offices around the world, so look at introducing tools that make instant, easy communication possible.

Gain competitive advantage

An effective emergency response plan makes it easier to win and keep customers: how you respond to a crisis reflects directly on your business reputation. Being prepared to act quickly is a genuine advantage over competitors who are not.

Protect Your Supply Chain

Remember that natural disasters also affect your suppliers. Spread risk across the supply chain so that your plan provides for supply chain stability.

Reduce Financial Risk

Rapid action during a crisis reduces downtime, and longer downtime means greater costs and increased risk. Minimise the damage by restoring or replacing affected equipment and systems as quickly as possible.

When designing your organization’s risk management strategy , it’s important to consider both an Incident Response Plan and a Business Continuity Plan. While they have different goals—the former addressing specific incidents while the latter looking at broader strategies for maintaining operations—they can complement each other when properly implemented.


Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.


Developing your incident response plan (ITSAP.40.003)

From: Canadian Centre for Cyber Security

Awareness series

ITSAP.40.003

May 2021 | Awareness series

Alternate format: Developing your incident response plan ITSAP.40.003 (PDF, 283 KB)

Your incident response plan includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from incidents. Cyber threats, natural disasters, and unplanned outages are examples of incidents that will impact your network, systems, and devices. When you have a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly.

Before creating a plan

Before you create an incident response plan, determine what information and systems are of value to your organization. Determine the types of incidents you might face and what would be an appropriate response. Consider who is qualified to be on the response team and how you will inform your organization of your plan and associated policies and procedures.


Conduct a risk assessment

The results of your risk assessment inform your response plan. A risk assessment will identify your assets and analyze the likelihood and impact of your assets being compromised. With your risks and potential threats clearly identified, you can prioritize your response efforts. Some questions to answer during the assessment include:

  • What data is valuable to your organization?
  • Which business areas handle sensitive data?
  • What controls do you currently have in place?
  • Can this lead to a privacy breach for your organization?


Develop your policies

Your incident response activities need to align with your organization’s policy and compliance requirements.

Write an incident response policy that establishes the authorities, roles, and responsibilities for your incident response procedures and processes. This policy should be approved by your organization’s senior management and executives.


Establish your response team

The goal of your team is to assess, document, and respond to incidents, restore your systems, recover information, and reduce the risk of the incident reoccurring.

Your team should include employees with various qualifications and have cross-functional support from other business lines.

Roles to consider for your incident response team include:

  • Incident handler
  • Technical lead
  • Human resources specialist
  • Communications advisor
  • Data analysts

Incidents are unpredictable and require immediate response. Ensure you designate backup responders to act during any absences when an incident occurs.


Create your communications plan

Your plan should detail how, when, and with whom your team communicates. This plan should include a central point of contact for employees to report suspected or known incidents.

Your notification procedures are critical to the success of your incident response. Identify the internal and external key stakeholders who will be notified during an incident. You may have to alert third parties, such as clients and managed service providers. Depending on the incident, you may need to contact law enforcement or consider engaging a lawyer for advice.


Educate your employees

Update your employees on current incident response planning and execution.

Tailor your training programs to your organization’s business needs and requirements, as well as your employees’ roles and responsibilities. A well-trained workforce can defend against incidents.


An event is an observable occurrence in a system or network (e.g. a user sending email).

An incident is an adverse event in an information system or network, or the threat of such an event.

An environment is your network and everything attached to it, such as peripheral devices (e.g. printers, computers, routers). Is your environment open to everyone or is it secure?

An open environment allows information to be transmitted in and out of the network, without restrictions.

A secured environment restricts what information is allowed in and out of the network.

Create your incident response plan

Your incident response plan should define the objectives, stakeholders, responsibilities, communication methods, and escalation processes used throughout the incident response lifecycle. Keep the plan simple and flexible. Test, revisit, and revise it annually to keep it effective. The following list details the phases of the incident response life cycle which can be followed to structure your plan.

Lay out the objectives of your incident response strategy, as well as your related policies and procedures. Define your goals to improve security, visibility, and recovery.

Implement a reliable backup process to create copies of your data and systems and help you restore them during an outage.

Have a detailed strategy for updating and patching your software and hardware. Use this strategy to track and fix vulnerabilities and mitigate the occurrence and severity of incidents.

Develop exercises to test your plan and response. You can revise and improve your plan using your test results.

Monitor your networks, systems, and connected devices to identify potential threats. Produce reports on a regular basis and document events and potential incidents. Analyze these occurrences and determine whether you need to activate your incident response plan. Determine the frequency and intensity of your monitoring. You may want to consider monitoring your networks on a 24/7 basis or in a more ad hoc manner.

Gain an understanding of the issue so you can contain the threat and apply effective mitigation measures.

