Everything You Need to Know About Incident Response Plans

Oct 15, 2020 | Security


So often, the primary focus of a security program is keeping the dangers of cyberspace out: phishing campaigns, malware, network intrusion and ransomware. But what happens when an incident does take place? Organizations need a robust and thorough Incident Response Plan (IRP) that governs how they respond to and recover from a security incident.

Your IRP isn’t a stand-alone document. It should be part of a comprehensive and strategic contingency effort, combined with business continuity planning, crisis management, disaster recovery, and life safety.

How Your IRP Fits Into Your Contingency Plan

Your Incident Response Plan (IRP) is one of several components in your business’s overarching contingency plan. The contingency plan itself lives at the highest level – policy and executive summary.

Before creating an IRP, businesses should address the pre-planning and strategy phase of the contingency plan, which consists of a Business Impact Analysis (BIA). Incident response planning is one of several plan and action steps that fall underneath the BIA. Others include business continuity, crisis management, disaster recovery, and life safety.

These plans and action steps are based on your business’s unique environment. Your BIA findings should help guide you in planning these steps.

Overall, contingency planning is made up of seven steps (the same seven-step process described in NIST SP 800-34):

  1. Develop a contingency planning policy statement.
  2. Conduct the BIA.
  3. Identify preventive controls.
  4. Develop recovery strategies (backups, redundancy, alternate places to work).
  5. Develop contingency plans (who does what, goes where, works how?).
  6. Conduct plan testing, training, and exercises.
  7. Maintain the plans.

The Basics of an IRP

You will notice that steps 3, 4, and 5 of your contingency plan outline your IRP. In the IRP, you expand that outline with more detailed information. Each incident response plan should consist of the following seven components.

#1. Incident Identification
Your IRP should clearly define what is considered an event and what is considered an incident. An event is any observable occurrence on a system or network (a login, a blocked connection, an alert); an incident is an event that violates, or imminently threatens to violate, your security policy. Each has a different response path, so spelling out how to tell them apart is essential.

#2. Incident Assessment
Once an incident is identified, document how its severity and its impact on the company will be assessed. Define who performs that assessment and how quickly it must be completed.
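The two components above become concrete once the rules are written down. The Python below is an added example, not code from the original article: it triages a handful of constructed events into plain events versus incidents and scores each incident with a rubric modelled on the prioritization factors in NIST SP 800-61 (functional impact, information impact, recoverability). The 0..3 scale, the scoring rule, the assessment owners and the deadlines are assumptions to be replaced with your own definitions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Event:
    """One observable occurrence reported by monitoring (constructed for this example).

    The impact fields follow the NIST SP 800-61 prioritization factors; the
    0..3 scale is an assumption made for this example.
    """
    event_id: str
    description: str
    policy_violation: bool   # violates, or imminently threatens, security policy
    functional_impact: int   # 0 none .. 3 critical services unavailable
    information_impact: int  # 0 none .. 3 sensitive data confirmed exfiltrated
    recoverability: int      # 0 routine recovery .. 3 not recoverable


# Assumed assignment rule: who assesses an incident and how soon (hours).
ASSESSMENT_SLA = {
    Severity.HIGH: ("incident commander", 1),
    Severity.MEDIUM: ("IR team lead", 4),
    Severity.LOW: ("on-call analyst", 24),
}


def is_incident(event: Event) -> bool:
    """An event becomes an incident when it breaches (or imminently threatens) policy."""
    return event.policy_violation


def severity(event: Event) -> Severity:
    """Assumed rubric: take the worse of functional and information impact, raise it
    one level when recovery needs more than routine effort, and cap at HIGH."""
    for value in (event.functional_impact, event.information_impact, event.recoverability):
        if not 0 <= value <= 3:
            raise ValueError(f"{event.event_id}: impact scores must be 0..3, got {value}")
    base = max(event.functional_impact, event.information_impact)
    if event.recoverability >= 2:
        base += 1
    return Severity(min(max(base, Severity.LOW), Severity.HIGH))


def triage(events):
    """Split events into incidents (with assessor and deadline) and events to log only.

    Incidents come back highest severity first so the assessor works the queue
    in priority order; the sort is stable, so equal severities keep arrival order.
    """
    incidents, log_only = [], []
    for event in events:
        if not is_incident(event):
            log_only.append(event.event_id)
            continue
        sev = severity(event)
        assessor, hours = ASSESSMENT_SLA[sev]
        incidents.append({
            "id": event.event_id,
            "severity": sev.name,
            "assessor": assessor,
            "assess_within_hours": hours,
        })
    incidents.sort(key=lambda row: Severity[row["severity"]], reverse=True)
    return incidents, log_only


# Constructed sample input; none of these describe a real system.
SAMPLE_EVENTS = [
    Event("EVT-1", "single failed VPN login, user succeeded on retry", False, 0, 0, 0),
    Event("EVT-2", "commodity malware on one workstation, quarantined by AV", True, 1, 0, 0),
    Event("EVT-3", "ransomware encrypting the main file server", True, 3, 2, 2),
    Event("EVT-4", "customer PII uploaded to an unknown external host", True, 1, 3, 1),
    Event("EVT-5", "user entered credentials on a phishing page, password reset", True, 1, 2, 0),
]


if __name__ == "__main__":
    queue, logged = triage(SAMPLE_EVENTS)
    for row in queue:
        print(f"{row['id']}: {row['severity']:<6} -> {row['assessor']} within {row['assess_within_hours']}h")
    print("logged as events only:", ", ".join(logged))
```

The point of putting this in code rather than a table is that the plan's definitions become testable: when the rubric changes, the sample events show immediately which incidents move between assessors and deadlines.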

#3. Lessons Learned
In this step, conduct a post-mortem of the incident to determine the root cause and to discuss how well your team handled it. Documenting the incident, how it was identified and how it was resolved is critical to improving your IRP in the future.

#4. Annual Review & Testing
An IRP on paper only counts for something if it works during an actual incident. Testing the plan from start to finish shows what works well and where the gaps are, so you can enhance the process before you need it.

#5. Responses to Specific Scenarios
Planning for specific incidents that are more prevalent in your industry, as well as those that could impact any organization that utilizes technology to run their business, will help you be as prepared as possible. This step ensures your IRP meets the specific needs of your business.

#6. User Awareness & Training
Define what information you need to give employees about your security policies and how you will share it. Security awareness training helps your team understand those policies and explains how to follow them to protect the organization; it should also tell people how to report a suspected incident, since a user report is often the first signal that something is wrong.

#7. Cyber-Insurance Review
Conduct an annual review of your IRP and compare it with your current cyber-insurance policy. Clearly define who is responsible for managing the policy and what it covers, and verify that the plan aligns with that coverage. Many policies require notice to the insurer within a set window, and some name approved forensic or legal vendors, so those obligations belong in the plan's notification steps.

Why You Need an IRP

A robust incident response plan is crucial to the success of any institution's security policy. It sets measurable standards that can be tested in advance and then applied during a real incident, limiting the damage an incident can do before one happens. It gives your security team a clear path to follow should an incident occur, and it lets them refine that process after each incident so the plan is stronger the next time.

Data breaches can be extremely detrimental to organizations, costing both time and money to recover from. An incident response plan is meant to restore operations quickly and efficiently, saving crucial time during a security event.

How to Test Your IRP

Once you have a draft of your incident response plan, it is time to test it. A first step is to run a vulnerability scan across your whole network in search of gaps in your security coverage. The goal of this step is only to identify vulnerabilities, not to exploit them. When the scan is complete, compare the results with your IRP: for each class of weakness the report turns up (an exposed database, unpatched workstations, a weak web application), does the plan contain a scenario playbook for the incident that exploiting it would cause? If not, revise the IRP to include one.
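One way to make the "compare the results to your IRP" step mechanical, as an added example rather than code from the original article: the Python below parses a constructed scan export (the CSV layout is an assumption, not any real scanner's format), maps each finding's category to the scenario playbooks the IRP defines, and reports the categories no playbook covers, worst severity first. The playbook index and the category names are assumptions to be replaced with your own.

```python
import csv
import io
from collections import defaultdict

# Constructed scan export. The columns are an assumption for this example,
# not the output format of any particular scanner.
SCAN_EXPORT = """host,finding,severity,category
web-01,TLS 1.0 still enabled,medium,web-application
web-01,SQL injection in login form,high,web-application
fs-01,SMBv1 enabled,high,lateral-movement
mail-01,Open mail relay,medium,email
wks-17,Missing OS patches allowing remote code execution,critical,malware
db-02,Database port reachable from the internet,critical,data-exposure
db-02,Default administrative credentials,critical,data-exposure
"""

# Assumed IRP playbook index: each scenario lists the finding categories
# whose exploitation it is written to handle.
IRP_PLAYBOOKS = {
    "Ransomware / malware outbreak": {"malware", "lateral-movement"},
    "Phishing and business e-mail compromise": {"email"},
    "Web application compromise": {"web-application"},
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def parse_findings(export_text: str) -> list:
    """Read the CSV export into dicts, rejecting rows with an unknown severity."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} on {row['host']}")
        findings.append(row)
    return findings


def coverage_report(findings, playbooks):
    """Return (covered, gaps).

    covered: playbook name -> findings that playbook is responsible for.
    gaps:    category with no playbook -> its findings, ordered worst severity first.
    """
    category_to_playbook = {}
    for name, categories in playbooks.items():
        for category in categories:
            if category in category_to_playbook:
                raise ValueError(f"category {category!r} is claimed by two playbooks")
            category_to_playbook[category] = name

    covered = defaultdict(list)
    gaps = defaultdict(list)
    for finding in findings:
        playbook = category_to_playbook.get(finding["category"])
        if playbook is None:
            gaps[finding["category"]].append(finding)
        else:
            covered[playbook].append(finding)

    def worst(rows):
        return max(SEVERITY_RANK[r["severity"]] for r in rows)

    ordered_gaps = dict(sorted(gaps.items(), key=lambda kv: worst(kv[1]), reverse=True))
    return dict(covered), ordered_gaps


if __name__ == "__main__":
    covered, gaps = coverage_report(parse_findings(SCAN_EXPORT), IRP_PLAYBOOKS)
    for name, rows in covered.items():
        print(f"{name}: {len(rows)} finding(s) in scope")
    for category, rows in gaps.items():
        details = "; ".join(f"{r['host']} {r['finding']} ({r['severity']})" for r in rows)
        print(f"NO PLAYBOOK for {category!r}: {details}")
```

Run against the constructed export, the only uncovered category is data-exposure, which is exactly the kind of result that should trigger a new scenario (here, a database compromise playbook) under component #5 rather than a scanner ticket alone.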

Another important part of testing your IRP is to run simulated attacks against your network. These range from a tabletop exercise, where the team walks through a scenario on paper, to a live red-team engagement, and they gauge both how effective the documented steps are and how well your team can follow them under pressure. After the test, meet with everyone involved in the response for a post-mortem on what worked and what should be improved for next time. This type of exercise should be conducted annually at a minimum.


Does your company have an updated Incident Response Plan? Download a copy of our Incident Response Plan template today to determine if your IRP can stand up to today’s cyber challenges.
