How to Create a Cybersecurity Incident Response Plan

Editor’s note: With the increased prevalence of ransomware and other cyberattacks, now is the time to take a moment to review your cyber response plan and examine the security of your key information security systems. Hyperproof has updated this popular article with fresh information to help cybersecurity professionals respond effectively to security incidents.  

Cybersecurity incidents are a fact of life for businesses now; in 2023 the United States alone suffered at least 3,200 data breaches, up from 1,800 in 2022. The total number of people affected was more than 350 million — and all of these statistics are just for the breaches we know about. 

Hackers today deploy a wide range of sophisticated technology and ever-changing tactics to steal valuable information from businesses. Businesses are struggling to fend off cyber threats, so much so that even organizations with strong security measures in place have experienced data breaches. 

Organizations need a better approach. They need a plan.

What is a cybersecurity incident response plan?

A Cybersecurity Incident Response Plan is a document that gives IT and cybersecurity professionals instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information. According to the National Institute of Standards and Technology (NIST), there are four phases to most effective incident response plans: Preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Why every business needs a cybersecurity incident response plan 

Most businesses need a cybersecurity incident response plan (CSIRP) because they are subject to some regulatory obligation that requires them to have such a plan. Every business needs such a plan because having one is just good business sense. 

For example, if your organization suffers a breach and you have no response plan, your security and management teams will scramble to understand and respond. They’ll be more likely to make expensive mistakes. They’ll need more time to respond to the breach, which potentially might give the attackers more time to do more damage. All that, in turn, will alienate employees and business partners who will wonder (quite reasonably) whether your management team knows what it’s doing.

Just as important, a thorough CSIRP guides you through your regulatory responsibilities after a breach. You might need to notify regulatory agencies of your breach within certain periods (72 hours, under the EU General Data Protection Regulation), or disclose certain details to the public (as required under rules from the Securities and Exchange Commission). Failing to meet those breach notification requirements could — and routinely does — lead to monetary penalties from regulators. 

Not having recorded evidence of a CSIRP will signal to auditors that you aren’t taking the prospect of a data breach seriously.

Moreover, some data privacy regulations such as the California Consumer Protection Act (CCPA) require an incident response plan. If you don’t have a CSIRP in place, you will be in violation of the CCPA. 

Other industry-led security frameworks also require organizations to have a CSIRP in place. For example, if you were pursuing ISO 27001 certification and didn’t have a CSIRP in place, you wouldn’t pass the audit. Annex A of ISO 27001 has a specific requirement for an information security incident response plan. So, unless you can give your auditor a reason why your business doesn’t need a CISPR in place, you have to have one to obtain the ISO 27001 certification.

Ultimately, whatever size your business is, whatever industry you work in, and wherever you are in terms of growth, you need to have a cyber incident response plan in place to keep your business safe and to help your business effectively recover from a security incident.

Related: How to Build a Strong Information Security Policy

Tips on how to write a cybersecurity incident response plan

The National Institute of Standards and Technology (NIST) provides four phases of an incident response plan: Preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. Recognizing that preparatory and post-incident activities are equally significant. In fact, NIST emphasizes both types of activities in their outline.  

1. Preparation

The key to an effective cybersecurity incident response plan (CSIRP) is to have one in place well before a breach occurs. The planning you do before a security incident occurs will help you respond to an incident as quickly and efficiently as possible. 

First, your plan needs to detail who is on the incident response team, their contact information, their role, and when team members need to be contacted. Each member of this group, from the CEO to the IT team members, needs to understand their place on the team and what they need to do in the event of a breach. They also need to recall the details within your CSIRP so that they can respond quickly when a security incident happens. NIST’s official Computer Security Incident Handling Guide gives you a comprehensive view of everything you need to determine before an incident happens. You might be surprised at how detailed the list is, but when a security incident is in progress, your team needs to be able to work as quickly as possible, and having to make a lot of decisions about how to handle a breach will slow them down. You also need to make sure you work productively and prevent choices that help hackers continue to exploit and infiltrate your systems. Pre-determining all of this information, along with regularly testing your CSIRP and doing drills with your team, will give you the best chance of shutting down an attack quickly and without further issues.

