Organizations have realized that there is no silver bullet to stop rapidly evolving cybersecurity attacks. However, many have continued to struggle for years with finding the appropriate information and scope to be able to build an IR plan that works just right for their organization. For those that have an IR plan in place, most are underdeveloped and underfunded, and as a result fall short in terms of effectiveness when an incident actually takes place. Anton Chuvakin sums this point up nicely on the Gartner Blog Network:

“This advice — to create an IR plan, now nearly a quarter of a century old — is certainly not heeded by all organizations; organizations continue to struggle with the right amount of information and the right scope of their incident response plans. […] Furthermore, the ‘aha’ moment for many organizations is in drawing the line between ‘doing the planning’ and ‘having a plan.’”*

Irrespective of the size of organization, having a comprehensive approach to incident response is crucial to survive the attack and to reduce the impact and costs of recovery. Most importantly, the IR plan should be practical enough for your organization to act rapidly and effectively in the event of a compromise.

An effective incident response plan should:

1. Be simple but accurate

The IR plan should be clear, simple and guide the incident response team to make a rapid and detailed determination of the who, what, how, when, and why. The plan should also provide accurate guidance so that the organization can determine the system and data under attack and take actions to preserve critical assets.

2. Have detailed roles and responsibilities

Clearly lay out the roles and responsibilities of all the stakeholders. Businesses, and in particular each individual employee, must have a clear idea of their tasks to complete in the case of an incident, and appropriate actions must be carried out to mitigate the impact and protect loss of sensitive data.

3. Bring together technical and non-technical teams

The IR plan should not be confined just to the IT or security department. The IR plan is effective only if both the technical and non-technical teams – such as Legal, Compliance, Human Resources, Public Affairs, etc – are committed and take part in the execution of the IR plan. Take time to develop relationships with internal and external stakeholders who may be able to help the organization respond to a serious incident.

4. Provide a classification framework

Create an incident classification framework so that you can properly prioritize the incident response activities. Classification will also help you derive meaningful metrics such as type, severity, attack vector, impact, and root cause for future remediation purposes.

5. Understand the organization's priority

Lastly, the IR plan should align with your organizational priorities. Determine what matters most for your organization and weave those priorities into your IR activities. For example, if your mission critical medical devices are under attack, ensuring patients’ safety is your top priority. If you are manufacturer and your manufacturing process is interrupted, then restoring operations is your top priority.

*Source: Gartner, Inc., How to Plan and Execute Modern Security Incident Response, Anton Chuvakin and Augusto Barros, April 7, 2016.

Read more in our Field Guide to Incident Response Series

1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
2. The Do’s and Don’ts of Incident Response
3. Building Your Incident Response Team: Key Roles and Responsibilities
4. Creating an Incident Response Classification Framework
5. The Five Steps of Incident Response
6. 3 Tips to Make Incident Response More Effective
7. Using Existing Tools to Facilitate Incident Response
8. Learning From a Security Incident: A Post-Mortem Checklist