Incident response plans (IRPs) and disaster recovery plans (DRPs)
Cybercrimes and security breaches have been running rampant over the past year. It is critical for organizations to introduce strategies that help reduce the likelihood and impact of realized cyber threats. As part of a defense in depth organizations can achieve better security. Having both incident response plans (IRPs) and disaster recovery plans (DRPs) are key components of implementing defense in depth and is paramount to improving all organizations’ ability to respond and recover from cyber incidents.
It is essential to understand some of the key differences between IRPs and DRPs.
What are Incident Response Plans?
An incident response plan is a set of procedures that your organization will follow in the event of a security breach. IRPs should support the organization and be well embedded into organizational policies to ensure that there is a wide reach. Organizations that do not integrate IRPs into policies increase their risk of staff being unable to execute on the documented procedures. Having a well-executed incident response plan provides internal and external stakeholders assurance that your organization is prepared to reduce recovery time objectives (RTOs) thus minimizing the impact of breaches. Organizations should follow well established, well-reputed frameworks when constructing IRPs. Most incident response plans have 6 high-level steps to follow (link):
Preparation includes internal understanding of policies, procedures and technologies. Procedures should include well documented plans, communication templates, documentation, team roles and responsibilities, and access controls. With these components, organizations can validate their plans during training while maintaining readiness to deal with pertinent threat vectors.
It is critical to understand whether an incident has occurred. Various frameworks (SOC 2, ISO 27001, NIST 800-53, etc.) require organizations to implement intrusion detection systems; intrusion detection systems are critical to identifying threats and conducting the follow up steps.
in order to reduce the impact to threats, it is critical to contain them as much as possible. Containment helps minimize the impact of realized threats. Segmentation, and well-implemented access controls are critical to isolation incidents while maintaining integrity and minimizing threats to availability.
Eradication involves the removal of malicious artifacts and restoration of systems affected by security incidents. Planning and documentation of system architecture help the eradication process by informing organizations of the scope of incidents. During the eradication process, organizations must ensure that they are upholding non-repudiation by ensuring a chain of custody and maintaining logs of each of the changes that occur.
This phase helps organizations methodically bring affected systems back into production. During the recovery phase, organizations must ensure that other incidents do not occur. Systems should be tested, monitored, and validated as they move back into production. This is typically a good time to update anti-malware signatures as systems are pre-production. Application performance monitoring tools and anti-malware products should be monitored more closely during recovery periods to ensure that nothing was missed during eradication.
Conduct Lessons Learned
It is vital for organizations to review the IRP and adapt; especially to procedures that were ineffective. An objective play-by-play review should be run by an objective personnel (often an auditor) to recommend areas of improvement to senior management and the ISMS.
What are Disaster Recovery Plans?
Disaster recovery plans address greater questions about people, processes and technology associated with organizations. People and human safety are always the top priority DRPs (link). DRPs focus on the enterprise by paying close attention to immediate response and minimizing overall damage. There are additional details and procedures tied to incident response plans. Most organizations should include the following considerations when building the procedures tied to their plan (link):
The personnel responsible for executing and ensuring the success of the incident response plan. The personnel should also be the people maintaining the wellbeing of the organization’s people throughout the DRP processes.
What are the critical assets for your organization. It is critical to identify assets that are the most important to your organization and be able to quickly identify who is best-equipped to have oversight. Inventories should be documented using business impact analyses (BIAs) criticality to the organization. BIAs help inform priority for recovery and can greatly accelerate identification and response processes.
How you communicate and ensure that your organization has the ability to coordinate chains of events is critical to rapid recovery. It is important to make note of communications channels and to have alternate ones in case the primaries are unavailable. In addition, having communication templates increase recovery times by ensuring that minimal time is spent during escalations.
Ensure to test your controls and processes to ensure that it works against various scenarios. Running tests such as table top exercises or simulations are excellent ways to prepare for disasters.
It is important that your organization identifies deficiencies in the DRP before there is a need to execute it in a real-world scenario. It is important to test your disaster recovery plans at least annually, not just for the previously stated reason, but to also identify areas of improvement in refining your DRP.
The items listed in the DRP steps provide guidance to organizations in mitigating the most significant risks that they face. These may include very impactful shifts that were previously unprecedented spanning entirely remote workforces.
IRP and DRP in Harmony
The more precise and methodical the incident response plan, the better equipped your organization is to recover. Incident response plans describe how organizations respond when incidents occur. It is an inevitable reality that organizations will face incidents that they must address. Seconds make a difference to the degree that organizations are affected. In conjunction with DRPs, organizations can equip themselves by prioritizing and remediating based on objectives that mean the most to the organizations in which they are operating.
As organizations mature and acquire new clients, having Incident Response Plans and Disaster Recovery Plans become critical requirements in doing business with mature, enterprise-level organizations.
It is important to have both in to uphold resilience and provide the necessary levels of assurance to vendors and partners. DRPs and IRPs help organizations recover quickly if implemented properly. Each should be reviewed by senior management and well-embedded into policies and procedures for organizational operations.
There are multiple cyber security firms that can assist if your organization is unsure where to start. It is important that during your search, you consider elements such as referrals and certified staff. IRAP clients can reach out to their IRAP ITA (Industrial Technology Advisor) as your organization may be eligible for a 25 hour cyber security advisory support on this topic.