Incident prevention is the second part of the preparation phase. Hopefully, this isn’t news to you because you’ve already developed an information security policy to protect the sensitive information your business is being trusted with. However, the NIST still provides some recommendations for avoiding incidents, like regular risk assessments, host security, malware prevention, and more.

All information in your CSIRP should be kept in one place that is accessible to everyone on the incident response team, and it should be regularly updated as employees are added to and removed from the response team and as your business changes.

2. Detection and analysis

The detection and analysis phase in your CSIRP is triggered when an incident has just occurred and your organization needs to determine how to respond to it. 

Security incidents can originate from many different sources and it’s not practical, or even possible, to create a plan to respond to every type of security incident possible. NIST provides a list of some of the more common methods of attack that you can use as a starting point as you determine what steps to take in a security event. You should also consider what vulnerabilities your company has and how likely an attack on one of those vulnerabilities is and include those in your planning.

Additional resource: Understand the key steps of an IT security risk assessment. 

Security incidents can be detected in a few different ways. Signs of an incident are either precursors (detected before an event happens) or indicators (detected during or after an attack).

For example, you might notice a high number of failed login attempts and determine a hacker is attempting to guess a working username and password to penetrate your network (a precursor to a security incident). Or maybe your antivirus software alerts you when one of your employees has clicked on a malware link and it has infected their computer (an indicator that there is a security event already in progress). Ideally, you would be able to detect every attack before it happens, but that isn’t always possible. Planning your response ahead of time is the next best thing. 

Once you’ve determined that an incident is taking place, NIST has laid out a few ways to analyze and validate the incident to ensure you’re triggering the correct incident response. Your CSIRP should give directions for documenting the incident, however big or small, and prioritizing the response to the incident. Using the two examples above, your response to someone trying to log in to a network would be different from an infected computer, and if both were happening simultaneously, you would need to prioritize one over the other.

The final step in this phase is notification. Depending on what kind of information was affected, you may also need to notify certain parties such as law enforcement, the FTC, your customers, affected businesses, and others. You need to work with your legal and compliance teams to ensure you understand who needs to be notified and have a plan for notifying. If you don’t take the time to include this in your CSIRP, you risk running afoul of the state, federal, or international laws and creating additional issues for your business. CCPA and GDPR both require breach reporting, so you and your compliance team will have to help each other out there. Having an open communication channel with your compliance team is invaluable in many ways, especially when dealing with an incident.

3. Containment, eradication, and recovery

This phase is the heart of your CSIRP. Everything you do in response to an attack will revolve around containing the incident, eradicating the threat, and recovering from the attack. 

The NIST has provided a list of criteria you should consider when deciding on a containment strategy:

• Potential damage to and theft of resources 
• Need for evidence preservation 
• Service availability (e.g., network connectivity, services provided to external parties) 
• Time and resources needed to implement the strategy 
• Effectiveness of the strategy (e.g., partial containment, full containment) 
• Duration of the solution (e.g., an emergency workaround to be removed in four hours, a temporary workaround to be removed in two weeks, permanent solution).

While working through this phase, you should also gather as much evidence as possible about the attack and preserve it for internal and external use. You can also work towards identifying the attacking host, which can be time-consuming and even impossible in some scenarios. Your priority should always be to contain the incident as much as possible.

Eradication will involve different steps depending on what type of incident you’re experiencing. Essentially you will be eliminating whatever you need to in order to stop the attack, whether that means deleting malware, disabling breached accounts, closing vulnerabilities in your network, etc. 

The Federal Trade Commission provides some steps you can take to secure your operations and eradicate the threat to your data security, including consulting with a data forensics team, securing any physical areas related to the breach, fixing information that’s been improperly posted to your website, talking to the people who discovered the breach, and more. When you’re trying to lock down your security during or after a data breach, you don’t want to wing it. This is the biggest benefit of having a documented CSIRP: you will have all your bases covered and be much less likely to leave a vulnerability open during a breach.

Once you have eradicated the breach, you can begin the recovery phase. This includes making changes and updates to your cybersecurity incident response plan, addressing the vulnerability that enabled the security incident, and doing any training on the processes or procedures that employees need to know to prevent a similar event from happening again if that was part of the issue.

