Incident Management Plan – Should you have one?
For the purpose of this article, a security incident refers to the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations, in an information system. A security incident also includes the loss of data through theft or device misplacement, the loss or misplacement of hardcopy documents, and the misrouting of mail, all of which have the potential to put data at risk of unauthorized access, use, disclosure, modification or destruction. This definition provides the foundation of a good incident management program. An incident management program should have the following components.
Defined roles and responsibilities – Defining the roles and responsibilities of everyone on the team who would be involved in responding to an incident is important. Incidents come in different shapes and sizes, and may require different responses from different team members. To prepare for the different types of incidents that can occur, teams should conduct tabletop and/or real-world exercises so that team members understand how they should respond to the various incidents that may occur.
Communication – Ensuring an effective communication plan is a key part of any incident management program. The plan should contain both internal and external contacts. Communicate early: quickly acknowledge the issue, briefly summarize the known impact, promise further updates and, if you are able, alleviate any concerns about security or data loss. Team members should remember the following general rules when it comes to communication: communicate often, communicate precisely, stay consistent across channels, and own the problem.
Reporting & Retention – It is important for the end users of an organization to know and understand how to report an incident to the individuals responsible for handling incidents. Without this reporting it can be very hard for IT security teams to know that certain types of incidents have occurred. Depending on the type of business, there may be timeline requirements to report certain types of security incidents to a client or other governing entity. These reporting requirements usually specify a reporting window that starts once an issue is discovered, so it is important to continually work on your firm's ability to detect an issue. Details of a security incident should be retained for at least 7 years, or longer according to your organization's retention policy.
Security incident handling is an important aspect of an IT program. It takes work to maintain and can be very detailed. As the world continues to move towards cyber technologies more and more, it is critical that organizations have an incident management plan.