This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is M.K. Palmore.

What is it?

A comprehensive, step-by-step series of actions to be followed by an organization’s computer security incident response team (CSIRT) and business operations personnel following a verified cybersecurity incident to reduce the overall impact of the incident.

Why is it important?

When properly implemented, an incident response plan can help ensure an effective response to security incidents and help mitigate the effects of a potentially serious event. The presence of a well-rehearsed plan has proven to reduce the financial impact of security incidents.

Why does a business professional need to know this?

An incident response plan serves as a cornerstone to effective mitigation and remediation following a breach or other information security (InfoSec) incident. Full implementation, practice, and awareness of the plan help reduce response and recovery times following an incident. The plan provides for pre-breach practice or table-top sessions and outlines the roles and responsibilities of incident handlers and business operations personnel in responding to a security incident.

An incident response plan serves as a major component of the preparation, identification, containment, eradication, recovery, and lessons-learned cycle of incident handling procedures. It can also serve as a vital component of business continuity and disaster response planning. And because the plan is a living document, it can be updated to ensure proper response and alignment with the changing needs of the business.

The incident response plan complements the business continuity plan. The business continuity plan focuses on keeping the business running, while the incident response plan focuses on the attack itself and the company’s response. Both are critical to building a resilient organization.

In addition to InfoSec units, others within non-technical business units have responsibilities following an incident. These departments include business operations, human resources, legal, communications/PR, and finance. Responsibility for developing the incident response plan falls under the Chief Information Security Officer (CISO) or a duly nominated representative, most likely the leader of the CSIRT.

Failure to develop and implement a plan has historically resulted in high-profile security failures in both the private and public sectors. An inadequate response to a high-profile breach or incident usually indicates that there was a poorly executed or ill-conceived incident response plan.