Incident Response Planning Guideline for 2021


When faced with a real-life cybersecurity threat, few organizations know what steps to take first in order to handle the incident and minimize its impact on the business. Having a well-thought-through cyber security incident response plan (IRP) in place is the only way to get yourself fully prepared for dealing with this kind of situation.


In this article, we’ll tell you in detail how you can build an IRP that perfectly fits the needs of your business.


Why is having an incident response plan so important?


What is an incident response plan?


An incident response plan is a document containing a structured methodology for handling and mitigating the consequences of security incidents, cyber attacks, and data breaches.


Here’s why it’s important to have such a plan:


  • It gives you a clear vision of the assets to be protected.
  • It shows you how to handle a specific event in the most effective way possible.
  • It helps you address the cause of an incident and prevent similar incidents from happening in the future.


An IRP is highly recommended for businesses of any size. When planning an incident response, it’s important to take a multi-tiered approach to secure your organization’s network and assets.


Plus, you always need to balance security with the productivity of your corporate network and deployed systems.


Insident response plan


Here’s a short checklist for building a sample incident response plan:


  • Specify the main incident response requirements that you need to follow, both regulatory (NIST, HIPAA, PCI DSS, etc.) and business-related (response times, recovery strategies, etc.).


  • Conduct a security audit to identify the weaknesses in your company’s network and deployed systems that you can address immediately.


  • Define what a security incident is. Your employees need to know what events are considered security incidents, how to define their severity, etc.


  • Name responsible people who will be in charge during an incident and decide what parties need to be informed and involved in handling an incident.


  • Include a comprehensive communication plan. Your IRP must specify who to call first in case of an incident, when to call them, and who to contact if they’re unavailable.


  • Make a short list of security incidents your organization is most likely to face or has faced in the past. Plan procedures to address these incidents. Then expand the scope of covered security incidents little by little.


  • Add various options to your IRP: levels of possible data breaches, levels of incident severity, types of affected endpoints, etc.


  • Plan recovery scenarios. Incorporate backup solutions and specify system restoration and data recovery procedures that should be followed in the event of a security incident.


  • Report to proper authorities. Include a list of authorities that should be notified in the event of a specific incident. For instance, GDPR and California’s SB1386 require issuing a public notification in case of a data breach.


  • Improve your IRP based on previous incidents. Once you’ve handled an incident, analyze it in depth to update your current IRP with more effective response strategies, procedures, and scenarios.


Now, let’s see how you can build a fitting IRP for your organization. We’ll start with choosing a guideline to follow when figuring out how to respond to a potential security incident.


NIST as a guideline for building an incident response program


While there are a lot of guidelines and ready-to-use cyber incident response plan templates, not all of them are applicable to all kinds of organizations.


Insident response plan guide


Creating an incident response program from scratch is just as challenging as building an insider threat program. For every organization, the choice of the most effective incident response scenario will depend on the specific IT environment, the threats the organization faces, and their business needs.


However, the National Institute of Standards and Technology (NIST) provides a series of guides that every organization can use as a baseline for building their incident response program.


In particular, you can follow the recommendations of the Computer Security Incident Handling Guide, 800-61 Revision 2 to manage a potential cybersecurity incident in the most effective way possible.


According to NIST, an incident response plan should include four main phases:


  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity


Each phase includes a number of steps an organization should consider adding to their IRP. Let’s look closer at these phases.




An organization should be ready to deal with a cybersecurity incident before it actually happens and plan all necessary response procedures in advance. The preparation phase also includes planning what to do to prevent a data breach or attack from happening in the first place.


Detection and analysis


An organization must be able to detect cyber incidents and have tools and technologies in place to collect, document, and analyze data relevant to the incident. To make this task a bit easier for you, NIST specifies eight attack vectors (see below) and lists the most common signs of a cybersecurity incident.


When required, an organization should also be able to prioritize an incident according to its impact and recoverability and then notify the proper authorities about the breach.


Containment, eradication, and recovery


An organization must be able to effectively handle an attack, remove the threat, and start recovering affected systems and data.


At this phase, it’s also important to gather evidence about the incident to use later both for resolving the incident and in legal proceedings.


Post-incident activity


After effectively handling a security incident, an organization should use the information learned from the incident to improve its current IRP.


