How to create a Cyber Security Incident Response (CSIR) Plan
What is Cyber Security Incident Response?
Cyber Security Incident Response (CSIR) describes the actions an organisation needs to undertake when a computer network or system is compromised by a data breach or hack.
Why is a Cyber Security Incident Response Plan Important for Your Organisation?
In any business, data breaches and cyber attacks are inevitable. It's the speed in which you react to the incident that is critical.
If an incident is not managed or contained correctly, it could potentially escalate, leading to a damaging data breach or system collapse.
In Ireland, incidences of cyber crime were found to be double of that experienced by global organisations and three times more disruptive.
Additionally, cyber security incidents can be costly to organisations. According to a survey on cyber security incidents, 38% of Irish businesses who had taken part reported a financial impact of approx €84,792. Worryingly, one fifth of respondents admitted to not knowing what their losses were due to the incident, or said the loss was immeasurable.
Types of Cyber Security Incidents:
Below are examples of common cyber security incidents that could have a negative affect on your organisation if a Cyber Security Incident Response Plan (CSIR) is not in place:
- Malware attack
- Ransomware attack
- DDoS attack - Distributed Denial of Service attack
- Phishing or social engineering attack
- Missing or stolen company property, such as an unencrypted laptop or phone holding sensitive company information.
The goal of a CSIR is to ensure an organisation's staff and IT teams can handle the situation at hand in a way that limits damage while reducing recovery time and costs. It also allows organisations to establish and implement best practices to stop an intrusion before it causes further damages.
Organisations cannot eradicate cyber incidents completely, but incident response processes do help to minimise the risk.
While hackers will always continue to exist, a team can be prepared to prevent and respond to their attacks. That is why having a functional, effective incident response plan is important for all organisations.
Developing a Cyber Security Incident Response Plan
An Incident Response Plan contains processes and procedures to help IT professionals and staff within the organisation recognise and deal with a cyber security incident such as a data breach or cyber attack.
They are also a necessary addition to your organisation's policies and procedures when working towards compliance with various security standards, either directly or indirectly.
Standards which need cyber security incident response documentation include:
- ISO 27001 - The international standard for an ISMS (Information Security Management System)
- PCI DSS (Payment Card Industry Data Security Standard)
- ISO 22301- The international standard for a BCMS ( Business Continuity Management System)
Most incident response (IR) plans are technology centric and address issues such as malware, data theft and service outages.
However, if your organisation is unfortunate enough to be hit by a significant cyber attack, it can affect multiple functions within the business. Therefore, the plan should include areas of the organisation such as human resources, finance, customer service, public relations, suppliers, partners, local authorities and other external entities.
Preparation
Preparation is arguably the most crucial phase of an incident response plan.
Part of this phase includes ensuring your organisation's employees are properly trained in responding to an incident and know their roles in the event of a data breach.
At this stage, if you don't have an in-house IT Team available to work through your networks and systems after a breach or attack, we would highly recommend having a consultant on hand to support you in the event of an incident.
Your response plan should be well documented, thoroughly explaining your employee’s roles and responsibilities.
Once complete, the plan must then be tested to ensure your employees will perform as they were trained. This can be done by developing response drill scenarios and mock data breaches to evaluate the incident response plan.
The more prepared your employees are, the less likely they’ll make critical mistakes if a breach occurs.
Identification
This is the process in which a breach is identified. The incident response team should immediately take action by reviewing the organisation's infrastructure and identifying any unusual activities, login attempts, unexpected new files or unrecognised user accounts.
This allows the incident response team to gain insight into when and how the attack happened, what was affected by the attack, and the likely effect and impact of the attack, as well as discovering the source and initial point of entry.
Containment
Once the necessary information has been gathered on the incident, the focus then turns to containing the threat to prevent further damage of the infrastructure.
The primary goal in this phase should be to minimise and contain the threat so it cannot escalate further and infiltrate more of the infrastructure.
When an effective containment strategy is put in place, the incident itself should be reviewed and any relevant evidence that is useful to resolving the incident should be gathered.
Eradication
In this phase, the focus is on eliminating the threat and the root cause of the incident. Then to ensure the removal is verified by monitoring traffic and critical logs.
Recovery
Once all threats have been removed, restoration of the affected infrastructure must be completed. This encompasses everything from initial data recovery to a final restoration review.
At this stage, the recovered data and infrastructure should be validated to make certain that it’s fully operational and protected.
Additionally, at this stage a penetration test should be considered to ensure restored infrastructure has had sufficient remediation actions applied and the infrastructure's security is sufficient.
Lessons Learned
Once the investigation is complete, a debrief and review meeting with the organisations stakeholders should be conducted.
This review should include a detailed documentation of the incident, the steps taken to remove the threat and the cyber security measures put in place so it does not happen again.
How can we help?
A cyber incident is never something you want to face. However, being proactive and prepared will make a huge difference in your response.
At Secora Consulting, our consultants have the expertise to work with your organisation to create a Cyber Security Incident Response Plan that suits your specific organisational requirements.
[Get in touch](https://www.secoraconsulting.com/contact) to learn more about our CSIR processes and how we can help improve your cyber security posture and provide peace of mind in an ever-evolving threat landscape.
Further reading
Our services
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.