An Incident Response Plan is used when there is a cyber attack on a company or corporation. This is typically used right after the discovery of the attack so that the company can get back to normal operations as quickly as possible. Here are 6 steps to an effective incident response plan.
1. Assemble your team
The first step when assembling your Incident Response team is to appoint a team leader who will handle all communication and decision making with management. This way decisions can be made quickly and efficiently. The team should consist of security professionals plus communications and legal staff, so that it can plan both an internal response and a response to the public. Most breaches will require public notification, which is why the legal and communications staff are important.
2. Detect and ascertain the source
This team should go through internal systems to locate the cause of the breach and where it came from. The team can do this by auditing its systems for suspicious activity or by using anti-malware software to find malware.
3. Contain and recover
Once the cause of the breach is located, it needs to be contained so it can’t spread any further. The exact steps depend on what was used in the attack: they can involve shutting down network access for computers infected with malware, or disabling the accounts of insiders to prevent further access. Then the company needs to recover from the attack. Affected systems should be backed up (preserved as they are) for forensic examination later, and only then should the team use backup files to restore the affected systems to normal.
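As an added example that is not part of the original post, the script below puts steps 2 and 3 into working code. It audits a handful of constructed SSH-style authentication log lines for a classic suspicious pattern (several failed logins followed by a success from the same source), turns each finding into the containment actions described above (disable the account, isolate the host, block the source), and fingerprints the preserved evidence with SHA-256 so the forensic copy can be verified later. The hostnames, IP addresses, log lines and the failure threshold are all assumptions made for the example.

```python
"""Added example (not from the original post): detection and containment
helper for steps 2 and 3 of the incident response plan.

Scans constructed auth log lines for repeated failed logins followed by a
success from the same source, lists containment actions for each finding,
and hashes the preserved evidence. Hosts, IPs and the threshold are
illustrative assumptions."""
import hashlib
import re
from collections import defaultdict

# Constructed sample log lines in an OpenSSH-like format (not real data).
SAMPLE_LOG = """\
Mar 03 09:12:01 web01 sshd[2201]: Failed password for alice from 203.0.113.7 port 50211 ssh2
Mar 03 09:12:03 web01 sshd[2201]: Failed password for alice from 203.0.113.7 port 50212 ssh2
Mar 03 09:12:05 web01 sshd[2201]: Failed password for alice from 203.0.113.7 port 50213 ssh2
Mar 03 09:12:06 web01 sshd[2201]: Failed password for alice from 203.0.113.7 port 50214 ssh2
Mar 03 09:12:08 web01 sshd[2201]: Accepted password for alice from 203.0.113.7 port 50215 ssh2
Mar 03 09:30:44 web01 sshd[2310]: Accepted publickey for bob from 198.51.100.5 port 41022 ssh2
Mar 03 09:31:02 db01 sshd[7719]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 03 09:31:09 db01 sshd[7719]: Failed password for root from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

FAILED_THRESHOLD = 3  # assumed threshold; tune it to the environment's baseline


def parse_auth_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(events, threshold=FAILED_THRESHOLD):
    """Step 2: flag (host, user, ip) where >= threshold failures precede a success.

    Returns a sorted list of (host, user, ip, failures_before_success).
    """
    failures = defaultdict(int)
    findings = []
    for ev in events:
        key = (ev["host"], ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] += 1
        elif ev["result"] == "Accepted":
            if failures[key] >= threshold:
                findings.append(key + (failures[key],))
            failures[key] = 0  # a success ends the current burst either way
    return sorted(findings)


def containment_actions(findings):
    """Step 3: turn findings into the containment actions the post describes."""
    actions = []
    for host, user, ip, _ in findings:
        actions.append(f"disable account {user}")
        actions.append(f"isolate host {host} from the network")
        actions.append(f"block source {ip} at the perimeter")
    return sorted(set(actions))


def evidence_fingerprint(data):
    """Hash the preserved evidence so the forensic copy can be verified later."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    hits = find_suspicious_logins(evs)
    for h in hits:
        print("suspicious login:", h)
    for a in containment_actions(hits):
        print("action:", a)
    print("evidence sha256:", evidence_fingerprint(SAMPLE_LOG.encode()))
```

On the sample data only the alice/web01 burst is flagged: the two root failures on db01 stay below the threshold and never lead to a success, and bob's key-based login has no failures before it. Recording the evidence hash before restoring from backup is what lets the later forensic examination (step 4) trust that the preserved copy was not altered.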
4. Assess the damage and severity
This next step is to assess how bad the attack was once it has been patched up and fixed. This is the time to look at the cause of the event and to figure out how it happened. It is important to determine which prevention mechanisms worked and which failed. When judging the severity of the attack, it is always better to err on the side of treating the event as more severe.
5. Begin notification process
Once the damage is assessed, the IR team must begin notifying customers and any applicable government agencies in accordance with the law. It is important to notify customers as soon as possible so that they can watch for attempts at identity theft. It also lets them know to change the passwords on any affected accounts as soon as possible.
6. Start to prevent the same style of attack in the future
This last step is preventing the same style of attack in the future. Now that someone has gotten into your system, it is important that they can’t get back in the same way. It would look bad if your company kept getting breached the same way because it didn’t learn from its mistakes. This is also an opportunity to look at security as a whole, and to find other potential vulnerabilities and preemptively fix them.
There is one thing I would change with this process. I would add, after step two, a step to notify customers about the breach. This is so that they know to change passwords and are made aware of the breach. This also allows them to take steps to protect themselves from this breach as much as possible. I would then keep the notification at step 5 with more information later on. I believe it is always important to keep customers informed on what is going on. It will let them know that you care about keeping their data secure and that you are taking this very seriously. It also allows you to get out ahead of the backlash from customers by notifying them immediately.
I got these steps from here.