When the inevitable happens, respond effectively and recover quickly with a well-thought-out Incident Response plan.

In the event of a destructive attack, data breach, ransomware demand, or accidental data loss, time is of the essence. Having a formalized, tested incident response plan makes all the difference.

“You’re formulating a course of action for how you’ll respond to things that may or may not happen,” says Ryan Weston, Chief Information Security Officer at ACS.

The incident response plan should be part of your company’s overall Business Continuity or Disaster Recovery Plan. Take these steps to ensure your plan has key stakeholder support and can easily be implemented in times of disaster.

1. Gain buy-in from the top

The company’s chief executives and board of directors need to be in agreement with your plan. It’s likely you’ll hire outside resources such as vendors or legal counsel to assist in an emergency. Those who write the checks will need to know this beforehand. You’ll also want their support when it comes time to gain consensus from other departments and employees.


2. Identify key personnel or partners

Make a list of individuals who will be key to implementing your plan. This includes legal counsel, finance officers, and representatives from the human resources, public relations and marketing, information technology, operations, and customer service departments.


3. Create a plan

The plan will include specific details such as what constitutes an incident. A good way to gauge if something is an incident is to consider how business would be interrupted or disrupted and set thresholds.

Each company has to define what an incident is to them. Some may consider logging into a firewall an incident. Others may not until something has been stolen or a system has been breached.

Some situations may not be severe enough to implement the incident response plan and can be handled by another policy or procedure.

The plan also defines the high-level people or positions who will be involved and assigns jobs and responsibilities to those who will respond when an incident occurs. This will help you determine where there are gaps in skills, and when and in which areas outside assistance will be required.

Your plan will need to include information about how the team will communicate with one another and the tools they’ll need.

4. Document and communicate

You’ll need to keep copies of your plan both on- and off-site, including an electronic copy that is readily accessible and physical copies that are stored in several locations. Electronic and paper copies should be given to stakeholders, those who will respond and take action, and any outside vendors or experts who will be retained if the plan is executed.

5. Test, adjust and retest

Role-play with those involved and create potential incidents in which they would be required to implement the plan. Evaluate how well the plan was executed and how well it resolved the issues. Make adjustments as needed and then retest the plan. Weston recommends testing a couple of scenarios, ranging from a small-scale issue to a large disaster.

6. Review

Assess your plan at least once a year, if not quarterly, depending upon your industry. Add new processes and critical operations as your business evolves, as employees leave and as positions change.

If you’re unsure whether your plan meets these requirements, or if the thought of all of this makes your head spin, a third-party technology services provider can review your plan or help you create a custom plan that follows industry standards and best practices.


Incident Response Plan FAQs

Q: How does the company ensure that all employees are familiar with the incident response plan, and what training methods are used to educate them?
A: ACS recognizes the importance of a well-informed team when it comes to incident response. While we don't directly train our clients' employees, we emphasize the value of comprehensive education in our consulting. We advise our clients to conduct regular workshops and simulation exercises that walk employees through the incident response plan. This could involve tabletop exercises or more sophisticated cyber range simulations, depending on the client's resources and needs. The goal is for each member to understand their role clearly and to ensure the plan is second nature during an actual incident.

Q: Can you provide examples of incidents that were managed using the plan, and how the outcomes of those incidents shaped future revisions of the plan?
A: While the specifics of incidents are confidential, ACS has managed a range of scenarios from minor data breaches to significant system outages. Each incident is thoroughly debriefed to extract lessons learned, which are then used to refine the plan. For example, an unexpected communication bottleneck in one incident led us to develop a more robust communication protocol, ensuring clear and prompt information flow for future occurrences.

Q: What metrics or key performance indicators does ACS use to measure the effectiveness of an incident response plan during and after an incident?
A: The effectiveness of our incident response plan is evaluated using several metrics, such as the time to detect and respond to an incident, the impact on operations, and the time taken to resume normal service. Post-incident, we assess the accuracy of incident classification, response coordination, and the effectiveness of communication both internally and externally. Customer feedback and the cost incurred due to the incident also play a crucial role in our assessment. These metrics guide us in continuously improving our response strategies.