Speedily minimizing the negative impact of an information security incident is a fundamental element of information security management. The risks — loss of credibility in the eyes of users and other stakeholders, loss of business revenue and critical data, potential regulatory penalties — can significantly jeopardize your organization’s mission and objectives.
For example, in October 2023, the British Library faced a ransomware attack that resulted in the breach of customer and employee personal data. The attack also crippled its digital services, some of which are yet to be restored as of this article’s publication. Estimates are that it will cost upward of 7 to 8 million USD to recover, as the institution refused to pay a ransom to recover lost data.
When faced with a cybersecurity incident, preparedness can be the differentiator that delivers effective response and containment. For this reason, organizations need to invest in a robust incident response capability that:
An incident response plan provides the roadmap for building this capability. So, what is an incident response plan? It’s a document that spells out a systematic approach to handling cybersecurity incidents, such that a consistent methodology is followed.
How will you respond when this happens to you? (A sample of news articles about data breaches, Googled on 8 January 2024.)
In this article, we will look first at the what exactly goes into an incident response plan. Then, we’ll look at how to appropriately communicate this plan and — critically — how to maintain and update the plan over time.
(Related reading: incident management & incident severity levels 1-5.)
Splunk IT Service Intelligence (ITSI) is an AIOps, analytics and IT management solution that helps teams predict incidents before they impact customers.
Using AI and machine learning, ITSI correlates data collected from monitoring sources and delivers a single live view of relevant IT and business services, reducing alert noise and proactively preventing outages.
A security and privacy control, the incident response plan is responsible for:
As organizations differ in size and scope, the incident response plan should be customized to meet the unique requirements that cater for a particular context. A good example of a wide ranging plan is the U.S. National Cyber Incident Response Plan published by CISA that spells out roles across different government levels, capabilities and coordinating structures.
In general, the incident response plan consists of the following elements as per the NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide:
A short description of the organization’s purpose and intentions as relates to incident response.
A summary of the broad actions or course of action for achieving the incident response objectives. SMART goals are best suited that encompass all elements of the incident response plan including training, testing, communication and technical aspects such as automation initiatives.
Top management signs off that the plan has been reviewed, has the full buy-in, and will be appropriately resourced.
(Know your leadership roles: CISO, CIO, CPO and more.)
Here, you’ll need to define and outline:
This may be grouped based on different incident scenarios e.g., the response to a system outage may be treated differently when compared to a phishing attack.
An outline of how information will flow from the teams responding to the incident to relevant internal and external stakeholders. Relevant data classification controls would be spelled out that apply to information going to external parties such as media, suppliers, customers and government agencies.
Examples of metrics that would be related to incident response as defined by ITIL 4 practice include:
(Read more about incident response metrics.)
Actions and timelines for achieving the highest level of capability. A maturity model such as CMMC can be adopted that outlines the controls required at a particular level.
The responsibilities within the incident response plan are mapped to the organizational job titles and roles. The overall responsibility may be given to a team termed Incident Response Team (IRT) whose members are drawn from different functions including technology, legal, human resources, corporate communication among others.
(Meet these roles: The Incident Commander & The Computer Security Incident Response Team.)
According to NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations), for data breaches involving personally identifiable information (PII), the incident response plan can be enhanced with the following additional elements:
As always, the level of detail within the incident response plan will vary depending on the scope of the organization.
Informing stakeholders about the incident response plan is a critical activity in ensuring its acceptance and adoption.
Part of the incident response capabilities involves the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain.
However, this communication must be carefully controlled — ensuring that sensitive information is not passed to unauthorized parties. For example:
There are ways to avoid these issues. Within the incident response plan, designate appropriate communication responsibilities with relevant stakeholders. Here are some examples:
For any communication going out, multiple persons should review it first. Apply any designated information security controls such as data classification and data encryption.
(Related reading: third-party risk management.)
(See how Splunk solutions support the entire incident management practice.)
The NIST SP 800-61 Rev. 2 Guide advises that, once your plan is approved, you should implement the plan. Importantly, you should review it at least once a year, if not more often, to ensure your organization is following the roadmap for maturing the capability and fulfilling incident response goals.
Some of the actions to be taken so that the plan becomes a living document that remains relevant for the organization include the following as spelled out by CISA:
An incident response plan is only as good as the commitment from all stakeholders to turn it into reality. Without a plan, the chances of successfully dealing with a major IT outage are slim to none, and this introduces more risks especially with the costs of dealing with such outages becoming more expensive.
Any service delivery unit that wants to delight its customers and deliver value to its shareholders must commit to investing in a comprehensive incident response plan that captures what is required to effectively respond to different incident scenarios, inform key stakeholders about its contents and their responsibilities, and finally keep it regularly updated using lessons from previous experiences, as well as new insights from analysis of their operational context.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.