It's important to have an incident response plan in addition to your regular disaster recovery plan. Incidents are situations that could turn into a disaster if not handled properly, and are often the first step in detecting a disaster. When an out-of-normal condition in your organization occurs, it must be acknowledged as quickly as possible, assessed as to its nature and severity, and some sort of response initiated.
When considering whether the situation is an incident or a disaster, a good rule of thumb is to assess the severity of the event and the likelihood of it ending quickly. An incident may be defined as an event that may be, or may lead to, a business interruption, disruption, loss and/or crisis. For example, an incident could be something as simple as a leaky pipe, but if the pipe bursts, the situation can quickly escalate into a disaster. Introduction of a virus into a network would initially be treated as an incident, as the assumption is that it will be addressed quickly through various software tools and security techniques. However, if the virus proves to be a major denial of service attack, the incident quickly becomes a disaster because the business could be totally disrupted.
INCIDENT RESPONSE PLAN TEMPLATE FOR DISASTER RECOVERY PLANNERS: TABLE OF CONTENTS
Incident response plans are sometimes called incident management plans or emergency management plans. Either term is acceptable, so long as the plan's composition is consistent with good incident response practice. An incident response plan establishes the recommended organization, actions, and procedures needed to:
- Recognize and respond to an incident;
- Assess the situation quickly and effectively;
- Notify the appropriate individuals and organizations about the incident;
- Organize the company's response activities, including activating a command center;
- Escalate the company's response efforts based on the severity of the incident; and
- Support the business recovery efforts being made in the aftermath of the incident.
In practice, incident response plans minimize the operational and financial impacts of potential disasters and are typically activated when a local incident manager (or someone else suitably trained) determines that an incident (or out-of-normal condition) has occurred. Incident response plans typically precede more detailed activities, such as disaster recovery and business continuity plans. If we look at a typical timeline for a disaster (below), we see that incident management/incident response plans are the "first response" and typically are the links to subsequent business recovery actions.
Good business continuity practice, as espoused by organizations like the Business Continuity Institute and DRI International, includes incident response planning as a key part of the overall business continuity management process. A well-organized incident response team with a detailed incident response plan can help mitigate the potential impact of unplanned situations. Quick response, coupled with well-rehearsed actions, can often save an organization from invoking more complex and costly disaster recovery and business continuity plans. In many cases, the incident response effort can help the company quickly return to normal.
But there will be situations where the severity of an incident is beyond the capabilities of an incident response team. In these scenarios, the incident response team will relay the information they know to emergency management teams and first responder organizations (e.g., police, fire) to try and resolve the incident. If the situation causes physical damage to a building or causes severe damage to critical business systems, then the staff will relocate to an alternate location and BC/DR plans should be activated.
Here are some key points to keep in mind when forming an incident response plan:
- Senior management support is essential. Without senior management support, you won't be able to formulate a good incident management plan and secure a well-trained team to respond to incidents.
- Keep the plan simple. A well-organized, step-by-step incident response plan with relevant information at your fingertips will help you get through most incidents.
- Communicate regularly on the incident status. Provide the relevant facts as they are available, disseminate them quickly, follow up regularly, keep relevant parties informed and resolve incorrect information.
- Review and test. Once an incident response plan is complete, review and exercise it to ensure that the documented procedures make sense and the team is equipped to respond according to the plan.
- Be flexible. An incident response plan should have built-in flexibility to adapt to a variety of situations; this includes who is on the team and access to resources to mitigate the incident.
This incident response plan template provides a useful starting point for developing your own incident response plan. Be sure to review it with various internal organizations, such as facilities management, legal, risk management, and key operational units. Also, if possible, have local first responder organizations review the incident response plan. Their suggestions should prove valuable and will increase the success of your incident response plan.
Lastly, developing an incident response plan involves company management and a proactive policy regarding business continuity and disaster recovery. Keys to success include step-by-step incident response procedures, staff trained in incident response, pre-written forms for damage assessment and incident assessment, regular plan reviews and exercises, and maintenance of the plan and its various components.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements, including governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor, is the secretary of the Business Continuity Institute USA chapter, and can be reached at firstname.lastname@example.org.