Creating a Cyber Security Incident Response Plan


The possibility exists that your organization at some point may be the target of a cyber-attack. To help mitigate damage and get systems back online as quickly as possible, it is necessary to have a strong incident response plan. Having a plan in place ahead of an attack can both save time and reduce the amount of damage incurred from a cyber-attack. An incident response plan may provide specific details about how to identify vulnerabilities in an organization's network and what can be done to fix them. The plan may also identify the types of threats that an organization might face, the best ways of handling them, and who will handle which tasks in responding to an attack. Cambridge College of Healthcare & Technology offers specialized programs in Cyber and Network Security that provide the skills needed to determine the best ways to prepare for and respond to incidents. This post will take us through some of the basic steps for creating a strong incident response plan.

There are generally six basic steps to creating an incident response plan. These steps are prepare, detect/identify, contain, eradicate, recover and review. This information is based on the incident handling steps as outlined in the NIST Computer Security Incident Handling Guide.

Prepare

  • Create a security policy and get it approved
  • Recruit members for a security team 
  • Assign individuals to specific tasks in the incident response and provide adequate training
  • Establish communication channels so individuals know who to contact and how when an incident occurs

Detect/Identify

  • Identify where a breach happened and when
  • Alert security response team
  • Determine the impact of the breach
  • Create a logbook and start recording all incident details
  • Contact local authorities if necessary

Contain

  • Gather evidence about the attack 
  • Determine what has been compromised 
  • Disconnect affected systems and devices
  • Re-route network traffic 
  • Identify attacker(s)

Eradicate

  • Find and eliminate the root cause of the incident
  • Remove all malware that may have been installed
  • Document the steps taken to eradicate the threat
  • Disable any accounts that might have been breached
  • Update software and patch all vulnerable points of access

Recover

  • Restore systems with backed up information if needed
  • Return systems to normal operations – monitor and test to make sure security measures are working 
  • Assess the nature of the breach and create a detailed analysis  
  • Update security plan as needed 

Review

  • Complete full documentation of the incident from start to finish
  • Determine what went well and what did not
  • Use the knowledge gained from the incident to improve security processes and train staff
  • Meet with the incident response team and stakeholders to strengthen the incident response plan and be more prepared for the next breach

Learn More

To learn more about incident planning and the steps required to mitigate threats, check out the Cyber and Network Security programs at Cambridge College of Healthcare & Technology. Cambridge currently offers three options for students, with additional programs to be added soon, to gain the knowledge and skills that will allow them to enter the exciting world of cyber security. Check out what we have to offer by visiting the Cambridge College website today.