{"id":1434,"date":"2018-04-06T14:18:53","date_gmt":"2018-04-06T18:18:53","guid":{"rendered":"https:\/\/solutionsreview.com\/security-information-event-management\/?p=1434"},"modified":"2019-06-24T12:20:51","modified_gmt":"2019-06-24T16:20:51","slug":"key-components-successful-incident-response-plan","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/","title":{"rendered":"Key Components to a Successful Incident Response Plan"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-1435\" src=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg\" alt=\"incident response plan key components\" width=\"800\" height=\"400\" srcset=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg 800w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod-300x150.jpg 300w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod-768x384.jpg 768w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod-540x270.jpg 540w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod-162x81.jpg 162w, https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod-360x180.jpg 360w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">We\u2019ve written before about the importance of having an <a href=\"https:\/\/solutionsreview.com\/endpoint-security\/safeguard-enterprise-incident-response-plan-irp\/\" target=\"_blank\" rel=\"noopener noreferrer\">incident response plan (IRP)<\/a> for your 
enterprise. An incident response plan is a set of procedures your enterprise and IT security team will follow when a data breach or security event inevitably strikes. And make no mistake, a data breach is coming for your business, regardless of the size of your enterprise or the industry you operate in. Being prepared is a must, even if you have a <a href=\"https:\/\/solutionsreview.com\/security-information-event-management\/1122-2\/\" target=\"_blank\" rel=\"noopener noreferrer\">SIEM solution<\/a>.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">But what makes a good IRP? What should your IRP contain? Running around in a blind panic will not result in a tidy or speedy resolution. Here are the key components of a successful enterprise incident response plan:<\/span><\/p>\n<h3 style=\"text-align: justify\"><b>Incident Response Plan Practice Makes Perfect<\/b><\/h3>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Regardless of the specific details of your incident response plan, the plan itself is only half the equation for success. Your enterprise and your incident response team (more on that in a moment) need to practice the procedures laid out in your IRP so that they&#8217;re prepared for an actual security event. Employees outside the IT security team need to know where to report a potential cybersecurity threat and to do so promptly. 
The incident response team, in turn, needs to know how to respond to a potential threat when the alert arrives.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Practice also allows you to evaluate where your incident response plan is strongest and weakest, and therefore where reinforcement is necessary. Make sure regular practice sessions are incorporated into your IRP.<\/span><\/p>\n<h3 style=\"text-align: justify\"><b>The Chain of Command in Your Incident Response Team<\/b><\/h3>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Quick! A security breach is happening! Your IT team leader is evaluating the situation and directing the response! Wait, no! The CISO needs the team to deal with the threat differently! Wait! Drop everything! The CTO has come in and is barking orders!<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">This happens far, far too often in too many enterprises: they have an incident response plan but lack a proper chain of command in their IRP. Without clear leadership, your enterprise&#8217;s response will collapse into confusion, wasted time, and more damage. Every solid plan needs a clearly delineated incident chief (ideally someone with experience in crisis management) and a clear chain of command flowing from them so communications remain clear throughout the incident and its aftermath.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">An outlined incident response plan should also specify who is on the incident response team. These team members should know their roles and responsibilities during a cybersecurity incident and how they relate to other team members in the IRP hierarchy, and should have clear procedures for how to perform their responsibilities. 
<\/span><\/p>\n<h3 style=\"text-align: justify\"><b>Procedures and Plans that Fit Your Enterprise\u2019s Needs<\/b><\/h3>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">A well-designed incident response plan should have procedures for the actual handling of the security event that fit best for your enterprise. The IRP should contain information about the most common threats your enterprise will likely face and the currently deployed cybersecurity protocols and protections that deal with those threats. It should also have procedures that work within these protocols, as well as processes to recognize if they\u2019ve been compromised. <\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Additionally, your enterprise&#8217;s IRP should have procedures for gathering information and threat identification (where the breach came from, what parts of the network it\u2019s affecting, if it\u2019s a false positive, etc.) and appropriate containment procedures. <\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">An incident doesn\u2019t end once the breach is contained either. The threat needs to be removed from your enterprise\u2019s network, the security hole that allowed the breach in needs to be closed, and the damage needs to be assessed. Having the processes for these steps clearly explained are also vital to a well-rounded incident response plan. <\/span><\/p>\n<h3 style=\"text-align: justify\"><b>Honesty is the Best Policy<\/b><\/h3>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Every IRP should have external communication policies that are clear, immediate, and consistent for alerting your customers, relevant regulatory bodies, and investors of a cybersecurity event. 
Your enterprise\u2019s IRP should identify who needs to be contacted in the wake of the breach, with specific caveats depending on what kind of breach occurred and what was affected, as well as who should contact them and how. These communications should follow industry and government regulatory mandates depending on the location of your enterprise (individual U.S. states have their own laws, enterprises dealing with the EU should prepare for <a href=\"https:\/\/solutionsreview.com\/security-information-event-management\/numbers-gdpr-data-management-2\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR<\/a>, etc.).<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Above all, these communications must be <a href=\"https:\/\/searchsecurity.techtarget.com\/news\/4500246224\/Security-ethics-survey-shows-honesty-is-a-tricky-business\" target=\"_blank\" rel=\"noopener noreferrer\">honest<\/a>. Your enterprise doesn\u2019t need to share every detail of a breach, especially if you believe it is still ongoing, but you need to provide enough information to consumers and investors to ensure they&#8217;re adequately informed for their safety. Your IRP should not push your external communicators toward rash denials or statements that downplay the breach. Such actions will only harm your enterprise\u2019s reputation in the long run. Instead, your IRP should mandate professional and honest language.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Cybersecurity does not begin and end with your SIEM solution. You need to be a participant in keeping your data safe&#8230;and being ready to respond when the worst happens is part of that.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve written before about the importance of having an incident response plan (IRP) for your enterprise. 
