
Six Steps to Building a Successful Incident Response Plan


Security incidents cost enterprises around the world billions of dollars each year, and a disproportionate share of that cost is borne by companies based in the United States. Because companies of all sizes can fall victim to data breaches, they need to be able to act quickly and restore normal operations in the immediate aftermath of an incident. That action is far more effective when an incident response plan is already in place.

What is an Incident Response Plan (IRP)?

Enterprises can have response plans for a wide variety of crises. For example, a plan may need to be activated if a serious weather event threatens a network operations center; this falls under business continuity planning, which aims to restore and maintain delivery of crucial services when unforeseen circumstances strike. Another type of plan manages the loss or departure of key personnel; this is called succession planning.

When it comes to cybersecurity, however, an incident response plan refers specifically to how a business protects its assets, limits the scope of damage, determines root causes, and applies lessons learned in the immediate aftermath of a security incident such as a data breach. Whether the threat actor is a human intruder or a piece of malicious software, it is crucial that security staff be prepared to act quickly: the sooner the plan is activated, the shorter the attacker's time on the network and the more limited the business repercussions. Building a successful IRP includes the following steps:

Step One: Select an Enterprise Sponsor and Develop Risk Assessments

A good incident response plan is developed many months before it is actually put to use. Before such a large, strategic plan can be put in place, someone must be selected to oversee the process and report to company executives or the board. This is typically an executive sponsor, such as the Chief Information Officer or Chief Technology Officer. Though that person may delegate many specific tasks in the IRP, it is vital that they remain aware of progress and champion the value of the IRP to other top-level stakeholders.

Once leadership has been selected at the strategic and tactical levels, a team of appropriate experts should develop risk assessments. Some security organizations have a risk officer who can accelerate the process. Risk assessment begins with identifying the sensitive data the enterprise controls, where it is stored, how it is protected, and what it is worth. Once crucial assets have been cataloged, the threats to each asset, and the likelihood and impact of each, can be evaluated. The evaluation should also cover risks that arise from the loss of high-value equipment or the absence of key personnel.

Step Two: Develop “Quick Response” Procedures for Key Threats

Once the most likely threats have been identified, the IT team should work cross-functionally to define the procedures to follow if those threats materialize. Each member of the team must know when to act and what to do, including which configuration changes to make (for example, blocking an indicator at the firewall or disabling a compromised account), when to escalate, and when external communications are required. The goal is a team that reacts quickly to a threat and minimizes the time in which it is active.

Not all threats can be managed at the tactical level. Feedback mechanisms should be in place so that more senior personnel can make strategic decisions as a threat unfolds, such as isolating network segments that may be under attack or suspending network services to limit the attack's scope or duration. Such decisions should be accompanied by a communication plan so that stakeholders in other divisions who rely on the affected resources can take whatever steps are necessary to limit damage on their side.

Step Three: Maintain Effective Relationships and Service Level Agreements (SLAs)

In many circumstances it will be necessary to engage parties outside the organization once the immediate network threat has passed. Depending on its type, scale, duration, and the assets affected, a data breach may also constitute a federal crime, so senior team members should understand when to contact law enforcement at the local, state, and federal levels. Enterprises in compliance-focused industries may also have regulatory bodies or client companies that must be notified in the event of a breach, frequently within a fixed notification deadline.

Large enterprises may have access to a wide range of external consultants that provide incident response and breach remediation services. Clear, comprehensive SLAs should be in place with these organizations well before they are needed, so that a call placed during an incident is answered within an agreed time rather than negotiated on the spot. The legal team should review the SLAs to ensure the agreements are binding and that external partners are held to high standards.

Step Four: Document and Clarify All Emergency Response Standards

Even the best plan is ineffective if nobody knows its details. During a serious incident every minute counts, and everyone needs to be able to work together effectively. Documentation is only the first step in producing that teamwork, but it is a fundamental one. All emergency response processes and protocols should be centralized in a single comprehensive resource, with specific requirements broken out by seniority and functional area. Because a security incident can make the standard knowledge base inaccessible (for example, when systems are taken offline during containment), keep printed or otherwise offline copies of the handbook and its contact lists, and update them periodically.

Step Five: Align Training with Emergency Response Standards

As soon as IRP protocols have been defined, all team members should understand their responsibilities. Company-wide training should include plans to refresh teams on the IRP as the standards evolve. Although IT and related functional areas naturally bear the most responsibility in a crisis, many devastating network incidents can be avoided if everyone in the organization understands basic information security matters such as phishing. Phishing emails are messages in which attackers impersonate a trusted organization or person in order to obtain credentials or other sensitive information, or to get the recipient to open a malicious link or attachment. They cause hundreds of millions of dollars in damages annually and are typically aimed at non-technical staff, which is why awareness training must reach the whole organization.

Step Six: Run Simulations to Accelerate Real-World Crisis Response

Documentation and training are essential, but the competencies they build must be exercised under realistic conditions to remain sharp. Many leading enterprises use tabletop exercises and simulated attacks (war games) to test the effectiveness of their incident response plan and how closely each team follows it under duress. Although these activities can be somewhat disruptive, they are crucial for refining crisis response processes so that they account for unusual and unexpected factors. Such simulations should be planned well in advance, with key stakeholders aware of the timeframe. To maximize the impact on future performance, systems should be in place to capture operational data during the exercise (who was notified when, how long each decision took, what was done to the affected systems) so that a clear picture of what went right and wrong can be assembled afterwards.
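The following Python script is an added example and is not part of the original article. It takes a constructed, timestamped incident timeline of the kind a scribe records during a war game or a real incident, measures how long each response phase took (detection to triage, escalation, containment, partner engagement, eradication and recovery), and compares each against a hypothetical target of the sort that Step Two's playbooks and Step Three's partner SLAs would define. The event names, timestamps, hostnames and target durations are all assumptions for the example; a real plan would substitute its own.

```python
"""Incident timeline metrics for an after-action review.

Added example, not code from the original article. Reads a timestamped event
log (constructed below), derives the elapsed time of each response phase and
compares it against a hypothetical playbook or SLA target, so a review can see
which phases were late and which never happened at all.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample timeline, one event per line: "ISO-8601 timestamp|event|note".
# The workstation name and the notes are invented for the example.
SAMPLE_TIMELINE = """\
2024-03-05T09:02:00|detected|EDR alert: credential dumping on workstation WS-17
2024-03-05T09:31:00|triaged|Tier 1 confirms true positive, opens incident ticket
2024-03-05T09:40:00|escalated|IR lead paged, CISO notified per playbook
2024-03-05T11:55:00|contained|Host isolated, compromised account disabled
2024-03-05T16:10:00|partner_engaged|Forensics retainer activated
2024-03-06T10:00:00|eradicated|Malware removed, credentials rotated
"""

# Hypothetical targets: phase -> (start event, end event, maximum elapsed time).
# These durations are assumptions for the example, not figures from the article.
PHASE_TARGETS: dict[str, tuple[str, str, timedelta]] = {
    "triage":       ("detected",  "triaged",         timedelta(minutes=30)),
    "escalation":   ("detected",  "escalated",       timedelta(hours=1)),
    "containment":  ("detected",  "contained",       timedelta(hours=4)),
    "partner SLA":  ("escalated", "partner_engaged", timedelta(hours=4)),
    "eradication":  ("detected",  "eradicated",      timedelta(hours=48)),
    "recovery":     ("detected",  "recovered",       timedelta(hours=72)),
}


@dataclass
class PhaseResult:
    phase: str
    elapsed: Optional[timedelta]  # None when the phase never completed
    target: timedelta
    status: str                   # "met", "missed", "not reached" or "inconsistent"


def parse_timeline(text: str) -> dict[str, datetime]:
    """Return the timestamp of the first occurrence of each event name.

    Blank lines are ignored. Any other line without the three pipe-separated
    fields is an error: silently dropping an event would make a missed phase
    look like one that was never reached.
    """
    events: dict[str, datetime] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'timestamp|event|note', got {raw!r}")
        stamp, event, _note = parts
        events.setdefault(event.strip(), datetime.fromisoformat(stamp.strip()))
    return events


def evaluate(events: dict[str, datetime],
             targets: dict[str, tuple[str, str, timedelta]] = PHASE_TARGETS) -> list[PhaseResult]:
    """Compare each phase's elapsed time against its target."""
    results: list[PhaseResult] = []
    for phase, (start, end, target) in targets.items():
        if start not in events or end not in events:
            results.append(PhaseResult(phase, None, target, "not reached"))
            continue
        elapsed = events[end] - events[start]
        if elapsed < timedelta(0):
            status = "inconsistent"  # end logged before start: a scribe error worth reviewing
        elif elapsed <= target:
            status = "met"
        else:
            status = "missed"
        results.append(PhaseResult(phase, elapsed, target, status))
    return results


def report(results: list[PhaseResult]) -> str:
    """Render the results as a plain-text table for the after-action review."""
    lines = [f"{'phase':<12} {'elapsed':>16} {'target':>16}  status"]
    for r in results:
        elapsed = "-" if r.elapsed is None else str(r.elapsed)
        lines.append(f"{r.phase:<12} {elapsed:>16} {str(r.target):>16}  {r.status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(evaluate(parse_timeline(SAMPLE_TIMELINE))))
```

Running the script prints one row per phase. With the sample data, the partner SLA shows "missed" (the retainer was activated six and a half hours after escalation against a four-hour target) and recovery shows "not reached" because no recovered event was ever logged; both are exactly the kind of finding a simulation should surface before a real incident does.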

Learn More

As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their places of work and their communities.

At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Cybersecurity, have made our comprehensive curriculum available to more students than ever before.

Norwich University has been designated as a Center for Academic Excellence in Cyber Defense Education by the National Security Agency and Department of Homeland Security. Through your program, you can choose from the five concentrations that are uniquely designed to provide an in-depth examination of policies, procedures, and overall structure of an information assurance program.

Recommended Reading

Critical Infrastructure Sectors Protection Practices
Career Outlook: Computer Network Architect
5 Steps for Conducting Computer Forensics Investigations

