All Hands on Deck: Staff and Stakeholder Involvement in Incident Response Planning
When creating an incident response plan, designating processes, roles and responsibilities for each phase of the incident response process is critical to ensuring ease and speed of recovery, as well as continuity of business operations. The SANS Institute names six key phases in the incident response process, each of which should be covered in detail in a well-designed plan:
- Preparation: Prepare staff to handle future incidents.
- Identification: Confirm the existence of an incident.
- Containment: Isolate affected systems and limit further damage to the infrastructure.
- Eradication: Determine and remove the root cause of the incident.
- Recovery: Remediate affected systems and return them to the environment.
- Lessons Learned: Conduct analyses with the goal of preventing future incidents by improving controls, policies and processes.
However, even plans that cover all six phases in depth may lack employee participation, knowledge and buy-in, all of which are critical when it comes to enforcing and executing incident response processes. It is wise to involve personnel from multiple divisions and departments, not just information technology, from the initial phase of incident response plan development. This includes business managers, legal counsel, human resources and public relations staff, security groups and auditors. Effective incident response depends on cooperation between personnel in various departments and business units. Managers and key staff members from these departments should weigh in on their incident response needs, roles, responsibilities and overall strategy. They should also be given an opportunity to provide feedback as policies and procedures are further developed.
After an incident, stakeholders and staff with incident response responsibilities should participate in the lessons learned analysis. Reviewing procedures and activities in detail, and how they affected the ease and speed of recovery, will help an organization improve its incident response plan and preparedness for future incidents.