
What Is an Incident Response Policy and How to Create One

An incident response policy is a detailed document that specifies how an organization prepares itself for cybersecurity incidents. It defines the organization’s approach and strategy to incident response, the resources allocated to it, who in the organization is responsible for it, the relevant tools and resources, and how to implement an incident response operation in the company.

Part of an incident response policy is a detailed plan outlining how incident responders should detect, contain, and eradicate cyber threats, known as an incident response plan.


Incident Response Policy Purpose and Scope

An incident response policy mandates the incident response activities carried out by an organization. A framework is necessary to ensure the organization can implement the appropriate response quickly and decisively. 

The incident response policy applies to all responses to security incidents originating from, directed toward, or otherwise affecting the organization. The Cyber Incident Response Team (CIRT) manages incidents under the policy. 

The incident response policy is a precursor to an incident response plan that outlines the organization’s processes and procedures for responding to security incidents. Response procedures may include performing event triage, identifying escalation paths, containing incidents, eradicating threats, preserving evidence, and notifying the relevant parties. The incident response plan defines which CIRT members are responsible for each activity, assigns resources, and specifies the capabilities of third-party solutions or services.

If the CIRT identifies an event as a security incident requiring further attention, the organization must notify the relevant stakeholders. The incident response policy should specify who requires notification, while the incident response plan defines how the organization notifies them. Incident escalation procedures must include notifying all individuals involved in the incident response effort. The CIRT is responsible for informing stakeholders when escalating an incident and regularly communicating the response progress.

What should an incident response plan contain?

An organization’s incident response plan should define methods for triaging the impacted systems. These processes must enable the organization to determine the scope and impact of events from the business and technical perspectives. Organizations should incorporate industry standards and best practices in their incident response plans, including regulatory and legal requirements regarding security and communication. 

The plan should include all potential response strategies based on impact risk for various incidents. An effective incident response plan addresses short-term mitigation and containment in addition to long-term recovery and remediation. The short- and long-term strategies should serve as a roadmap during a security incident.

What should happen post-response?

After attending to an incident, the CIRT should submit to the cybersecurity committee a report that summarizes the incident, provides metrics to measure impact and response, and offers long-term recovery recommendations.

Organizations should regularly test their incident response capabilities with tabletop exercises and simulations. Incident response capability testing should occur after incidents and when organizations change their processes or environments. 

The plan must stipulate systematic review processes and incorporate lessons learned during a test or incident. The cybersecurity committee must approve any updates to the incident response plan, and relevant stakeholders must be aware of changes.

Organizations should provide their CIRT with regular training, in addition to specialized training for new technologies and other significant organizational changes. Everyone using an organization’s information systems should receive incident reporting training.

Steps for Creating an Incident Response Policy

A properly formulated incident response policy is essential for ensuring effective response. Organizations can use the following steps to create a clear, comprehensive policy: 

Evaluating the Existing Situation

Organizations must first evaluate their assets and resources and determine which ones require protection. This evaluation should consider the vulnerability level of each asset and the appropriate mitigation and remediation methods. It involves taking inventory of all company assets and prioritizing them based on value, privacy requirements, and risk level. 

Organizations should evaluate their existing security measures, clarify who is responsible for implementing the response, and identify gaps to address in the incident response plan. 

Establishing the Incident Response Team

The evaluation should identify the expertise required to address security risks. Organizations can leverage existing personnel or hire new staff with the required skills to enforce the incident response policy. In some cases, organizations might outsource response tasks.

The incident response team is responsible for determining the procedures for responding to an incident, implementing these procedures, and evaluating their effectiveness in the aftermath of an incident. The team initiates the incident response process and conducts periodic audits. Everyone in the team must understand their responsibilities and adapt to policy changes. 

Creating the Incident Response Plan

Before creating the incident response plan (IRP), it is often necessary to take preventative measures to ensure the plan’s stipulations match an organization’s existing capabilities and tooling. The best plans reduce the chance of an incident occurring in the first place, with response measures as the last line of defense.

The plan should define the criteria for identifying incidents, which the organization can incorporate as rules in their security monitoring and management tools. It should also include explicit guidelines for determining incident priority based on potential impact.

An IRP should contain these elements:

  • Prevention: establishing preventative security tools and policies.
  • Detection: determining how systems and tools can detect incidents and notify the relevant team members.
  • Analysis: locating data logs and determining the scope of analysis required before implementing the response.
  • Neutralization: containing and eradicating threats.
  • Recovery: measuring the damage and restoring systems and data in the specified order.
  • Evaluation: measuring the effectiveness of the response for future improvement.

The plan must clearly define the actions and responsible team members to ensure everyone is prepared to act immediately to respond to an incident. The plan should be published and easily accessible with multiple digital and physical copies. Incident response drills can also help teams prepare for real incidents, ensuring they perform better.