The best thing about the NIST cybersecurity framework is that it’s both flexible and adaptive, so it can be efficiently implemented by large enterprises as well as small businesses. Let’s see how to build a NIST-compliant IRP for your organization.

Learn more about: Cyber Security Incident Investigation

Tips for implementing a NIST-compliant incident response plan


NIST provides quite a detailed guide to building an effective IRP. The main problem here is that there’s so much information that you may find yourself lost in recommendations.


Below, we list five must-do steps to make sure that your incident response program meets both NIST requirements and your company’s needs.


1) Establish a cybersecurity incident response team


Or at least choose responsible personnel.


No matter the size of your organization or the field you work in, the first thing to do when planning an IRP is to create a cybersecurity incident response team (CIRT).


A CIRT is responsible for coordinating key resources and team members during a security incident so the impact of an attack is minimized and all operations are restored as quickly as possible.


The main functions of the CIRT are to:


  • Define incident response policies and procedures
  • Handle cybersecurity incidents in a timely manner
  • Investigate and analyze previous incidents
  • Create an incident reporting capability and establish necessary communications
  • Train staff and raise awareness about cybersecurity threats and their mitigation
  • Improve the current incident response program


The number of members of your CIRT depends on the size of the company, its potential data loss, and its geographic reach. However, make sure to appoint a team leader who will be in charge of responding to and handling an incident.


Pay special attention to CIRT training: each CIRT member should know key cybersecurity policies and procedures of your organization as well as their specific responsibilities in case of an attack.


2) Plan all procedures in advance


Planning ahead is vital.


Should a cybersecurity incident take place, your CIRT needs to know exactly what to do to handle it with minimal losses. However, you need to not only compose but also battle-test your computer security incident response plan before any real-life incident occurs.


There are four main tasks your CIRT needs to accomplish at the planning stage:


  • Define a security incident
  • Define the most probable attack vectors
  • Prioritize incidents
  • Create standard incident response procedures for different incidents


First, you need to determine what events can be considered cybersecurity incidents. Then, create an incident response plan for each type of potential incident.


In its Computer Security Incident Handling Guide, NIST specifies a list of attack vectors and suggests developing a common incident response scenario for incidents that use the same attack vector.


This list of attack vectors includes:


  • External or removable media (for instance, an infected USB device)
  • Attrition (brute-force attacks)
  • Web (attacks executed from a web application)
  • Email attacks (emails with a link to a malicious website)
  • Impersonation (spoofing and man-in-the-middle attacks)
  • Improper usage (access misuse)
  • Loss or theft of equipment (a lost corporate laptop or authorization token)
  • Other (all other attacks)


Next, prioritize possible threats and attacks based on their impact. After all, there’s no sense wasting time on managing minor attacks when a larger breach remains unaddressed.


NIST offers three impact-based criteria for determining the priority of an incident:


Cybersecurity incident impact


1. Functional impact determines the impact a particular incident has on business operations.


There are four levels of functional impact:


  • None
  • Low
  • Medium
  • High


If an organization faces an incident with low functional impact, its systems are largely unaffected. Incidents with high functional impact, on the other hand, cause the organization to fail to provide at least one critical service to all users.


2. Information impact depends on the importance and sensitivity of the information that was leaked during the incident.


Information impact also has four categories:


  • None, when no data was leaked
  • Privacy breach, when sensitive personally identifiable information was leaked
  • Proprietary breach, when there was possible compromise of trade secrets
  • Integrity loss, when data was possibly altered


3. Recoverability impact depends on the number of resources an organization needs in order to fully recover from the incident.


Recoverability impact has four levels as well:


  • Regular, when no additional resources are required
  • Supplemented, when additional resources are required but the organization can predict the overall recovery time
  • Extended, when the recovery time can’t be predicted
  • Not recoverable, when the organization is unable to recover from the incident


This three-tiered approach is flexible enough to be adopted by any organization.


Once all the classification work is done, it’s time to start planning standard procedures for responding to different categories of cybersecurity incidents. Consider building containment strategies and standard operating procedures (SOPs) for the most common types of events such as system failures, denial of service, intrusion, and spyware infection.


In an SOP, specify the technical processes, techniques, checklists, and forms to be used by the CIRT in the event of a particular incident.


For further guidance on establishing proper response procedures, you can use NIST Special Publication 800-86, Guide to Integrating Forensic Techniques Into Incident Response.


