NEWSLETTER

Incident Response - Policy and Planning

Steve Macmillan

An incident response policy and an incident response plan are critical components of an organisation’s cyber security framework; whilst they serve distinct purposes, they are interlinked.

The incident response policy is a high-level document that outlines the organisation’s approach to handling cyber security incidents. It establishes the guiding principles, objectives, and overall framework for incident response.

The incident response policy should include:

Scope and Purpose: Defining the types of incidents covered and the rationale for having an incident response strategy.

Roles and Responsibilities: Specifying the roles of team members, including management, IT staff, and external partners.

Governance and Compliance: Ensuring that the incident response aligns with regulatory requirements and industry standards.

Objectives: Communicating the goals of incident response, such as minimising impact, protecting assets, and ensuring business continuity.

Commitment to Improvement: Emphasising the importance of learning from incidents to improve future responses.

The incident response plan is a detailed, tactical document that provides specific procedures for responding to information security incidents. It operationalises the policy by outlining step-by-step actions to take when an incident occurs. These incidents can vary from data breaches and malware attacks to system outages and general endpoint security issues.

The incident response plan should include these key elements:

Identification: Procedures for detecting and confirming incidents.

Containment: Strategies to limit the damage and prevent further impact.

Eradication: Steps to eliminate the cause of the incident.

Recovery: Guidelines for restoring affected systems and services.

Post-Incident Analysis: Processes for reviewing the incident and refining response strategies.

A well-structured incident response plan enables organisations to react promptly and efficiently, minimising the impact of such incidents and preventing further harm through effective incident remediation. It goes beyond quick fixes, emphasising strategic and informed actions that safeguard company operations, financial health, and reputation.

Linkages between policy and plan

The incident response policy serves as the foundation for the incident response plan. The policy sets the tone and direction for how incidents will be handled, while the plan provides the actionable steps necessary to execute that vision. The objectives outlined in the policy guide the development of the plan, ensuring that specific actions align with the organisation’s overall incident response strategy.

Roles and responsibilities are defined in the policy at a strategic level, whilst the plan elaborates on these roles in practical terms. For example, the policy might assign a team leader, while the plan specifies what that leader is responsible for during an incident.

An incident response policy ensures that the incident response plan adheres to legal, regulatory, and industry standards. It acts as a reminder that all response actions must comply with these external requirements, fostering accountability and due diligence.

Both policy and plan documents should emphasise the importance of learning from past incidents. The policy encourages a culture of improvement, whilst the plan includes specific post-incident review processes to analyse response effectiveness and implement lessons learned.

The policy should also outline the importance of training and awareness, which is essential for the successful execution of the plan. A well-informed team is better equipped to effectively follow the procedures laid out in the plan.

Is your organisation well enough prepared to deal with an incident?

An increasing number of organisations have taken steps to try to improve their ability to deal with a cyber security incident. However, many organisations have not properly evaluated their effectiveness or capabilities. Having a documented policy and plan is great, but it’s not enough.

Scenario testing confirms that the designated roles and responsibilities of your incident response team are appropriate and well defined, and it helps team members understand and internalise the actions they need to take during a security breach. Testing and practice build the confidence of team members, enabling them to handle high-pressure situations more competently when they arise, and provide real-world experience of managing triage and escalation processes.

In summary, whilst the incident response policy provides the overarching principles and goals for handling incidents, the incident response plan translates those principles into concrete actions and procedures. Together, they form a cohesive strategy that enhances an organisation’s ability to effectively manage cyber security incidents.

Policy Management as a Service delivers Incident Response policy and procedural content that can be tailored to your environment.


PROTOCOL POLICY SYSTEMS
