Incident Response Management: What Is It and How to Implement It

May 19, 2015 at 9:20 AM

An Incident Response Program is an aggregate of processes designed to minimize the impact of security incidents. The program is like a fire extinguisher case on the wall in a high school chemistry lab. It contains all of the components, including detailed instructions, for how to contain a fire before it burns the whole building down. You can, technically, get by without the fire extinguisher; the bucket brigade is always an option. This is especially true if you’re not concerned with anything resembling professional dignity. An effective incident response program saves time and money when security incidents happen – so let’s talk about how to build one.

Like any great concept, an incident response program consists of four key elements (Beatles, four-leaf clovers, Kit-Kat bars – there’s a whole other article here). Let’s start by examining these elements. An incident response program includes a policy, a plan, specific response procedures, and a team. In practice these elements can be merged, realigned, or repurposed to meet the needs of your organization; so long as each element exists functionally within the organization’s process, this should not materially impact the effectiveness of your program.

The Policy

The incident response policy provides an outline of the incident response objectives and scope for the organization, including a formal definition of how the organization defines a security incident. Additionally, the policy defines the roles and responsibilities of the incident response team members and lays out regular training and testing activities.

The Plan

The high-level steps of the incident response process are documented in the incident response plan. In general, the plan steps define the processes for preparing for, identifying, containing, eradicating, recovering from, and learning from incidents. Again, the key is not to make sure that your plan includes all of these steps, but rather that your plan appropriately matches how your organization ideally responds to security incidents.

The Procedures

Most people prefer to have an organized set of step-by-step instructions in the case of an emergency. In order to bring anything resembling order to an incident response situation, we need procedures to provide those step-by-step instructions. The key to maintaining your sanity is to acknowledge that the procedures won’t always be perfect and that incidents will not always present themselves the same way twice. However, the process of developing and repurposing these procedures will save both time and money in the long run. Procedures should be both dynamic and utilitarian. Focus on tangible steps or clear flow charts to ensure that the procedure becomes a usable asset and not a point of contention during incident response activities. As part of the lessons learned, highlight the reusable portions of the procedures that can be applied to other situations.

The Team

If we begin to think about incident response as a contest, with winners and losers, then we can easily understand the importance of the incident response team within the program itself. Incident response teams should be properly prepared and trained with respect to the response plan, the associated procedures, and the critical technical facets of the environment. Any technical or functional limitations of the team should be identified as part of the preparation and training process. It is okay for the team to have limitations; the key is to acknowledge them and to address them. Limitations or knowledge gaps may be addressed by providing additional training or by identifying additional internal or external subject matter experts who can be leaned on during response efforts.

The most efficient incident response teams include representation from each functional domain of the organization. It is important to understand that not all team members will be intimately involved in every incident response effort. For instance, it is a common practice to include a member of human resources as part of the incident response team. The human resources role is typically to provide guidance during incidents where there is an impact to employees. If an incident occurs that has no impact to employees, then human resources would play a reduced role in the response.

An effective incident response plan is not built through a one-shot deployment of the elements in the program. Rather, it is an iterative exercise that requires continuous modification and improvement efforts. Over time each of the elements of the program will mature as the organization moves from a reactive posture in response to security incidents to a proactive posture that is well tuned to adapt to unique and challenging incidents. Contact us for more information on developing incident response programs!