An effective containment measure is disabling connectivity to the affected systems and devices so the threat actor cannot cause further damage. It might be necessary to isolate all systems and suspend employee access temporarily to detect and stop further intrusions. Where you can, isolate at the network rather than powering devices off: evidence held only in memory is lost at power-off, and you will want it for the analysis that follows.

Eradicate the intrusion by restoring your systems from a backup, making sure the backup was taken before the compromise; otherwise you restore the intrusion along with the data. You should also run anti-malware and anti-virus software on all systems and connected devices. If you uncover vulnerabilities, you will need to patch and update your devices.

Preserve evidence and supporting documentation to assist in your analysis of the incident.

4- Understand

Identify the root cause of the incident and collaborate with the response team to determine what can be improved. Evaluate your incident response processes and highlight what went well and which areas require improvement. Create a lessons learned document that details how you will adjust and improve your plan for future incidents.

Document the steps taken to uncover and resolve the incident. This will assist you in responding to future incidents by providing insight into possible mitigation measures and lessons learned to offer a faster, more effective recovery.

Types of incidents

Ransomware is a type of malware that locks you out of files or systems until you pay a ransom to a threat actor. Payment doesn’t guarantee you will regain access to your information.

Data theft occurs when threat actors steal information stored on servers and devices. The data is most commonly accessed using stolen user credentials. Advanced persistent threat (APT) is one method of data theft where a threat actor gains prolonged access to a network without being identified. APT allows attackers to monitor traffic, access sensitive information, and steal data over a prolonged period of time.

Active exploitation takes advantage of unpatched software, hardware, or other vulnerabilities to gain control of your systems, networks, and devices. These attacks can go unnoticed before you have the opportunity to apply a patch or update. Your plan should provide instructions for mitigating active exploitation, such as temporarily suspending Internet access or ceasing online activity.

In-house or professional services

When developing your response plan, determine which actions and services you can conduct internally and which you will outsource. Professional services can be engaged to assist with incident response initiatives such as developing your plan, determining your backup processes, and monitoring and patching your systems.

If you want to learn more about some of the key points identified here, check out the following publications.

  • Ransomware: How to prevent and recover (ITSAP.00.099)
  • Developing your IT recovery plan (ITSAP.40.004)
  • Have you been hacked? (ITSAP.00.015)
  • Preventative security tools (ITSAP.00.058)
  • Tips for backing up your information (ITSAP.40.002)
  • Offer tailored cyber security training to your employees (ITSAP.10.093)

Business Continuity as Part of Your Incident Response Plan

An incident response (IR) plan without a business continuity component is like a house without a roof — seven months out of the year you could be just fine, but when winter comes, you’re in trouble. The incident response plan reviews and responds to any cybersecurity incident or attack which may, or may not, disrupt business operations. Either way, including a business continuity component is the proactive way to support business operations and critical infrastructure.

Having some critical steps related to business continuity can mean the difference between costly downtime or a barely noticed disruption. Business continuity as a part of your incident response plan prepares you to minimize the impact of an attack while finding and fixing the cause to prevent further damage.

While business continuity often lives within the IT department, when an incident results in an intrusion, the cybersecurity team is a key partner in minimizing the impact on the business. With this in mind, this checklist outlines how to incorporate business continuity steps within your incident response plan.

COMMENTS

  1. Incident Response Plan: How to Build, Examples, Template

    A well-designed incident response plan can be the crucial differentiator that enables an organization to quickly contain the damage from an incident and rapidly recover normal business operations. Companies developing their incident response plans should follow these steps. Step 1. Create a policy.

  2. PDF Incident Response Plan (IRP) Basics

    An Incident Response Plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident. Your IRP will clarify roles and responsibilities and will provide guidance on key activities. It should also include a cybersecurity list of key ...

  3. How to Create an Incident Response Plan (Detailed Guide)

    A Business Continuity Plan will help get the business back up and running to meet its minimal SLA expectations, and a disaster recovery plan will help the business return to its original operational state before the attack. ... An incident response plan is also a requirement for certain cybersecurity regulations, including: HIPAA - Security ...

  5. Incident Response Plan 101: How to Build On

    Preparation - Perform a risk assessment and prioritize security issues, identify which are the most sensitive assets, and which critical security incidents the team should focus on. Create a communication plan, document roles, responsibilities, and processes, and recruit members to the Cyber Incident Response Team (CIRT). 2.

  6. How to Create an Incident Response Plan + Template

    1. Create an incident response policy. Before starting an incident response plan, you need to establish your organization's incident response policy. This policy is the foundation for your incident response program and should: Define which events are considered incidents.

  7. Incident Response Plan: Frameworks and Steps

    Define the CSIRT (Computer Security Incident Response Team) To act quickly and completely while an incident is unfolding, everyone on the CSIRT needs to know their responsibilities and the decisions that are theirs to make. The CSIRT should include a cross section of business and technical experts with the authority to take action in support of ...

