How to Draft an Incident Response Policy: What to Include


If your company were to be hit by a cyber attack, do you have an incident response plan in place?

Would all members in your organisation know how to respond and what protocols to follow?

Or would this create panic as everyone scrambles to get the situation under control?

Unfortunately, with the amount of information now living online, cyber attacks are inevitable – even for those companies who believe their system is impenetrable.

And whilst no organisation can stop a cyber attack from happening, you can put your business in the best possible position to defend itself.

By having an incident response plan, your team will fully understand their roles and responsibilities in the event of a real-world attack, and will be able to control the situation much more easily.

Instead of panicking and making irrational decisions, an incident response plan ensures everyone follows the right procedure so that the situation can be resolved as quickly as possible.

If you’ve never written an incident response plan then it might sound quite daunting.

But, that’s what we’re here for. At TLR we’re experts in cybersecurity and we want to eliminate the stigma that surrounds this subject.

That’s why we’re breaking down the process of writing an incident response plan, so that you can feel confident when it comes to writing your own.

So, let’s get started.

What Is An Incident Response Policy?

As we’ve alluded to in the intro, an incident response plan outlines the way your business should react in the event of a real-life cyber attack.

Essentially, it is a set of tools and procedures that your security team can use to identify, eliminate, and recover from cyber security threats.

The aim of this plan is to help your team respond efficiently and quickly against any type of external threat, so that chaos does not unfold.

In turn, this minimises damage caused by cyber attacks, including data loss, abuse of resources, and the loss of customer trust.

Retaining the trust of your customers is key, otherwise anarchy could break out.

Imagine finding out that your bank had suffered a major cyber security breach and no one in the organisation knew what to do. Instead, they were scrambling around, trying to figure it out as the situation unfolded.

The bank will have lots of your data on file including your bank details, passwords, email address, and contact information – all of which could be stolen by a cybercriminal.

Therefore, as a business, you need to be aware of your reputation and send a message to customers that you are in control.


Why Is An Incident Response Policy Important?

Apart from maintaining customer trust, an incident response plan is important for a whole host of reasons – one of the main ones being financial loss.

The Ponemon Institute’s Cost of Cyber Crime Study showed that the typical organisation experiences an average of 145 security incidents per year and spends $13 million a year to defend itself.

That’s a lot of money which could be better spent in other areas of your business.

Having a robust incident response policy can significantly reduce these costs by keeping your business one step ahead of cyber criminals.

Going back to our earlier point about customer trust, if a security breach is not handled correctly, the company risks losing the confidence of its investors and shareholders too.

That’s a big price to pay for a lack of preparation and planning.

Additional benefits of incident response plans include:

  • Data protection — Securing backups, ensuring sufficient identity and access management, and timely patching of any network vulnerabilities.
  • Reputation reinforcement — Effective incident response is proof of an organisation’s commitment to security and privacy, and can save a company’s reputation in the event of a breach.
  • Cost reduction — According to a study by IBM, the average cost of a breach is $4.35 million. However, incident response planning can massively reduce this cost by limiting the damage caused by a cyber attack.

Phases of An Incident Response Policy

There are six steps that should be taken by the Incident Response Team so that they can effectively manage security incidents. These are outlined below:

Preparation phase

This involves performing a risk assessment and prioritising security issues to see which are the most sensitive assets, and which critical security incidents the team should concentrate on.

You then need to devise a communication plan, outlining roles, responsibilities, and processes, and recruit members to the Cyber Incident Response Team (CIRT).

Identification phase

Your team should be able to detect any suspicious behaviour or deviations from normal operations, and when an incident is discovered, collect additional evidence, decide on the severity of the incident, and document the “Who, What, Where, Why, and How”.

Containment phase

Once the team has identified an incident, their primary goal is to contain the incident and prevent any further damage to your security network. This involves:

  • Short-term containment — for example, isolating network segments or taking down infected production servers and handling failover.
  • Long-term containment — applying temporary fixes to affected systems to allow them to be used in production, while rebuilding other clean systems.

Eradication phase

The team is now tasked with identifying the root cause of the cyber attack, and removing any possible cyber security threats to prevent similar attacks happening again in the future. For example, if a network vulnerability was exploited, it should be patched immediately.

Recovery phase

This involves the team bringing affected production systems back online in a very careful way, to ensure another incident doesn’t happen. Important decisions at this stage include deciding on a time and date to restore operations, how to verify that affected systems are back up and running as normal, and monitoring to confirm that activity has returned to normal.

Post-incident phase

This phase should be conducted within two weeks of the incident taking place to ensure all information is still fresh in your team’s minds. The idea behind the post-incident phase is to document the incident, investigate further to identify its full scope, understand where the response was effective, and outline any areas that need improvement.


Elements of An Incident Response Policy

When it comes to actually writing your incident response plan, there are some general recommendations to follow.

This ensures you’ve covered all bases, and means all members of your team have a comprehensive plan to follow in case of a real-life attack.

Assemble your incident response team

A cybersecurity incident doesn’t affect just your IT infrastructure – it affects the entire company. That’s why you need to include at least one dedicated person from each department you identify as crucial when dealing with the aftermath of the attack.

Identify vulnerabilities

Regardless of how good your protective cybersecurity measures are, you need to assume there are some holes in your system which could be exploited by cybercriminals. As a result, specifying the most critical assets will enable the response team to prioritise their efforts in the event of an attack.

Identify external cyber security experts

Even if you have your own in-house IT team, the scale of the security incident might be so vast that you need an external expert to help audit and remedy the situation. So, do your research to find a team who can help and use their services.

Create a response plan checklist

Based on the six phases outlined above (preparation, identification, containment, eradication, recovery, and post-incident) you need to create an incident response plan checklist.

It’s vital you go through each of these stages, even though there can be some overlap.

Design a communications strategy

This is crucial in the aftermath of the cyber attack as this is the part that is going to be most visible to the public and your clients.

When devising your communications strategy, make sure to consider the following:

  • Who do you need to notify?
  • What public or government institutions do you need to contact?
  • What is your deadline to report the incident?

If the cyber attack was serious and was reported on the news, you need to make a public statement. However, these situations need to be managed very carefully as they can lead to a huge amount of reputational damage if they are handled incorrectly.

Top Tips on Drafting An Incident Response Policy

Make it flexible

An incident response policy should be checked on a regular basis to ensure that the document is up to date, accurate, and responds to the newest trends in cybersecurity.

Also, the definitions in the document should be broad enough to cover all types of incident situations so that if the document needs to address new security challenges, you will not need to change the definitions.

This keeps everything accurate whilst also saving businesses time.

Ensure cooperation between departments and staff

A successful incident response policy relies on all departments working together to ensure everyone fully understands the plan.

Furthermore, many cyber security incidents require a range of teams on hand, so it’s important everyone understands their individual roles and responsibilities.

For instance, handling a breach that has resulted in a loss of credit card data may require security experts (for addressing software issues), but also PR specialists (for drafting a public disclosure of the incident), as well as customer support staff (who will discuss the breach with customers).

This should be initiated during the phase of policy planning, and not only during its implementation.

Assess performance

The effectiveness of an incident response plan can be measured by using both quantitative and qualitative performance indicators.

For example, the time required for detecting, handling, investigating, and reporting an incident can be used as a quantitative indicator.

Similarly, the feedback provided by the response team can serve as a qualitative indicator.
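The phase timeline described earlier and the quantitative indicators named in this section can be captured in a small script. The following is an added example, not code from the original article or from TLR: it records the timestamps at which each incident passed through containment, eradication, recovery, reporting and post-incident review, then derives mean time to detect, contain, recover and report across a set of constructed incident records, flags reviews that missed the two-week window, and lists incidents whose external notification is overdue. The field names, the severity scale, the sample incidents and the 72-hour reporting deadline are assumptions chosen for illustration; substitute the deadline that applies to your own regulatory obligations.

```python
"""Quantitative incident response indicators derived from an incident timeline.

Added example, not from the original article or from TLR. The field names,
severity scale, sample records and the 72-hour reporting deadline are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

REVIEW_WINDOW = timedelta(days=14)      # article: post-incident review within two weeks
REPORT_DEADLINE = timedelta(hours=72)   # assumed notification deadline; set to your obligations


def hours(delta: timedelta) -> float:
    """Express a duration in hours as a float."""
    return delta.total_seconds() / 3600.0


@dataclass
class Incident:
    ident: str
    severity: str                          # assumed scale: "low" / "medium" / "high"
    occurred: datetime                     # best estimate of when the malicious activity began
    detected: datetime                     # identification phase: incident confirmed by the team
    contained: Optional[datetime] = None   # containment complete (short- or long-term)
    eradicated: Optional[datetime] = None  # root cause removed
    recovered: Optional[datetime] = None   # affected systems back in production
    reported: Optional[datetime] = None    # external notification sent
    reviewed: Optional[datetime] = None    # post-incident review held

    def current_phase(self) -> str:
        """Map the recorded timestamps onto the article's phases, from containment onward."""
        if self.reviewed:
            return "closed"
        if self.recovered:
            return "post-incident"
        if self.eradicated:
            return "recovery"
        if self.contained:
            return "eradication"
        return "containment"

    def time_to_detect(self) -> timedelta:
        return self.detected - self.occurred

    def time_to_contain(self) -> Optional[timedelta]:
        return None if self.contained is None else self.contained - self.detected

    def time_to_recover(self) -> Optional[timedelta]:
        return None if self.recovered is None else self.recovered - self.detected

    def time_to_report(self) -> Optional[timedelta]:
        return None if self.reported is None else self.reported - self.detected

    def review_on_time(self) -> Optional[bool]:
        """None until a review has happened; otherwise whether it fell within the window after recovery."""
        if self.reviewed is None or self.recovered is None:
            return None
        return self.reviewed - self.recovered <= REVIEW_WINDOW

    def report_overdue(self, now: datetime, deadline: timedelta = REPORT_DEADLINE) -> bool:
        """True for reports sent late and for unreported incidents already past the deadline."""
        sent = self.reported or now
        return sent - self.detected > deadline


def summarise(incidents, now: datetime) -> dict:
    """Quantitative indicators across a set of incidents; durations are mean hours."""
    def avg(values):
        present = [hours(v) for v in values if v is not None]
        return round(mean(present), 2) if present else None

    closed = [i for i in incidents if i.review_on_time() is not None]
    return {
        "incidents": len(incidents),
        "open": sum(1 for i in incidents if i.current_phase() != "closed"),
        "mean_time_to_detect_h": avg(i.time_to_detect() for i in incidents),
        "mean_time_to_contain_h": avg(i.time_to_contain() for i in incidents),
        "mean_time_to_recover_h": avg(i.time_to_recover() for i in incidents),
        "mean_time_to_report_h": avg(i.time_to_report() for i in incidents),
        "reviews_on_time": sum(1 for i in closed if i.review_on_time()),
        "reviews_late": sum(1 for i in closed if not i.review_on_time()),
        "reports_overdue": [i.ident for i in incidents if i.report_overdue(now)],
    }


D = datetime
SAMPLE_INCIDENTS = [  # constructed records for illustration, not real incidents
    Incident("INC-001", "high",
             occurred=D(2024, 3, 1, 8), detected=D(2024, 3, 1, 20),
             contained=D(2024, 3, 2, 2), eradicated=D(2024, 3, 3, 9),
             recovered=D(2024, 3, 4, 20), reported=D(2024, 3, 3, 20),
             reviewed=D(2024, 3, 12, 10)),                        # review 8 days after recovery
    Incident("INC-002", "medium",
             occurred=D(2024, 4, 10, 0), detected=D(2024, 4, 11, 12),
             contained=D(2024, 4, 11, 14), eradicated=D(2024, 4, 11, 18),
             recovered=D(2024, 4, 12, 12), reported=D(2024, 4, 14, 12),
             reviewed=D(2024, 5, 5, 9)),                          # review 23 days after recovery: late
    Incident("INC-003", "high",
             occurred=D(2024, 5, 1, 9), detected=D(2024, 5, 1, 10)),  # still being contained
]
NOW = D(2024, 5, 6, 12)

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_INCIDENTS, NOW).items():
        print(f"{key}: {value}")
```

Feeding real incident records into `summarise` month by month gives the trend a review board can act on; the qualitative side, the response team's own feedback, still has to be gathered in the post-incident meeting itself.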

Don’t forget testing

You should always test your incident response plan instead of waiting for a real-life attack to happen first.

Simulating a cyber security breach not only allows you to test the effectiveness of your incident response plan, but also allows you to identify any areas that require improvement.

At TLR, we strongly believe that testing your security system is one of the most effective ways of strengthening it. By simulating cyber attacks, you can identify any existing holes and weaknesses in your current system which could be leaving you vulnerable to cyber criminals.

That’s why we design, build, and run comprehensive themed Kinetic Cyber Experiences to broaden people’s technical knowledge through fun and relatable real world exercises.

By conducting cyber war games, you can engage your team in cyber security through real world simulated attacks on critical infrastructure and networks.

To find out more simply get in touch with our team.


How to Draft an Incident Response Policy: What to Include

Drafting an incident response plan ensures your business, and those working in it, fully understand how to respond in the event of a real-life attack.

Instead of sitting back and waiting for something to happen, you need to devise a comprehensive plan that all team members are on board with.

This reduces the likelihood of panic breaking out, which could lead to heavy financial losses and reputational damage the longer the situation goes unresolved.

However, by devising and testing your incident response plan on a regular basis you can ensure your business is in the best possible position to defend itself against cyber criminals.

At TLR, we are committed to making you cyber offensive by equipping you and your team with the tools you need. From simulating real-world cyber attacks through our cyber war games to periodically scanning your infrastructure through our Cavalry solution, our team of experts keep you one step ahead. Get in touch to find out more or to chat through your requirements.

Become cyber resilient

Get in touch today to see how we can make you more cyber resilient. Empowering you to lead from the front.

Written by

Dave Roberts