When developing an incident response plan, it is critical to have good base-level response processes as a foundation before moving to the next level: integrating with other processes and creating enterprise-wide response capabilities.

Get the foundational processes right first before moving on to the others. So said industry leaders Angela Henry, business information security officer at Rand Merchant Bank, and Raymond du Plessis, senior managing consultant at Mobius Consulting, speaking at the ITWeb Security Summit on Tuesday.

The pair led a discussion on how to develop an effective incident management plan, saying that in the event of a security breach, the incident response team faces not only potential data loss but a slew of other issues to deal with, such as investigation, containment and recovery.

Firstly, they said, in the aftermath of a security incident there is a very fine line between not communicating enough and communicating too much. Incident communication needs to strike a balance between openness and protection, as divulging more information than necessary could result in undue escalation.

This is why an effective communication strategy for each phase of the incident response plan is key, said Henry.

She told the audience that a cyber security incident communication strategy needs to cover compliance-related issues and the media, as well as internal communications. Although a company’s reputation could be negatively impacted by an incident, she believes the world is becoming more technically aware and people are looking for more honesty and transparency in the reporting of incidents.

Roles, responsibilities

According to Du Plessis, when a breach occurs everyone within the organisation needs to understand their role, as well as the processes that need to be followed. It’s not just an information security issue: to be dealt with effectively, it requires the involvement of various stakeholders within the business, such as the public relations team, the legal department and the law enforcement liaison.

Speaking on how to develop an effective incident response process, Du Plessis said to take good practices and standards as the basis. “It could be NIST or ISO, or one of the others. These are all tried and tested, and follow methodical, logical steps that need to be adopted during an incident. The last thing you want is people running down the hallway screaming ‘we've been hacked’ and creating panic, and at the same time you also don't want an incident to pass by completely without even being aware of it.”

A methodical process

Following a methodical process that is simple enough for everyone to understand at a high level, and is practiced through simulations, is key.

“The first thing to do is verify the incident and analyse it before declaring it. The next step is attempting to contain it as best you can. Finally, you need to think about using the incident as lessons learned and a post-incident review to help improve the processes.”

There are a number of steps to take when formulating an incident response plan. Firstly, he said, the company needs to identify the key stakeholders who would need to participate if there was an incident within the organisation. Next, develop awareness and training for all stakeholders, even at board level; identify any external parties; appoint an incident response team; and define the roles and responsibilities for each.

Finally, Du Plessis said: “The skills that you have within your organisation are incredibly important. When you appoint first responders, consider additional training to help them learn to respond effectively.”