3) Monitor user and network activity


If you can see it, you can manage it.


One of the best ways to prevent a potential attack is by monitoring everything that happens on your network. Consider deploying a user activity monitoring solution to address the problem of insider threats and subcontractor-related security risks.


By keeping an eye on the activity of individual users and activity on your network, you can:


  • Detect and terminate an attack at an early stage
  • Collect evidence and valuable data for further analysis


To move even further, you can implement a solution with behavioral user monitoring functionality. Using AI-powered technologies, such solutions can detect anomalies and deviations from baseline user behavior within the monitored infrastructure.


When choosing the right user activity monitoring solution, look for one that also has a flexible incident response system on board. Being able to set custom real-time alerts and automate at least some of the SOPs will help you ensure timely response to cybersecurity incidents.


4) Take care of backups and recovery strategies


No one wants to lose valuable data.


Recovery from cybersecurity incidents


A recovery strategy is a key part of any IT incident response plan.


Just like with handling an incident, it’s better to think about recovering from an incident before any breach actually happens and compose detailed examples of data recovery procedures for different scenarios.


You can start with determining what data is most valuable to your business and take additional care about its protection. This will let you know what to focus on in the event of a real-life cybersecurity incident: what data you’ll need immediately and what assets can be restored the next day or even the next week without causing any damage to the business.


There are two major tasks for your CIRT to keep in mind regarding the organization’s recovery from a cybersecurity attack or data breach:


1. Data recovery. It will be difficult to quickly counter a cybersecurity incident without a backup system in place. Deploying a data loss prevention tool and creating backups will help you safely restore all business-critical information if your organization faces a cybersecurity incident.


For better protection of your critical data, choose a hybrid backup solution combining on-premises and cloud-based services. Also, consider limiting access to sensitive data by deploying an identity and access management solution.


And if a security incident does happen, make sure to back up the affected systems so you can preserve their current state for forensics.


2. Service restoration. The following two steps are critical for restoring your organization’s systems to normal operation after an incident:


  • Check your network to confirm that all systems are operational.
  • Recertify as operational any systems or components that might have been affected during an incident.


You may also need to reset passwords for the users of breached accounts and block accounts and backdoors that potentially enabled the intrusion.


5) Update your incident response plan constantly


There’s always room for improvement.


According to NIST, organizations should review their incident response plans at least once a year. However, given the constant appearance of new cybersecurity threats, it would be wiser to check and update this document more frequently, especially for larger companies.


Whenever your business faces a significant change, be it entering a new sphere or changing internal infrastructure, these changes should be mirrored in your IRP.


When updating your IRP, pay special attention to:


  • New attack vectors and security threats relevant to your business
  • The latest updates and changes to your local and industry cybersecurity regulations
  • Incident handling procedures and solutions that can be improved
  • Lessons learned from previous attacks and breaches


For instance, if your organization is a potential target for a new cybersecurity threat, it’s important to prepare an adequate incident response scenario for this type of attack. Plan, test, and document all procedures and recovery tools related to the new threat.


Examining the way real-life incidents have been handled in your organization is also important. Such analysis can show you if your current strategy is good and what can be done to prevent such incidents from happening again.

Real-time incident response with Ekran System


Ekran System provides you with everything you need to respond to user-based insider threats effectively and in a timely manner.


Using our platform, you can:


  • Monitor the activity of employees and third-party vendors
  • Set custom alerts and notifications
  • Terminate suspicious sessions and kill processes
  • Block USB devices of a restricted type
  • Block users upon specific events


Ekran System helps you meet the requirements of the most important IT compliance regulations, including NIST, NISPOM, HIPAA, and PCI DSS.


In addition, you can get detailed activity reports and export audit data in a forensic format.




Having an incident response plan is crucial for organizations and businesses of any size.


While there are ready-to-use incident response plan templates, it’s more beneficial for a company to build a customized incident response plan that reflects their specific requirements.


To make this process a bit easier, organizations can use common security standards and popular guidelines such as those provided by NIST.


When building an incident response plan in accordance with NIST requirements, an organization should cover four major phases:


  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity


Within each of these phases, a set of tools and procedures for handling a specific attack vector or specific security issues should be specified.


Ekran System offers a rich set of incident response capabilities, from real-time alerts and notifications to proactive manual and automated incident response tools.