Cybersecurity Response Plan


Companies use a Cybersecurity Response Plan to define and implement an operational framework that can detect, contain, investigate and report on cyber security incidents. 

The related Incident Response Plan identifies the company-wide incident management team. It also defines their roles, responsibilities and communication process for coordinated cybersecurity incident management.

Here is a brief overview of how to build a Cybersecurity Response Plan and what it should include.


Building the plan is done in three phases:

  • Discovery

  • Evaluation & Strategy

  • Implementation & Testing

In Discovery, you’ll need to gather:

  • Operational overview of the business

  • Key business technologies and data

  • Existing security measures

  • Operational policies, infrastructure documentation, organizational data

In the Evaluation & Strategy stage, you need to evaluate all the gathered data and use this to:

  • Identify risk levels

  • Build a response matrix

  • Identify key security team responsibilities

  • Create an incident response flow chart, including post-incident plan

The Implementation & Testing phase involves the whole organization, which will:

  • Approve the Cybersecurity Response Plan

  • Distribute the plan and train the organization

  • Review and test the plan in a controlled manner and conduct a post-test evaluation

  • Schedule recurring tests and reviews of the plan


The Cybersecurity Response Plan should contain the following sections:

  • Detection & Initial Response

  • Containment

  • Remediation

  • Resolution

Detection & Initial Response is where the training of the whole organization provides the highest value. Employees should be able to recognize that ‘something is wrong’ and know whom to contact. Once an event (not yet an incident) is identified, the technical team should be able to validate it and either classify the event as a non-incident or activate the response team to start Containment.

Containment. The team has to assess the damage, isolate the underlying issues, protect the organization’s systems from unauthorized access and initiate communication with all required parties (both internal and external).

Remediation. After containment, the next step is to repair any damage that has been done, restore all operations to their normal state and assess the overall impact of the incident.

Resolution. At this stage, the organization can review the incident, provide lessons learned and use those lessons to adjust the Cybersecurity Response Plan.