Building an Effective Incident Response Plan

When it comes to incident response and a company’s ability to manage a data breach, no organization can afford to be caught off guard. The effects of an uncontrolled and poorly managed data breach can be catastrophic to businesses of all sizes, not to mention the public relations nightmare and subsequent liability that can ensue when an organization drops the ball in the wake of a cyber-attack.

The best way to prepare for a data breach is therefore to have an effective, company-sanctioned incident response plan in place. An incident response plan most often fails for one of the following reasons:

  1. Reality versus plan – it does not accurately or realistically address how the organization handles security incidents in real time.
  2. Lack of regular testing procedures – every incident response plan needs the right tests and a tabletop exercise plan in place so that its effectiveness can be evaluated.
  3. Lack of clear communication and process protocols in the incident response plan – if the plan does not have accurate information on who to contact and what to do, it will not be effective in the hour of need.

Finally, if a plan falls short of considering the totality of the circumstances surrounding an actual incident, threats may linger and cause further damage after an organization has remediated and feels in the clear.

The fundamental elements of a comprehensive incident response plan can be summarized as the 5 W’s:

  • Who: An established framework of key personnel responsible for investigating and responding to an incident.
  • When: At what point during a suspected incident are key personnel alerted to the potential breach, and when is the matter escalated to the appropriate parties?
  • What: Clearly delineate the approved resources available to team members both inside and outside the organization.
  • Where: Implement an evidentiary data collection system to record details of the incident process, where the incident occurred, and what parts of the organization have been affected.
  • Why: Learn from past events. Take the information log described above and use it to analyze and prepare for future attacks; have a process in place to understand where the organization’s vulnerabilities are and why an attacker targeted specific resources.

Top 10 Steps to an effective incident response plan

Coming up with a company-wide incident response plan doesn’t mean an organization is preparing for or expecting its IT team to fail – it means the organization is being realistic in a climate where data breaches are not a matter of “if,” but “when.” Organizations are encouraged to follow these Top 10 steps in drafting an effective security incident response plan.

  1. Form a dedicated incident response team. Assign a specific group to lead response efforts and keep key company officials abreast of any situations. Be sure that the team represents organization-wide interests and responsibilities.
  2. Have clear guidelines for internal incident communications. Direct employees in properly escalating incidents based on specific protocols and timelines.
  3. Establish an incident journal where the IR team can monitor and record evidence and information regarding the incident events.
  4. Establish and enable effective communication channels within the IR teams during the breach, as time is of the essence during response.
  5. Consider liability and how and when to incorporate the legal team while an incident unfolds.
  6. Establish clear communication protocols for public relations and keep customers informed as to whether they have been affected.
  7. Disseminate all pertinent internal contact information so that company employees know who to call and where to direct their concerns.
  8. If the company outsources its IT, compile a list of appropriate, preapproved contacts that employees can turn to in an emergency.
  9. Conduct tabletop exercises (simulations) in realistic scenarios to fully understand how different elements of the plan will play out, and how effective they will be. Update the plan with the findings where needed.
  10. Conduct regular employee training and information sessions to keep your team on the same page regarding company policies. Regular company briefings help keep key personnel abreast of any new or evolving security threats that they are required to handle according to the company incident response plan.


While no organization can predict every potential attack that may come its way, a thoroughly prepared organization will suffer much less fallout when a comprehensive incident response plan is adopted and in place.

Putting all these pieces together before an incident occurs will help keep an organization up and running during attacks, before they lead to data disasters and a public relations nightmare.
