My 7 Step Incident Response Plan Checklist
You don’t want to be unprepared for a cyber attack. If you’re worried about the possibility of an incident, follow this incident response checklist to minimize damage and get back up quickly after your site or network is taken down.
- Ownership and Responsibility – The first step in creating a good incident response plan is to determine the people and teams that will be responsible for making and executing it. This includes identifying and training your team on the plan, tools, and technology in place. The plan should also be updated if there are any changes in your organization. It’s a good idea to consult with executives and other senior staff when you create the plan.
- Roles and Contacts – In the case of a cyberattack, a business can expect a lot of people to be affected. These people include the C-suite and other executives, legal, HR, finance, marketing and sales. Businesses need to make sure that these groups know how they will be affected by a cyberattack and what their roles will be in recovering from it.
- Communication Methods and Contact List – During an incident, you may have no access to email or the phone. To ensure proper and timely communication with customers and employees during a crisis, you need to have contact details and alternative methods of communication prepared. You also need to make sure everyone knows what information will be communicated to whom and when.
- Recording and Identifying – Once an issue has occurred, you must document everything, with timestamps in a single agreed time zone so that accounts from different teams can be lined up. When did it occur? Who noticed it first? What steps did the security and IT teams take in response? What was the type of incident? Was it confirmed as an actual incident, or ruled a false positive?
- Threat Containment – It is vital that you contain the threat and stop the attack from spreading, for example by isolating affected hosts and revoking compromised credentials. Containment matters for two reasons: it limits the damage, and it preserves the affected systems so you can work out how the attack happened. If you do not contain the threat, it keeps spreading, and the trail back to where it originated gets harder to follow. Scoping is part of this step. If you have a major breach, you must know exactly which systems were touched and how many people were affected.
- Eradication and Recovery – Once the threat is contained, the next step is to remove it and restore your systems and software to a known-good state. Before anything is wiped or reimaged, security and IT teams should collect and preserve evidence for digital forensics: logs, memory captures, audit records, network traffic and disk images, each hashed at the time of collection so that its integrity can be proven later. Only then should you patch systems, remove malicious code and restore data from trusted backups.
- Lessons Learned – It’s important to reflect on the cyber-incident. What went well? What can be improved? Taking the time to carefully reflect on the incident will help you better prepare for the next one. Learning from the incident will also spark change within your organization, allowing it to further invest in security training and technology, thereby improving its security posture.
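The record-keeping and evidence-handling parts of steps 4 through 6 above can be made concrete in code. The following is an added example, not part of the original checklist: a minimal incident record that keeps a timestamped timeline, marks whether the event was confirmed, and hashes each collected artifact with SHA-256 so that any later change (tampering, or eradication overwriting a log before it was preserved) is detected on verification. The incident ID, host names, IP addresses and artifact contents are constructed for the demo.

```python
"""Incident record with a timestamped timeline and a hashed evidence manifest.

Added example. All identifiers, hosts, addresses and artifact contents below
are constructed for illustration and do not refer to any real incident.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def now_iso():
    # Use UTC so timelines written by different teams can be lined up.
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path, chunk=1 << 20):
    # Stream the file so large memory dumps and disk images hash without
    # being loaded fully into memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class IncidentRecord:
    """Who noticed what, when, what was done, and what evidence was taken."""

    def __init__(self, incident_id, reported_by, summary):
        self.incident_id = incident_id
        self.reported_by = reported_by
        self.summary = summary
        self.confirmed = None      # None until triage decides
        self.timeline = []         # list of {"at", "actor", "action"}
        self.evidence = {}         # path -> {"sha256", "size", "collected_at"}

    def log(self, actor, action):
        self.timeline.append({"at": now_iso(), "actor": actor, "action": action})

    def confirm(self, is_incident):
        self.confirmed = is_incident
        self.log("triage", "confirmed as incident" if is_incident else "ruled false positive")

    def collect(self, path):
        # Hash at collection time; verify() later proves the artifact is unchanged.
        digest = sha256_file(path)
        self.evidence[path] = {"sha256": digest, "size": os.path.getsize(path),
                               "collected_at": now_iso()}
        self.log("forensics", "collected %s sha256=%s" % (os.path.basename(path), digest[:12]))
        return digest

    def verify(self):
        """Re-hash every artifact; return the paths whose hash no longer matches."""
        return [p for p, meta in self.evidence.items() if sha256_file(p) != meta["sha256"]]

    def to_json(self):
        return json.dumps(self.__dict__, indent=2, sort_keys=True)


def demo(workdir):
    """Build a record from constructed artifacts in workdir; return (record, tampered)."""
    artifacts = {  # constructed sample evidence
        "auth.log": b"Mar 3 02:14:07 web01 sshd[4410]: Accepted password for root from 203.0.113.9\n",
        "netflow.csv": b"ts,src,dst,bytes\n1709432047,10.0.0.5,203.0.113.9,48213990\n",
        "mem.dump": os.urandom(4096),
    }
    paths = {}
    for name, data in artifacts.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(data)
        paths[name] = p

    rec = IncidentRecord("IR-2024-0042", "soc-analyst", "suspicious root login on web01")
    rec.log("soc-analyst", "alert observed in SIEM")
    rec.confirm(True)
    for p in paths.values():
        rec.collect(p)                       # evidence taken before any cleanup
    rec.log("it-ops", "web01 isolated from network (containment)")

    # Simulate a log being modified after collection, e.g. by eradication
    # or by the attacker. verify() must flag exactly this file.
    with open(paths["auth.log"], "ab") as f:
        f.write(b"tampered\n")
    return rec, rec.verify()


def run_demo():
    """Run demo() in a throwaway directory and return its result."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    record, tampered = run_demo()
    print(record.to_json())
    print("integrity failures:", tampered)
```

The manifest is the minimum needed for chain of custody: a hash and a collection time per artifact, stored separately from the artifacts themselves. In practice the JSON record would be written to storage the attacker cannot reach and signed or hashed again so the manifest itself cannot be quietly edited.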