VIEW 23 The incident response plan

23. The incident response plan

Let’s look in a little more detail at a typical incident response plan, as illustrated in the diagram to the right. It is divided into several different stages such as detect, assess, isolate, recover and post mortem. At each of these stages the following questions need to be addressed:

Who needs to be involved as part of the decision-making team?
How will the necessary steps be executed?
Where will these activities take place?
When and in what sequence will they happen?

23. The incident response plan

Why do I need one?
An incident response plan brings clarity during times of confusion by providing pre-prepared guidance and instruction. It clearly defines the roles of the people on the response team and spells out in advance a communications plan describing who will inform whom of what, and in what order.

When monitoring systems, a substantial number of false positives should be expected. If there are no false positives, in other words no suspect events that turn out to be harmless, there is something wrong with your level of monitoring. Your employees may not be informing you of suspicious events.

The success of the kaizen system which propelled Japanese car manufacturers to world dominance was based around giving production line workers the authority to hit the stop button if they saw something wrong. Pushing this authority low down the corporate hierarchy was counterintuitive but resulted in significant improvements in quality and efficiency. In a similar vein, in an incident response plan, the decision as to who has the authority to hit the stop button, so triggering the active incident response process, is a key one.

You can see that each stage in the incident response process has some key performance indicators (KPIs) that should be recorded and reviewed on a regular basis. As mentioned previously, false positives are very instructive. Other useful ways of quantifying performance are measures of the mean time to detection (MTTD) and mean time to resolve (MTTR) which we return to later (View #27).

One area that is often overlooked is application of lessons learned. Remedial actions are often listed as desirable in the post mortem phase, but too often these are never applied or followed up on. Time and budget need to be allocated to fix the root causes of the problems.

23. The incident response plan