An incident management plan (IMP), sometimes called an incident response plan or emergency management plan, is a document that helps an organization return to normal as quickly as possible following an unplanned event. An IMP can identify weaknesses in a business, mitigate the impact of a variety of situations, and limit damage to an organization's reputation, finances and operations.
With an increase in security issues such as ransomware attacks and data breaches, it's important for any business to have a plan to manage recovery. Instead of simply reacting to a situation, being proactive and having an incident management plan could make or break the effectiveness of the response. Incident management may be part of an organization's overall business continuity management.
Restoration of service may be just a temporary fix at first, depending on the severity of the situation.
An incident management plan is used for:
- recognizing an incident,
- quickly assessing the situation,
- notifying people affected,
- organizing the response and
- Documenting how to recover.
Understanding the incident management process
To aid incident management, the planning process features several components.
- Gathering contact information
- Drawing up a clear, well-defined template for each response
- Training for the incident management team
- Continual testing of the plan -- including tabletop discussions and in-depth operational exercises -- so everyone has a general idea of how to respond to given incidents; testing should also include a variety of threat situations.
- Reporting on how well the plan works
- Updating the plan to correct errors and improve upon weaknesses
It is important to categorize incidents using characteristics such as cause, severity and who is affected. Minor incidents can include a malfunctioning program, a password reset and running out of disk space. Major incidents can range from a security incident such as a data breach, to ransomware and a denial-of-service attack.
However, an incident management plan should not be so specific that it becomes too difficult for an organization to adapt it to different situations. The plan should provide more of a framework than specific steps. Having an outside source, such as a local first responder, review the plan is also helpful.
Once an unplanned event has occurred, the first step is to activate the IMP so the incident management team can analyze the situation. This enables the organization to devote the proper amount of time and resources to recovery. It also helps with future planning and in preventing the same incident from happening again.
There will be times when the severity of an event is beyond the scope of the incident management team. When this happens, the team must immediately contact the proper group, such as first responders.
Who's on an incident response team?
According to Ready.gov, a website of the U.S. Department of Homeland Security, an incident response team's roles include safety, liaison, public information, operations and planning.
A proper incident response team has a leader who can take charge following an unplanned event. That person, sometimes called the incident commander, knows the incident management plan, activates it when necessary and designates tasks for recovery. The team leader is the point person for all communications and decides when to end the incident response. After the incident, the team leader reviews the effectiveness of the response and reports to senior management.
Incident response team members focused on safety are tasked with identifying potentially dangerous situations, while the operations team ensures the organization follows the plan's actions correctly. The team should have a liaison who deals with outside organizations and another member who specifically handles media.
According to Ready.gov, an incident response team should also include members who handle logistics and financials.
Incident management plans vs. business continuity plans
The activation of an incident management plan typically precedes the more detailed process of launching a business continuity plan (BCP). Incident management is often the first response activity following an unplanned event. Sometimes an organization will not have to go to the more complicated and expensive BCP, especially if the incident management is achieved quickly and efficiently.
A BCP consists of critical information an organization requires to continue operation following an incident, and is much more detailed than an incident management plan. The BCP includes such items as contact information, which systems must be sustained, emergency response and management activities, and step-by-step procedures. It should take any possible business disruption into account.
Both an incident management plan and a BCP should be continually tested, reviewed and updated.
Incident management tools
An automated incident management system provides organizations with additional help. For example, a monitoring tool could pinpoint a problem before an IT staff member does, then send out an alert.
Some organizations rely more heavily on automated incident management systems. Advanced automation decreases the risk of human error and frees up IT staff. While this approach is not feasible for all organizations, most would benefit from a combination of automated and human involvement.
Service desk systems, such as Zendesk, embed incident management tools. Other vendors, such as SolarWinds and ServiceNow, go a step further and provide full incident resolution.
An incident management tool should understand the organization's architecture. Following an incident, the tool should provide a report on the procedures and results.