An incident response plan is a set of procedures your enterprise and IT security team will follow when a data breach or security event inevitably strikes. And make no mistake, a data breach is coming for your business, regardless [&hellip;]<\/p>\n","protected":false},"author":41,"featured_media":1435,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[551],"tags":[353,95,145,112,22],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Key Components to a Successful Incident Response Plan<\/title>\n<meta name=\"description\" content=\"What makes a good incident response plan? What should it contain? Running around in a blind panic will not result in a tidy and speedy resolution.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Key Components to a Successful Incident Response Plan\" \/>\n<meta property=\"og:description\" content=\"What makes a good incident response plan? What should it contain? 
Running around in a blind panic will not result in a tidy and speedy resolution.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/\" \/>\n<meta property=\"og:site_name\" content=\"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors\" \/>\n<meta property=\"article:published_time\" content=\"2018-04-06T18:18:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-06-24T16:20:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ben Canner\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ben Canner\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/\",\"name\":\"Key Components to a Successful Incident Response Plan\",\"isPartOf\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg\",\"datePublished\":\"2018-04-06T18:18:53+00:00\",\"dateModified\":\"2019-06-24T16:20:51+00:00\",\"author\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541\"},\"description\":\"What makes a good incident response plan? What should your it contain? 
Running around in a blind panic will not result in a tidy and speedy resolution.\",\"breadcrumb\":{\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#primaryimage\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg\",\"contentUrl\":\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg\",\"width\":800,\"height\":400,\"caption\":\"The 4 Leaders in the Gartner Integrated Risk Management (IRM) MQ\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/solutionsreview.com\/security-information-event-management\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Key Components to a Successful Incident Response Plan\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#website\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/\",\"name\":\"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors\",\"description\":\"Buyer&#039;s Guide and Best 
Practices\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/solutionsreview.com\/security-information-event-management\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541\",\"name\":\"Ben Canner\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g\",\"caption\":\"Ben Canner\"},\"description\":\"Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.\",\"url\":\"https:\/\/solutionsreview.com\/security-information-event-management\/author\/bcanner\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Key Components to a Successful Incident Response Plan","description":"What makes a good incident response plan? What should your it contain? 
Running around in a blind panic will not result in a tidy and speedy resolution.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/","og_locale":"en_US","og_type":"article","og_title":"Key Components to a Successful Incident Response Plan","og_description":"What makes a good incident response plan? What should it contain? Running around in a blind panic will not result in a tidy and speedy resolution.","og_url":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/","og_site_name":"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors","article_published_time":"2018-04-06T18:18:53+00:00","article_modified_time":"2019-06-24T16:20:51+00:00","og_image":[{"width":800,"height":400,"url":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg","type":"image\/jpeg"}],"author":"Ben Canner","twitter_misc":{"Written by":"Ben Canner","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/","url":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/","name":"Key Components to a Successful Incident Response Plan","isPartOf":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#website"},"primaryImageOfPage":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#primaryimage"},"image":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#primaryimage"},"thumbnailUrl":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg","datePublished":"2018-04-06T18:18:53+00:00","dateModified":"2019-06-24T16:20:51+00:00","author":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541"},"description":"What makes a good incident response plan? What should it contain? 
Running around in a blind panic will not result in a tidy and speedy resolution.","breadcrumb":{"@id":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#primaryimage","url":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg","contentUrl":"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/04\/incident-response-mod.jpg","width":800,"height":400,"caption":"The 4 Leaders in the Gartner Integrated Risk Management (IRM) MQ"},{"@type":"BreadcrumbList","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/key-components-successful-incident-response-plan\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/solutionsreview.com\/security-information-event-management\/"},{"@type":"ListItem","position":2,"name":"Key Components to a Successful Incident Response Plan"}]},{"@type":"WebSite","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#website","url":"https:\/\/solutionsreview.com\/security-information-event-management\/","name":"Best Information Security SIEM Tools, Software, Solutions &amp; Vendors","description":"Buyer&#039;s Guide and Best 
Practices","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/solutionsreview.com\/security-information-event-management\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541","name":"Ben Canner","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/security-information-event-management\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g","caption":"Ben Canner"},"description":"Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. 
You can reach him via Twitter and LinkedIn.","url":"https:\/\/solutionsreview.com\/security-information-event-management\/author\/bcanner\/"}]}},"_links":{"self":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/posts\/1434"}],"collection":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/comments?post=1434"}],"version-history":[{"count":0,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/posts\/1434\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/media\/1435"}],"wp:attachment":[{"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/media?parent=1434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/categories?post=1434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solutionsreview.com\/security-information-event-management\/wp-json\/wp\/v2\/tags?post=1434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}