Incident response is the art (and science) of responding to computer security-related breaches. Interestingly, most organizations I deal with don’t have a documented incident response plan. The last thing you want to do during and after a security breach is figure out the best approach for handling the situation. It is an often overlooked component of business continuity.
The following are the core elements of an effective web incident response plan. These items are fairly generic, so be sure to tweak it based on your specific information security needs.
- Overview that outlines the goals, scope and assumptions of your incident response plan.
- Roles and Responsibilities outlining who does what including executive sponsor, media relations and technical roles including software developers and cloud service providers.
- Incidents Requiring Action outlining when the plan should be put into motion such as web security breach, suspicious behavior found on your IPS, malware infection and so on.
- Current Network Infrastructure diagram and supporting documentation including web system architectures and information flows.
- Existing Security Safeguards that are providing protection and can assist with detection and prevention including IPS, firewall, WAF, and endpoint security controls for the web, application, and database servers.
- Detection, Investigation and Containment procedures for responding to the incident keeping in mind that this may involve third parties such as a managed security service provider, hosting providers, ISPs, and even law enforcement and forensics investigators.
- Eradication, Cleanup and Recovery procedures for getting the affected systems back up and running which may include website, server, and database backups as well as web vulnerability scans.
- Follow-Up for reporting and documenting lessons learned to help minimize the chance of it happening again.
- Call List so you can quickly contact the people and vendors to get involved outside of your traditional business continuity or disaster recovery team.
- Training and Awareness to share the plan’s components with IT staff and end users.
- Testing procedures to ensure the plan is solid and following up on any problem areas.
- Revisions to the plan to ensure it stays current as well as keeping track of who made which changes.
Incident response may seem trivial – even like someone else’s responsibility. It’s not. Get started on your plan today before the going gets tough. You’ll be glad you did.