  8. Incident Response Plan: Best Practices & Examples (Free Template)

    Effective incident response can help minimize downtime and disruption to business operations in the event of a security incident. It includes procedures for post-incident recovery and restoration of systems and data. The plan also helps with the protection of sensitive data as it mitigates the risk of data breaches by providing protocols for securing and safeguarding sensitive information.

  9. What is an Incident Response Plan and How to Create One

    It is crucial a business has an incident response plan so that under the pressure of an incident the correct decisions can be made to bring the situation back under control. A cybersecurity incident can be a very daunting situation, if the response is not conducted in an orchestrated manner then the potential outcome could result in severe ...

  10. How to Create an Incident Response Plan (+ Free Template)

    Your business may only need Google Docs or Microsoft Word for documenting an incident response plan. But you may want software with additional capabilities for creating and updating documents ...

  11. What Is an Incident Response Plan for IT?

    An incident response plan often includes: A list of roles and responsibilities for the incident response team members. A business continuity plan. A summary of the tools, technologies, and physical resources that must be in place. A list of critical network and data recovery processes. Communications, both internal and external. 5. Train your ...

  12. Improved incident response planning is a business necessity

    Credit: VioletaStoimenova. Chief information security officers (CISOs) understand the importance of having an incident response plan in place to help decrease the impact of a cyberattack. That's ...

  13. What Is an Incident Response Plan and How to Create One

    An effective incident response (IR) plan is a combination of people, processes and technologies that is documented, tested and trained in the event of a security incident. Incident response plans are designed to prevent data and monetary loss while supporting the restoration of regular business operations.

  14. How to Create and Test an Incident Response Plan: A Guide for Businesses

    An incident response plan is a written document that outlines the steps your organization will take in response to a security incident, such as a data breach, malware attack, or network outage. The goal of an IRP is to minimize the impact of the incident, restore normal business operations quickly, and prevent similar incidents from occurring ...

  15. Incident Response [Beginner's Guide]

    An incident response plan is a document that outlines an organization's procedures, steps, and responsibilities of its incident response program. Incident response planning often includes the following details: how incident response supports the organization's broader mission. the organization's approach to incident response.

  16. The SMB Owner's Guide to Incident Response Plans

    Simply put, an incident response plan can save your business. The Verizon Data Breach Investigations Report found that 71% of cyberattacks target businesses with fewer than 100 employees, ...

  17. What is Incident Response? Plan and Steps

    Incident response typically starts when the security team gets a credible alert from a security information and event management (SIEM) system. Team members need to verify that the event qualifies as an incident and then isolate infected systems and remove the threat. If the incident is severe or takes a long time to resolve, organizations may ...

  18. What is Incident Response?

    Incident response planning. As noted previously, an organization's incident response efforts are guided by an incident response plan. Typically these are created and executed by a computer security incident response team (CSIRT) made up of stakeholders from across the organization—the chief information security officer (CISO), security operations center (SOC) and IT staff, but also ...

  19. A Small Business Guide to Incident Response Plans (IRP)

    An Incident Response Plan is a structured approach for handling and managing security breaches or cyberattacks. It outlines the procedures your team should follow to effectively identify, respond to, contain, and recover from cyber incidents. The primary goal of an IRP is to minimize the impact of security breaches while maintaining business ...

  20. How to Create an Incident Response Plan for Your Business

    The best way to prepare is to take stock of your technology and systems, identify the most likely threats, and enlist your team of experts to help you create and implement your response plan. 1 ...

  21. Incident Response Plan: How To Protect Your Business

    An incident response plan establishes a transparent chain of command, ensuring that the right individuals are notified and involved in incident handling, thus reducing confusion. This promotes efficient communication, coordination, and decision-making during high-pressure situations. 3. Improve compliance.

  22. Create an incident response plan

    What is an incident response plan. An incident response plan is a tool used to prepare your business for a disturbance or emergency. It is designed to reduce potential harm and damage to you and your business. An incident response plan explains: what actions need to be taken. how these actions will be completed. who will complete them.

  23. Incident Response Plan Vs Business Continuity Plan

    An incident response plan (IRP) and a business continuity plan (BCP) are two important documents that organizations should have in place to protect their data and operations. While they are both essential for any organization, they serve different purposes. An incident response plan is designed to help an organization respond quickly and effectively to security incidents such as data breaches ...

  24. Developing your incident response plan (ITSAP.40.003)

    Alternate format: Developing your incident response plan ITSAP.40.003 (PDF, 283 KB ) Your incident response plan includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from incidents. Cyber threats, natural disasters, and unplanned outages are examples of incidents that will ...
