Free DownloadWhat is incident response? Plans, teams and tools
Incident response is an organized, strategic approach to detecting and managing cyber attacks in ways that limit damage, recovery time and costs. This guide shows how to establish an incident response strategy. It then outlines steps needed to craft a plan and put in place the team and tools required to minimize the fallout when a cyber attack hits your organization.
Business continuity vs. disaster recovery vs. incident response
To stay in business, expect the unexpected. Learn how business continuity, disaster recovery and incident response differ -- and why organizations need plans for all three.
Today, every organization is a technology organization, and almost every part of the business is digitally connected. Security incidents have the potential to disrupt this critical IT ecosystem, but businesses can minimize and mitigate interruptions with thorough detection, response, mitigation and recovery plans.
Business continuity is all about the processes and plans designed to ensure the business can continue to function in the face of any type of interruption -- from planned downtime to malicious attacks.
Today, these plans have to cover not just technology the organization itself owns or rents, but also third-party systems that may go offline.
Adequate staffing. Assemble a cross-functional team that meets periodically to review the plan and implement any necessary changes. These might be due to events such as organizational restructuring, partner onboarding or offboarding, changes in the regulatory environment and new technology deployments.
Critical business function identification. Define the organization's vital business functions, and establish how to keep them operational in a crisis.
Critical resource highlighting. Catalog all the human, technology and third-party resources required to enact the plan and maintain uptime. Identify the minimum number of required resources to keep the business operational.
Mock event training. Conduct an annual -- at minimum -- exercise to test the business continuity plan by simulating an event that interrupts operations.
What is disaster recovery?
Disaster recovery describes the steps needed to quickly restore IT services and products to a functional level in the event of natural disasters, technological failures or premeditated attacks.
Data backup and restoration. Ensure data is frequently backed up and periodically restored to confirm backup systems accurately mirror data stored on the primary network.
IT systems and assets auditing. Periodically audit IT systems and assets, comparing them against the inventory and flagging any variations.
Data recovery roles and responsibilities. Assign functional roles and operational tasks to data recovery team members.
What is incident response?
Incident response establishes the procedures the organization follows in the wake of a confirmed security incident. These steps include early detection, mitigation and response to thwart the effects of a malicious attack, as well as restoration of business operations to a fully functional level.
What do incident response plans include?
An incident response plan should include the following:
Asset inventory. Establish a complete inventory of all assets, and gauge the likelihood each asset might be attacked, based on information such as the following:
Assign a risk score to each asset, and periodically review it for accuracy.
Integrated detection, mitigation and response measures. Create an integrated plan that includes incident planning, incident detection and verification, a mitigation plan for all types of incidents and a response plan that includes internal and external communication aligned with industry and legal regulations.
Cross-functional team. A critical incident response team should include experts in cybersecurity, IT, digital forensics, project management, business operations, regulatory requirements and crisis communications. Each person should have clear roles and responsibilities across the detection, mitigation and response stages.
Why business continuity, disaster recovery and incident response are all important
An organization needs all three types of plans to maximize resilience and minimize risk.
Digital resilience and recovery depend on three pillars: business continuity, disaster recovery and incident response.
Business continuity, disaster recovery and incident response have the following related but distinct objectives, each of which helps ensure the organization stays in business:
A business continuity plan aims to ensure critical operations carry on during disruptions of any kind, whether unforeseen or planned.
A disaster recovery plan aims to restore IT functionality as quickly as possible after a crisis of any kind, whether a natural disaster, technological outage or cyberattack.
An incident response plan aims to detect, contain and manage cybersecurity incidents, such as cyberattacks, and minimize their fallout.
Business continuity, disaster recovery and incident response plans have complementary but distinct goals.
Best practices for business continuity, disaster recovery and incident response planning
Despite their distinct objectives, business continuity, disaster recovery and incident response planning share the ultimate goal of keeping the organization in business. They also have the following best practices in common:
Plan ahead. Create a business continuity plan, a disaster recovery plan and an incident response plan when conditions are calm. Once a crisis is underway, it's usually too late to develop thoughtful, effective strategies for dealing with it, which puts data, operations and the business itself at significant risk.
Involve the right team members. Effective business continuity, disaster recovery and incident response strategies all start with identifying and involving the right stakeholders. Clearly define each person's role and responsibilities -- and where those fall on the crisis response timeline -- in the plan itself. Ensure the document includes everyone's current contact information.
Put plans to the test. Business continuity, disaster recovery and incident response plans require at least yearly testing to ensure they are thorough and up to date. Mock crisis simulation exercises almost certainly offer key insights and prompt important revisions -- as even a plan that appears perfect on paper often has critical gaps in practice.
Update plans frequently. Crisis planning is not a set-it-and-forget-it initiative. Because today's businesses experience near-constant change, business continuity, disaster recovery and incident response plans require frequent updates to stay relevant and effective.
Ashwin Krishnan is a technical writer based in California. He hosts "Stand Out in 90 Sec," where he interviews cybersecurity newcomers, employees and executives in short, high-impact conversations.
Alissa Irei is senior site editor of TechTarget Security.
