An Incident Response Plan details the ‘who, what, where, how, and when’ of what happens within an organisation when a security incident occurs, to facilitate the fastest, most secure, compliant remediations. Developing an Incident Response Plan takes careful consideration, strategy, and ownership, with continuous improvement built in.
Why is Incident Response Planning important?
In 2024, the Australian Signals Directorate reported a 31% increase in publicly reported common vulnerabilities and exposures (CVEs). In the same period, medium and large-sized businesses self-reported losses of $63,000 on average, per report.
Cybercriminals are becoming more advanced, and losses can be a significant hit to businesses.
Incident Response Planning is your internally-designed, strategic, practical insurance policy against cyber threats. If your cyber risks are known, assets identified, systems fortified against threats, and step-wise failure plans laid out, you are now prepared to deal with inevitable security incidents that plague businesses.
Having a plan of what to do in the event of a security incident means:
A clearly defined plan for handling critical cyber security incidents
Decreased time to fully restore services
Lower costs spent during remediation
Protection against asset and data loss
Protection from reputational damage
Compliance regulations are always met
Effective communication to all stakeholders at the right times
What is the Incident Response process?
The gold standard incident response lifecycle model is detailed in NIST’s April 2024 publication Incident Response Recommendations and Considerations for Cybersecurity Risk Management. This high-level model is derived from NIST’s Cybersecurity Framework 2.0.
Within the model, there are two phases, each with three functions:
Preparation: Govern, Identify, and Protect
Incident Response Lifecycle: Detect, Respond, and Recover
Identify
This function involves ensuring all the cyber threats to the organisation are documented and understood. The Identify function also drives continuous improvement of the model and its functions, informed by newly identified risks and threats, the usefulness of the metrics collected, how response plans were carried out in practice, and so on.
Govern
This function outlines the organisation’s governance of cyber threats, including responsible parties, strategies, communication policies, and governance monitoring techniques.
Protect
This function involves all the controls and safeguards used within the organisation to guard against cyber threats identified from risks.
Detect
This function is how the organisation identifies and analyses potential threats.
Respond
This function is how the organisation responds to confirmed security incidents identified during the Detect function. Digital Forensics may be deployed during the Respond function as a method to expertly analyse the incident while preserving evidence integrity for potential use in legal cases.
Recover
This function is how the organisation returns to a normal, safe, operational state after a security incident.
Where does an IR plan fit into the Incident Response process?
An Incident Response Plan is created in the Preparation phase. The Identify function identifies cyber risks which will lead to the types of security incidents the IR plan must cover. The Govern function will outline roles and responsibilities surrounding IR planning and response activities. The IR plan will also outline current controls in Protect and may cover what to do should these safeguards fail.
An Incident Response Plan is triggered and enacted during the Incident Response Lifecycle phase: triggered during Detect, then implemented during Respond and Recover.
How to create an Incident Response Plan
The people
An Incident Response Planning team should be led by your organisation’s CISO or CSO. The teams involved will include security, IT, legal, business operations and communications, at a minimum. There must also be awareness of the plan across the broader business.
An incident response team, on the other hand, may be a part of your Security Operations Centre, or an on-demand team from a pool in security and IT, headed by an incident response coordinator. Some organisations choose to outsource incident response teams, when resources are stretched in-house or 24/7 availability is required.
The policy
The Incident Response policy will cover incident planning more broadly and will include:
Roles and responsibilities in Incident Response Planning and remediation activities, including senior management who are ultimately responsible
Standards and frameworks used in Incident Response
Current risks, including types, severities, likelihoods, etc.
Known and emerging threats
The broad incident response process
Incident Response playbooks
Compliance and reporting requirements and arrangements
We recommend consulting the Australian Cyber Security Centre’s Cyber Incident Response Plan Guidance for further details.
The playbooks
Playbooks are step-by-step guides for what to do in the case of a specific security incident. They will include people, procedures, technologies, timelines, reporting, etc., and may have flow diagrams attached showing the conditional paths to follow.
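As an added illustration (not code from the article or from Tesserent), the following is one way to represent a playbook's people, timelines and conditional paths in a form that can be walked and checked; the ransomware steps, owning roles and hour budgets are constructed assumptions, not values from any standard.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed example: a minimal ransomware playbook expressed as a directed
# graph of steps. Step names, roles and hour budgets are assumptions for
# illustration only, not values taken from the article or from a standard.

@dataclass
class Step:
    name: str
    role: str                       # who owns the step
    hours: float                    # time budget from incident declaration
    then: Optional[str] = None      # unconditional successor, if any
    branches: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)

def resolve_path(playbook: Dict[str, Step], start: str, facts: dict) -> List[Step]:
    """Walk the playbook from `start`, taking the first branch whose
    condition holds for the known facts; stop at a step with no successor."""
    path, current, seen = [], start, set()
    while current is not None:
        if current in seen:                 # guard against a cyclic playbook
            raise ValueError(f"playbook loops at {current}")
        seen.add(current)
        step = playbook[current]
        path.append(step)
        current = step.then
        for target, cond in step.branches.items():
            if cond(facts):
                current = target
                break
    return path

def overdue_steps(path: List[Step], elapsed_hours: float, done: set) -> List[str]:
    """Names of steps whose time budget has elapsed but are not marked done."""
    return [s.name for s in path if s.hours <= elapsed_hours and s.name not in done]

RANSOMWARE = {
    "isolate":  Step("isolate", "SOC analyst", 1, then="preserve"),
    "preserve": Step("preserve", "forensics", 4, then="assess_backups"),
    "assess_backups": Step("assess_backups", "IT", 8, branches={
        "restore": lambda f: f.get("backups_verified", False),
        "escalate": lambda f: not f.get("backups_verified", False)}),
    "restore":  Step("restore", "IT", 24, then="notify"),
    "escalate": Step("escalate", "IR coordinator", 8, then="notify"),
    "notify":   Step("notify", "legal/comms", 72),
}

if __name__ == "__main__":
    path = resolve_path(RANSOMWARE, "isolate", {"backups_verified": False})
    print([s.name for s in path])            # the escalation path
    print(overdue_steps(path, 6, {"isolate"}))  # steps already past budget
```

Running the same playbook with different facts shows which path the incident team follows, and the overdue check is the kind of timeline test a coordinator would apply during an exercise.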
Incident Response Planning industry standards and frameworks
Australian Signals Directorate: Parts of the Information Security Manual
NIST Special Publication 800: Incident Response Recommendations and Considerations for Cybersecurity Risk Management
ISO/IEC 27035 Series: Information technology — Information security incident management
CISA: Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
Which security incidents should be covered by the IR plan?
While each organisation will have different risks and priorities, the most common incident types should always have a dedicated playbook within the IR plan. These should include:
Compromised account or credentials
Malware
Compromised asset, network, or infrastructure
Ransomware
Denial of Service attack
Phishing
Implementing ASD’s Essential Eight can help guard against the most common threats.
Incident Response Plan vs. Business Continuity Plan
An Incident Response Plan is concerned with containment, eradication, and recovery in the case of a cyber threat. Your Business Continuity Plan is concerned with how to ensure critical business operations remain stable and then recover to a normal state after an unusual, damaging event. The Business Continuity Plan serves alongside the IR plan, but will also cover other non-security incidents such as backup failures and environmental disasters.
How Tesserent can help with Incident Response
Tesserent provides a wide variety of Incident Response services to government and commercial clients of all sizes. We provide urgent Incident Response Assistance with on-demand teams, through to risk assessments, Incident Response Readiness and Planning Services, and an Incident Response Management Retainer service for full coverage.
Reach out to arrange a free consultation to discuss your Incident Response capabilities and how to safeguard your organisation against future incidents.