From Chaos to Control: 5 Real-World Incident Response Examples

The worldwide average cost of a data breach rose 15% in the last 3 years, bringing the figure to 4.45 USD. That’s a huge jump in such a short amount of time! The most experienced business leaders know to build on a solid cybersecurity foundation. In fact, according to IBM, 51% of businesses plan to increase their cybersecurity investments in response to a breach.

These investments should include:

  • An incident response (IR) plan.

  • Employee training.

  • Threat detection and response tools.

Let’s go over all three of these suggested topics, with a special focus on creating and executing an incident response plan. 

What is an Incident Response Plan

I keep saying “incident response plan”, and maybe you already know what that entails - or maybe not. For those who’ve never heard the term before, an incident response plan is a written document that helps your organization handle a security incident: before, during, and after it happens.

I bet you’re wondering about the “before” part. After all, how do you respond to an incident that hasn’t happened yet? Well, you don’t. You prepare for it. And you do so with an incident response plan template!

An incident response plan template is a sort of checklist that allows you to prepare for possible security attacks, specifically cybersecurity attacks. Responding to such an event is rather complicated, so it’s best to have the required steps and actions documented. A solid template sets you up to detect security incidents sooner, record their impact, and control any damage.

While templates help you structure your game plan and are similar in their framework, they’re also adaptable. Businesses can easily modify their template to adhere to their specific needs. This way you can delegate roles and responsibilities throughout your team the way you see fit.

When designing your template, take the following into consideration:

  • Inventory the security solutions you already have: software, hardware, and other technologies.

  • Document the existing procedures for restoring critical affected systems.

  • Define how the severity and impact of an incident are assessed.

  • Separate incidents by type, for example ransomware, SQL injection attacks, and so on.

  • Set a required response and resolution time for each incident, based on its severity.

  • Put a clear escalation process in place.

  • Name the first point of contact, what should be communicated and to whom, and backup contacts as well.

  • Review your organization’s plan at least quarterly and update it according to new threats, incidents, and lessons learned.
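The considerations above (incident type, severity, required response and resolution times, escalation, and a first point of contact with backups) are easier to act on when they are written down as structured data rather than as prose in a binder. The following Python module is an added example, not code from the original article; the severity tiers, hour values, incident types, and contact addresses are constructed placeholders to be replaced with your own plan's values. It derives a default severity from the incident type, computes the response and resolution deadlines, flags when an incident must be escalated, and walks the contact roster from the primary contact to the backups.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def ts(iso: str) -> datetime:
    """Parse a timestamp such as '2024-01-01T09:00' (helper for the sample data below)."""
    return datetime.fromisoformat(iso)


# Response and resolution targets per severity tier, in hours.
# Tier names and values are constructed for this example; set them from your own risk assessment.
SLA_HOURS = {
    "critical": {"response": 1, "resolution": 24},
    "high": {"response": 4, "resolution": 72},
    "medium": {"response": 24, "resolution": 168},
    "low": {"response": 72, "resolution": 336},
}

# Default severity by incident type (constructed). Unlisted types start at "medium"
# until a handler reassesses the actual impact.
DEFAULT_SEVERITY = {
    "ransomware": "critical",
    "sql_injection": "high",
    "phishing": "medium",
    "lost_device": "low",
}

# Escalation roster per tier: first point of contact, then backups, in order.
# Addresses are placeholders on the reserved .invalid domain, not real contacts.
CONTACTS = {
    "critical": ["ciso@example.invalid", "ir-lead@example.invalid", "soc-oncall@example.invalid"],
    "high": ["ir-lead@example.invalid", "soc-oncall@example.invalid"],
    "medium": ["soc-oncall@example.invalid", "it-helpdesk@example.invalid"],
    "low": ["it-helpdesk@example.invalid"],
}


@dataclass
class Incident:
    incident_type: str
    detected_at: datetime
    severity: str = ""  # empty -> derived from incident_type
    acknowledged_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if not self.severity:
            self.severity = DEFAULT_SEVERITY.get(self.incident_type, "medium")
        if self.severity not in SLA_HOURS:
            raise ValueError(f"unknown severity {self.severity!r}")


def response_deadline(inc: Incident) -> datetime:
    return inc.detected_at + timedelta(hours=SLA_HOURS[inc.severity]["response"])


def resolution_deadline(inc: Incident) -> datetime:
    return inc.detected_at + timedelta(hours=SLA_HOURS[inc.severity]["resolution"])


def needs_escalation(inc: Incident, now: datetime) -> bool:
    """True when a deadline has passed without the matching milestone being recorded."""
    if inc.acknowledged_at is None and now > response_deadline(inc):
        return True
    if inc.resolved_at is None and now > resolution_deadline(inc):
        return True
    return False


def escalation_contact(inc: Incident, attempt: int) -> Optional[str]:
    """Who to notify on the given attempt (0 = first point of contact); None once the roster is exhausted."""
    roster = CONTACTS[inc.severity]
    return roster[attempt] if 0 <= attempt < len(roster) else None


def status(inc: Incident, now: datetime) -> dict:
    """Summary a handler or dashboard would show for the incident."""
    return {
        "severity": inc.severity,
        "respond_by": response_deadline(inc).isoformat(timespec="minutes"),
        "resolve_by": resolution_deadline(inc).isoformat(timespec="minutes"),
        "acknowledged": inc.acknowledged_at is not None,
        "resolved": inc.resolved_at is not None,
        "escalate": needs_escalation(inc, now),
        "notify": escalation_contact(inc, 0),
    }


if __name__ == "__main__":
    # Constructed sample incident: ransomware detected at 09:00, checked 90 minutes later
    inc = Incident("ransomware", ts("2024-01-01T09:00"))
    print(status(inc, ts("2024-01-01T10:30")))
```

Keeping the tables separate from the logic is the point: the quarterly review the article recommends then becomes a change to `SLA_HOURS`, `DEFAULT_SEVERITY` or `CONTACTS`, while the escalation rule itself stays fixed and testable.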

Important Components of an Incident Response Template

Let’s break down some more important points you should include in your incident response template.

Purpose & Scope

Determine the goals of the incident response template. Focusing on specific recovery goals will help you home in on your efforts and concentrate on what is an imminent threat. Learning to prioritize these threats will save you from wasted time and data loss.

Clearly defining the purpose and scope of your incident response template helps to streamline the process throughout your organization. Specific statements may include the limitations of the program, risk mitigation, and education/training.

Threat Scenarios

Develop more than one incident response plan to address different threat scenarios. Consider taking a sort of “master plan” and adding supporting documentation for special scenarios. 

Separate incident response plans can help you increase the likelihood that the individual handling the incident takes the appropriate steps. 

Scenarios in which you might consider having a separate incident response plan might include loss of intellectual property, data loss due to malware, and zero-day attacks on critical systems.

Roles & Responsibilities

Decide who will put the response plan into action prior to the incident. Assigning roles and responsibilities in advance allows for a seamless transition from planning to practice. Working faster and with more confidence is the goal.

Your team will feel more in control and united for it. Include the individual’s name, title, and contact information.

Incident Response Process

This section lays out the sequence of events that your team needs to follow in response to a cybersecurity attack. I’d argue that this is the most important part of your plan. Remember that your main process will not match every situation. Keep it flexible so your team can decide which steps are best for the threat at hand.

Incident Response Template Examples

Let’s look over some template examples! The following are a few organizations that publish exceptional templates, worthy of sharing with you.

NIST Incident Response Plan

The National Institute of Standards and Technology (NIST) provides a great incident response plan. The template aligns with its Cybersecurity Framework, providing specific guidelines for navigating data breaches. It offers guidance for preparing and detecting these attacks, as well as responding to, and recovering from them. 

The main sections of the proactive NIST approach include:

  1. Organizing a Computer Security Incident Response Capability.

  2. Handling an Incident.

  3. Coordination and Information Sharing.

  4. Incident Handling Scenarios.

  5. Incident-Related Data Elements.

SANS Incident Response Cycle

A leading organization in cybersecurity training, SANS Institute is next on the list. This incident handling process template provides a systematic approach when handling a cybersecurity breach (or any incident for that matter). SANS operates by the acronym PICERL to guide employees through threats to their organization or even personal data. 

Let’s look at the acronym and see what exactly the SANS Incident Response Cycle consists of:

  1. Preparation: Establish an Incident Response Team (IRT), create an Incident Response Plan (IRP), and implement training and awareness.

  2. Identification: Anomaly detection, event logging, and notifications.

  3. Containment: Isolation and quarantine.

  4. Eradication: Root cause analysis, patching, and remediation.

  5. Recovery: System restoration and data recovery.

  6. Lessons Learned: Post-incident review and documentation.

  7. Reporting and Communication: Internal and external communication.
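The SANS cycle is a sequence, and the value of tracking an incident against it is that you can see when a step was skipped and how long each phase took. The Python class below is an added example, not SANS material or code from the article. It records an incident's movement through the phases, refuses out-of-order transitions, permits one constructed backward step (Recovery back to Containment when the threat turns out not to be eradicated), and produces the time-to-contain and time-to-recover figures a Lessons Learned review would start from. Preparation happens before any incident exists, so a record opens at Identification.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def ts(iso: str) -> datetime:
    """Parse a timestamp such as '2024-03-01T08:00' (helper for the sample timeline)."""
    return datetime.fromisoformat(iso)


# The SANS phases in order. Preparation precedes any incident, so lifecycle
# records only use the phases from Identification onwards.
PHASES = ["Preparation", "Identification", "Containment", "Eradication", "Recovery", "Lessons Learned"]
INCIDENT_PHASES = PHASES[1:]

# The single backward step this example permits: when recovered systems show the threat
# is still present, the team returns to Containment. Constructed rule; adapt it to your plan.
ALLOWED_REGRESSIONS = {("Recovery", "Containment")}


class PhaseOrderError(ValueError):
    """Raised when a phase is entered out of sequence."""


def is_valid_transition(current: str, nxt: str) -> bool:
    """Forward moves go one phase at a time; the only backward move is an allowed regression."""
    if nxt not in INCIDENT_PHASES or current not in INCIDENT_PHASES:
        return False
    if (current, nxt) in ALLOWED_REGRESSIONS:
        return True
    return PHASES.index(nxt) == PHASES.index(current) + 1


class IncidentLifecycle:
    def __init__(self, incident_id: str, identified_at: datetime) -> None:
        self.incident_id = incident_id
        # (phase, entered_at, note), oldest first
        self.history: List[Tuple[str, datetime, str]] = [("Identification", identified_at, "incident opened")]

    @property
    def phase(self) -> str:
        return self.history[-1][0]

    def advance(self, phase: str, at: datetime, note: str = "") -> None:
        """Enter the next phase, enforcing both the phase order and monotonic timestamps."""
        if at < self.history[-1][1]:
            raise ValueError("phase timestamps must not go backwards")
        if not is_valid_transition(self.phase, phase):
            raise PhaseOrderError(f"{self.incident_id}: cannot move from {self.phase} to {phase}")
        self.history.append((phase, at, note))

    def first_entered(self, phase: str) -> Optional[datetime]:
        return next((t for p, t, _ in self.history if p == phase), None)

    def hours_in_phase(self) -> Dict[str, float]:
        """Hours spent in each phase; a phase re-entered after a regression accumulates."""
        totals = {p: 0.0 for p in INCIDENT_PHASES}
        for (p, start, _), (_, end, _) in zip(self.history, self.history[1:]):
            totals[p] += (end - start).total_seconds() / 3600
        return totals

    def metrics(self) -> Dict[str, Optional[float]]:
        """Hours from identification to first containment and to first recovery
        (None if not reached), plus the number of regressions."""
        opened = self.history[0][1]

        def hours_to(phase: str) -> Optional[float]:
            t = self.first_entered(phase)
            return None if t is None else (t - opened).total_seconds() / 3600

        regressions = sum(1 for (a, _, _), (b, _, _) in zip(self.history, self.history[1:])
                          if (a, b) in ALLOWED_REGRESSIONS)
        return {"hours_to_contain": hours_to("Containment"),
                "hours_to_recover": hours_to("Recovery"),
                "regressions": regressions}


if __name__ == "__main__":
    # Constructed timeline: contained in 90 minutes, one reinfection after recovery
    lc = IncidentLifecycle("INC-0001", ts("2024-03-01T08:00"))
    lc.advance("Containment", ts("2024-03-01T09:30"), "isolated affected host")
    lc.advance("Eradication", ts("2024-03-01T12:00"), "removed persistence, patched")
    lc.advance("Recovery", ts("2024-03-02T08:00"), "restored from clean backup")
    lc.advance("Containment", ts("2024-03-02T10:00"), "threat seen again, re-isolated")
    lc.advance("Eradication", ts("2024-03-02T11:00"))
    lc.advance("Recovery", ts("2024-03-02T14:00"))
    lc.advance("Lessons Learned", ts("2024-03-05T10:00"), "post-incident review held")
    print(lc.metrics())
    print(lc.hours_in_phase())
```

A regression count above zero in the metrics is itself a lessons-learned finding: it usually means the root cause analysis in Eradication stopped too early.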

ISO/IEC 27001 Incident Response Procedure

The ISO/IEC 27001 Incident Response Procedure is ideal for organizations that are just starting out. The plan is pretty straightforward to understand, which is personally what I appreciate about it. By adhering to the principles of this procedure, you are on your way to creating a strong framework, one that will help you build your organization’s security foundation.

When managing incidents, ISO/IEC 27001 suggests the following approach:

  1. Create an incident management strategy.

  2. Establish incident management procedures.

  3. Identify and record incidents.

  4. Respond to and contain incidents.

  5. Report incidents.

  6. Analyze and investigate incidents.

CIS Incident Response Template

According to the Center for Internet Security (CIS), there is a difference between an event and an incident. An event is any occurrence that you can observe, verify, and document. An incident, on the other hand, is an event that has a negative effect on an organization and its security. 

Whether intentional or unintentional, these incidents impact a company’s ability to accomplish its mission.

The CIS incident response template consists of the following:

  1. Plan: Develop documentation. This should include all procedures required for handling incidents.

  2. Detect: Monitor assets and analyze intelligence to find incidents.

  3. Respond: Activate your plan to respond to an observed incident. This step should emphasize the importance of rapid containment of the threat.

  4. Update: Take note of which parts of the plan were effective. Update your plan according to what worked and what didn’t. 

Cloud Service Provider Incident Response Template

Cloud incident response plans deal with security threats in a cloud environment. Shocking, I know. These specific templates walk you through the procedures and tools within your infrastructure for responding to and recovering from cloud-based incidents. There are a few key differences between a cloud incident response system and a non-cloud incident response system. These differences lie in the areas of governance, shared responsibility, and visibility.

Cloud service incident response templates include the following steps:

  1. Preparation.

  2. Detection and analysis.

  3. Containment.

  4. Eradication.

  5. Recovery.

  6. Post-mortem.

Conclusion

The cost of data breaches is rising globally for organizations in all sectors. This looming threat easily justifies the time and energy spent on putting together a well-structured incident response plan. 

Your template should include an organized approach that encompasses all stages of the security incident. The stages should include before, during, and after the breach. However, for those who have a lot on their plate already, consider these templates to build your own plan!

Remember that keeping your assets and data safe takes more than just having a template at hand. Strengthen your security defenses with a strategic approach that pairs the plan with employee training and with threat detection and response tools.