What is Included in a Cybersecurity Incident Response Plan?

With the threat of cyberattacks increasing, many businesses are focused on implementing Cybersecurity Incident Response Plans (IR Plans) to help prevent and mitigate cyber threats. The purpose of IR Plans is to ensure that businesses have an organizational map for assessing security events in an effective and efficient manner.

What are the key features of a Cybersecurity Incident Response Plan?

Perhaps the most important feature of an IR Plan is the establishment of company-wide roles and responsibilities. This provides an organizational framework that facilitates the spread of information and responses, as well as increasing efficiency. When a data breach occurs, the last thing a business wants to be concerned with is determining who is supposed to do what. A detailed roles and responsibilities outline ensures that the proper individuals will spring into action when expected. While the roles a business implements are determined by a variety of internal and external factors, some key roles that should be considered include: a senior management team involved in critical decisions, an incident manager that is responsible for overseeing the issue, and third-party companies that may assist in the recovery process. 

What is the OODA Loop?

The OODA Loop is a decision-making analysis which, although originally intended for military use, has been adopted by many businesses to train workers on how to properly identify and address critical issues. In the world of cybersecurity, the four components of the OODA Loop – observe, orient, decide, and attack – present an organizational scheme aimed at devoting full attention to the task at hand in a professional and reasonable manner. 

The first stage of the OODA Loop, the observation, is focused on data collection and reconnaissance to evaluate potential threats. When a threat has been detected, this stage assists in determining whether it is a security incident or a false positive. Important considerations that should be made during the observation stage include: who reported the potential incident; what systems or operations have been affected; and how was the incident first discovered?

In the orientation stage, the information collected is analyzed, transforming raw data into vital information. This allows for the formation of hypotheses as to the origins, purposes, and effects of the security incident, and provides an opportunity to perform operations for testing the hypotheses. Importantly, all the information analyzed and tested during this stage should be properly recorded and stored in case it is needed in the future. 

During the decision stage, senior members of an organization synthesize all the information obtained during the observation and orientation stages in order to formulate an appropriate response. The most critical component of this stage is knowing which of the many available options is the one best suited for the current situation. As a result, it is necessary to have a complete understanding of the current issue and carefully analyze all the available options. This stage requires patience and detailed analysis, for selecting the wrong approach may exacerbate the accident. 

The final stage of the OODA Loop is when the response selected in the decision stage is put to action in order to contain and eradicate the threat. Some of the actions that may be taken include: resetting credentials, removing malicious files, and monitoring networks. Importantly, while the action stage is technically the final part of the OODA Loop, it never really ends. Instead, the information and knowledge gained in this stage is analyzed and applied in the other stages when another threat presents itself. 

*Disclaimer: this blog post is not intended to be legal advice. We highly recommend speaking to an attorney if you have any legal concerns. Contacting us through our website does not establish an attorney-client relationship.*