What Should Your Incident Response Plan Look Like?

Does your company have a strong incident response plan in place?

Typically, companies implement security stacks to help eliminate attacks or problems that may damage or negatively affect their computing environments. But, despite best efforts, it’s almost certain that at some point, something will slip through the defenses and cause an issue.

In the cybersecurity world, these are known as “incidents”.

Every organization, including yours, must prepare for incidents like these.

No security remains foolproof, and eventually, almost every enterprise will find itself dealing with an incident of one kind or another.

As such, a strong incident response plan remains an essential, but sometimes overlooked, part of cybersecurity.

Key Components of an Incident Response Plan

Ideally, you’ll want to develop incident response plans for all business-critical infrastructure elements and applications.

Fortunately, multiple frameworks have been produced to assist organizations in the creation of incident response plans and procedures. While they similarly outline the steps necessary for effective incident response, they differ slightly in defining the components.

One of the most widely used frameworks is from the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce.

Since the NIST is one of the leading bodies in the area, let’s look at the four steps it recommends in its Computer Security Incident Handling Guide.

Preparation

It’s critically important to be prepared for a cybersecurity incident.

Hopefully, you’ll never need to implement your incident response plans, but you’ll be glad they’re in place if the time comes.

Proper preparation is key to successfully handling any problems that arise.

Some of the main tasks you’ll need to address in the preparation phase are:

  • Documenting contact information for individuals who need to be notified that an incident has occurred;
  • Defining an incident reporting mechanism and issue tracking system;
  • Developing recovery procedures for the specific application or infrastructure component affected by the incident;
  • Identifying the tools required for the later detection and analysis stage;
  • Taking proactive steps to prevent incidents including performing risk assessments, hardening security measures, and conducting user awareness training.

Take the right steps now, and you’ll be much better prepared under stressful circumstances.


Detection and Analysis

So, what do you do if you think something’s gone wrong?

Well, if it appears a cybersecurity incident has occurred, detection and analysis are required in preparation for the next step in the process.

Indications that an incident has occurred, or is in progress, include system crashes, unexplained performance degradation, or an inability to connect to your network.

Your teams need to employ the appropriate tools to determine the exact nature of the incident and assess the damage it has caused. The information gathered in this step leads directly to the next part of the procedure.

Containment, Eradication, and Recovery

Once an incident has been detected and analyzed, teams can begin the work of limiting the damage and recovering affected systems.

Generally, this involves three related steps.

  1. Containment: restricts the spread of the incident to other infrastructure elements.

  2. Eradication: eliminates malware, unauthorized users, or other causes of the problem from the computing environment.

  3. Recovery: procedures outlined in the preparation phase are used to restore system availability and integrity.

Post-Incident Activity

Post-incident activity occurs after systems have been successfully recovered and business operations are back to normal.

These activities include:

  1. Reviewing lessons learned related to the cause of the incident, as well as the procedures used to recover from it;

  2. Retaining evidence about the incident, which may be required by regulatory standards;

  3. Recommending security improvements to minimize incidents;

  4. Proposing improvements to the previous three phases of the incident response plan.

Reaching Out for Help for Your Incident Response Plan

So, you know how important an incident response plan is – but how do you know if yours is really as thorough as it should be? After all, there are an awful lot of factors that come into play, and it’s certainly not easy to cover them all.

Fortunately, it’s not a plan you need to create on your own. Help is always within reach.

Blue Bastion, along with our networking division Ideal Integrations, can provide you with the peace of mind and security you’re looking for.

We provide our customers access to an expert team of cybersecurity professionals to help you respond to any security incidents, big or small. And, our team closely follows the methodology outlined in the NIST framework as we work to recover affected systems and applications.

We’ll work with you to develop and test incident response procedures, and implement them if needed. We’ll get your systems back up and running quickly, and provide insight on how you can limit incidents in the future.

Our Incident Response Team gives your company the resources and confidence you need, without the expense of maintaining an in-house group of experts.

Connect with us today, at 412-349-6680, or fill out the form below, and discover how our incident response solution can protect and restore your critical systems whenever you need it.

And, as always, stay vigilant!
