Cyber Incident Response - The 5 Important Steps

This article sets out five principal steps, each framed as a question to ask when an emergency arises, that a cyber security incident response plan must answer: whether there really is an incident, who is in charge, the plan of action, communication, and the impact on the business.



Step 1 - Is there really an incident?

Incidents rarely emerge fully formed. They usually start as a set of indicators, often described as an event, which investigation may or may not turn into an incident that requires follow-up. The response plan should include a policy that sets the parameters, severity levels, and standards for when and how an incident is declared. That policy defines the criteria that separate a major incident from a minor one and sets the procedures to be followed for each type. Be sure to include any third-party or vendor incident response procedures if those parties are likely to be involved.

Step 2 - Who's in charge?

When an event is escalated to an incident it is important to know who is in charge: the roles, responsibilities, and authority of every member of the response team should be defined in advance. The policy that grants team members the authority they need to fulfil those roles must be clearly communicated across the organization, so that nobody has to argue for permission to act in the middle of an incident.

Despite all the time and effort we put into protecting our environment, in the face of an attack we are judged purely on how efficiently and effectively we respond to it.

Step 3 - Plan of Action

The response team needs to rehearse the plan and then go over how it performed, in order to understand what should be done better, by means of simulations such as:

• Drills
• Desktop exercises
• Functional exercises
• Full-scale exercises

All of these exercise scenarios are designed to test the technical, operational, communication, and/or strategic responses to cyber incidents, with a view to reviewing and refining current capabilities.

Each exercise consists of determining what improvements could be made in each phase of the incident response life cycle (the phases used by NIST SP 800-61):

1. Preparation
2. Detection and analysis
3. Containment and eradication of threats
4. Recovery and getting back to business
5. Post-incident activity, including lessons learned

Article 33 of the General Data Protection Regulation (numbered Article 31 in the draft text) requires the data controller to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The clock starts when the organization becomes aware of the breach, so the criteria for declaring an incident in Step 1 directly determine when that deadline begins.

Step 4 - Communication!

In some ways, an incident response plan is only as good as its communication network. During critical incidents, time is of the essence, and communication channels tend to be the first resource to break down, for a number of reasons: key people are unreachable, contact lists are out of date, or the very systems the team relies on (email, chat, ticketing) are the ones that are compromised or offline. If an attacker is inside the corporate email or chat systems, anything discussed there may be read by them, so the plan should designate out-of-band channels and keep the contact list somewhere reachable when the primary systems are down.


Step 5 - How does this Impact business?

There have been a number of high-profile data breaches in the past few years that have affected millions of people. The growing threat of identity theft makes customers especially sensitive to any of their data being put at risk. As a result, companies need to understand exactly what is at risk in each type of incident (customer data, intellectual property, service availability, regulatory standing) and how each could negatively affect the business, so that the severity criteria from Step 1 reflect real business impact rather than only technical scope.

Post Author: Aaron Fox, Information Security Enterprise Account Manager, HANDD Business Solutions

This post was initially posted here & has been reproduced with permission.

