Updated for 2022 - Includes 11 Tips for Building your Incident Response Team
As the rate of data breaches rises, it is no surprise that more companies are building an incident response team so their organization can act faster and more effectively when there is a cyber attack. An important first step to protecting your company data is to research Integrated Risk Management and recognize that building a risk and compliance program is becoming a business necessity and, in fact, a competitive advantage for many organizations. One of the essential elements of any data security program is to build an Incident Response Team to prepare for and handle any issues that may arise.
We are all used to doing regular fire drills at the office or school, and we accept the benefits of having defined roles and responsibilities should an emergency occur. It allows for a more organized response to a difficult situation. This kind of planning limits the damage that can be caused and it keeps everyone safe. Well, the same is true with a cybersecurity Incident Response Team at work. Taking the time to plan for a worst-case scenario can limit damages and in the process preserve a company’s reputation.
What is an Incident Response Team (IRT)?
An incident response team or Computer Incident Response Team (CIRT) is defined by NIST as:
“Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also called a Computer Security Incident Response Team (CSIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability, or Cyber Incident Response Team).”
Source(s): NIST SP 800-137 under Computer Incident Response Team (CIRT) from CNSSI 4009
At Ostendio we help a large number of companies that implement and maintain an Incident Response Team (IRT) as part of their overall security posture. From working with those companies we have devised our playbook for assembling a high-functioning Incident Response Team:
1. Start with executive or board-level support.
The IT team normally drives the need for an IRT, and if they have a champion on the executive board who understands the importance of being ready to deal with security breaches, this can expedite the process of getting an IRT set up. A high-level champion is also critical because you will be bringing together team members from the whole organization to work on a company-wide plan, so many departments will need to be on board.
2. Pull in external experts for help.
If you don’t have the expertise in-house, look for an experienced outside company that has the knowledge and experience to help with your broader security program as well as establish your IRT. This can save you time and money when preparing your team.
3. Assemble the team with representatives from across the organization.
Make sure you have included all departments on the team. Finance, PR, HR, marketing, legal, etc. will all have a role to play. It’s important to include PR, as managing the public reaction to a breach can be a key part of the crisis response.
4. Name a leader and define clear roles and responsibilities for team members.
Appoint a team leader so the team knows who is in charge when there is a serious incident. Document each team member’s responsibilities. Plans should be in place to respond to as many foreseeable events as possible. Contingency plans should be prepared, communications strategies written, and authority granted ahead of time to those who will need it. All this preparation work will ensure a smoother reaction should an emergency occur.
5. Allow for logistical considerations.
Think about the locations of team members and how time zones could affect working together. Ideally, if your company is big enough, there should be at least two people from each department on the team. You should also make sure you have multiple contact points for each team member (home phone, cell phone, etc.) in case you need to reach them outside of office hours. Consider having a designated bridge number in case of a breach so that all members know how to connect quickly. Make sure there is an alternate way to connect in case of network connection issues, e.g. text messaging rather than phone conversations.
6. Create a register of critical assets.
Define and document what assets are critical to your company. Remember that an asset isn't just hardware. It can also be a person, a vendor, or any other artifact that is critical to the functioning of the business. Use a management tool that helps you handle the register of critical assets so that they are up to date at all times. Critical assets include PII and other sensitive data (about customers and employees) which may require formal notifications in certain situations. Understand breach notification requirements for commercial contracts and/or to regulatory authorities.
7. Plan and conduct drills.
There’s a reason we do fire drills and practice runs. Learn from the drills and improve the way the Incident Response Team handles different emergencies. For example, if there is a network security breach, what teams would be involved, and how would the issue be communicated, tracked, and managed? What would a successful outcome look like for your company? By conducting a drill, your organization will have the experience to better handle the real thing should a breach occur.
8. Foster a culture of openness and security awareness.
People on your Incident Response Team and in your company should be encouraged to speak up if they see something significant. Building a culture of openness and security awareness can help mitigate incidents in the first place. Make sure regular security awareness training is part of your employee training for all employees. Staff must know how to report even the suspicion of an incident to enable an IRT to respond quickly. Time is of the essence, and a quick and appropriate response could prevent an incident from becoming a media-reported situation.
9. Invest in technology to help you bulletproof your incident response team.
Look for a tool that will help you assign roles on the team, document steps taken to respond to an incident, and allocate responsibilities to team members. It should have regular reminders to make sure that the plan is kept up to date. The best solutions (like Ostendio MyVCM) ensure that all incidents are tracked and managed centrally in the platform so you can see any patterns and commonalities in the incidents that occur. Make sure that everyone on the team has the training to use the tool effectively.
10. Publish and Maintain a Contingency Plan.
The plan needs to be available for the IRT to see, use, and make comments/suggestions. There should be a way that comments or suggestions can be assigned within the plan to a team member. After each incident, the IRT should gather and reassess the plan to see if improvements can be made. If there are no incidents, the IRT should review the plan at least once a year to address changes in the environment, industry, or team members. Importantly, make sure the plan is accessible from two unique locations to ensure you are not left blind if the host location is unavailable as a result of the incident.
11. Ensure the IRT has a high capability to respond to risks rated as “high”.
For example, today ransomware can have a high probability and a large negative impact on an organization. If a risk is rated high by the organization, the team should be sure they know how to respond to this type of incident. A specific playbook can be created to help the IRT respond quickly and effectively.
Being prepared can make a significant difference in the way organizations deal with critical situations when they occur. Our Professional Services team can guide companies as they develop an Incident Response Team as part of their overall security program. If you are getting serious about your organization’s security and want to learn more, you won’t want to miss our on-demand webinar about benchmarking your security maturity. You can also set up a time to speak to one of our experts to discuss your data security and business continuity plans.