Eradication and recovery can take days, weeks, or months, depending on the size of the breach. NIST advocates for a phased approach, with the early phases increasing your overall security as quickly as possible and later phases focused on long-term changes and ongoing work to keep your organization safe.

4. Post-incident activities

After the incident has been stopped, security updates have been made, and your organization is back on track, your organization should take some time to debrief from the incident. 

• Reflect on what has happened and talk about how you can identify similar incidents in the future and stop them sooner. 
• Assess the severity and damage. It can be difficult to grasp the severity of an incident and the extent of damage it caused. In general, you’ll need to look at the cause of the incident. In cases where there was a successful external attacker or malicious insider, consider the event as more severe and respond accordingly.
• Revisit your plan and ask yourself and your team if anything would have made the plan more effective. 
• Begin the notification process. A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized person. Privacy laws such as the GDPR and the CCPA require public notification in the event of such a data breach. Notify affected parties so they can protect themselves from identity theft or other fallout from the disclosure of confidential personal or financial data.

NIST has also provided an in-depth list of questions, metrics, and recommendations for recovering from an incident that will help you guide your team in recovering from a security incident in a meaningful way and learning from it, and not just simply moving on with your work.

How often should you review your incident response plan?

You should review your security incident response plan at least annually to confirm that your business’ security measures are working as designed and are consistent with industry best practices and the pace of technology changes. Your incident response procedure needs to evolve when changes happen, including: 

• Complying with new applicable regulations, such as the GDPR
• Changes in data privacy and cybersecurity regulations by state, country, or industry
• Adoption new technologies 
• Changings in the structure of internal teams involved in security matters 
• New types of threats, such as a public health crisis cause organizations to adopt remote work
• A data breach at the company

As you conduct a review of your organization’s policies and procedures, always ask the following questions: 

• Are the procedures hard to follow? 
• Have you begun using new technologies or processes that have not yet been written into your response procedures?
• Does proper implementation of the policy and procedures require more employee training?

Cybersecurity incident response plan checklist

Before we wrap up, we wanted to leave you with a CSIRP checklist in seven steps:

1. Conduct an enterprise-wide risk assessment to identify the likelihood vs. severity of cyber risks in key areas. Make sure your risk assessment is current. 
2. Identify key team members and stakeholders. 
3. Define security incident types. Your plan should define what counts as an incident and who is in charge of activating that plan. 
4. Inventory resources and assets. 
5. Outline the sequence of information flow. Take a look at your assets. What are the steps that need to happen to kick off different processes?
6. Prepare a variety of public statements. Make sure you’ve got the appropriate data breach notification letters ready to go in advance to minimize reputational damage from security incidents. 

Prepare an incident event log. Keep track of all steps taken during and after a cybersecurity incident so that you could gauge the efficacy of your response and glean lessons. This account will also support your legal team and law enforcement both during and after threat detection.

Additional resource: Internal Controls and Data Security: How to Develop Controls That Meet Your Needs

Enhance your cybersecurity posture with an effective incident response plan

As cyberattacks become more sophisticated and frequent, it’s imperative for organizations to have a strategy in place that allows them to respond swiftly and effectively, thereby minimizing potential damage to their clients, operations, and brand reputation. Establishing a comprehensive plan is not only a testament to an organization’s commitment to maintaining a secure digital environment but also ensures adherence to regulatory standards, safeguarding sensitive data from potential breaches.

Utilizing tools like Hyperproof can significantly enhance the efficiency and effectiveness of creating, managing, and executing a cybersecurity incident response plan. With features designed to streamline compliance operations and manage crucial documentation, such as your incident response plan, information security policies, and necessary evidence files, Hyperproof positions organizations to respond with agility and confidence during an incident. Beyond just preparation, Hyperproof facilitates the rapid implementation of critical security and privacy frameworks, including SOC 2, ISO 27001, GDPR, reducing the administrative burden associated with compliance audits. 

Taking proactive steps to secure your organization’s digital presence through Hyperproof not only prepares you to better manage the challenges of a security incident but also equips you to emerge more resilient.

Request your demo of Hyperproof today and enhance your capabilities to protect against the dire consequences of data breaches and cyber threats.