The incident response plan you never knew you had

Five strategies to give your incident response plan a head start by using key components of the existing business continuity plan (BCP).

Computer incidents today are a far cry from those of the past. Computer incidents involving data breaches can now take down businesses and leadership in much the same way as, or to a greater degree than, an earthquake or fire can destroy a company through a physical business outage. Data breaches such as the one at Target have shown that the ability to recognize an incident quickly and escalate it to the appropriate leadership is a critical business competency.

Instead of reinventing the wheel, why not leverage the existing business continuity plan (BCP) to build the computer incident response plan (CIRP)? The business continuity plan is in all likelihood already in place and may already have had some measure of review and exercise. By leveraging important elements of the existing BCP and its resources, the security team can jump-start the CIRP and obtain a faster and more responsive organization.


Here are five strategies to give you a head start in putting together your incident response plan by using built-in and existing components of the BCP.

1. Use the existing business recovery structure and organization

The existing BCP usually has a well-laid-out management and reporting structure that is activated during an outage. Rather than creating a separate reporting and management structure for the CIRP, try to use the existing BCP structure where possible. In smaller to midsize organizations, where leadership wears many hats, it is quite possible that you will find 75 percent or greater overlap between the management response team for the CIRP and that of the BCP.

The leadership team that is usually pulled in for a business continuity incident will most likely consist of the same senior management that would be required to weigh in on a computer-related incident. I would combine the leadership teams from both plans into a single leadership team that is common to both the business continuity and computer incident response plans. For example, in the event of a computer incident the internal audit team will need to be in the loop, but in a business continuity incident that may not be the case. On the other hand, in a business continuity incident the physical security team will definitely need to be in the loop, but not necessarily the audit team. A common leadership team, however, can include leaders from both the audit and physical security teams, who can be brought in as needed for the incident response.

2. Combine roles and responsibilities

The business recovery coordinator is the central figure around whom the response to a business outage revolves. The incident response manager plays a similar role in the CIRP. In addition, the business continuity manager will often report to the information security team. Instead of having one coordinator for business continuity and a separate coordinator/manager for computer incident response, consider using the same role and the same business continuity person for both.

3. Reuse processes

The methods for triggering the response and for communicating with the leadership team will also have much in common. For example, the role and process of the incident response manager, to triage, determine the initial incident severity and escalate, can be similar in both the BCP and the CIRP.

4. Common contact information

The BCP usually has well-defined call trees and organization hierarchies with contact information already identified. In many cases this information is kept up to date. Leverage this information and reference the BCP contact information from the CIRP, rather than trying to maintain a separate, parallel system.

5. Combine exercises

The BCP program usually has an annual exercise in which either a tabletop simulation or an actual exercise is attempted. The usual scenarios are fire, power outages, earthquakes, etc. Consider combining the annual BCP exercise with a CIRP exercise, using a data-breach incident or a crypto-locker takedown as the exercise scenario. Using a computer-related incident shows upper management the importance of a computer-related outage or breach and builds awareness that the scale of a computer-related incident can rival and surpass that of a traditional physical security outage.

The extent of the overlap between the business continuity plan and the computer incident response plan can vary widely. For some organizations it may make good business sense to combine the two entirely into a single incident response plan. For others, depending on the regulatory environment, it might be better to keep the two plans separate but combine elements where possible.


At the end of the day, the business continuity plan and the computer incident response plan both require that a manager be defined, that a process for leadership decision making and communication be established, and that appropriate teams and resources be brought in for remediation and recovery. In both cases the onus is on speed of decision making and fast response. Having a single team that is trained and aware of its roles is far more efficient than multiple teams and documents that require additional overhead.


Stories by George Viegas
