
Running head: Incident Response Plan Responsibility Chart 1

Incident Response Plan Responsibility Chart

Justin R. Cook

University of San Diego, CSOL-590



An incident response plan is a documented plan designed to guide an organization during a cybersecurity incident. Cybersecurity incidents include events such as data breaches, cyber-attacks, and malware infections. When an incident occurs, having a robust plan will ensure that the organization takes the correct steps during the incident. An incident response plan is composed of the following six phases:

1. Preparation

This phase is often deemed the most important part of an IR plan. Ensuring that employees are properly trained and fully understand their roles in the IR plan will enable them to perform their duties properly during an incident. The better trained employees are, the less likely it is that critical errors will be made during an incident (Ellis, n.d.). Techniques that can be used to prepare include mock breaches and regular meetings to go over the plan.

2. Identification

This phase of the IR plan begins when an incident first occurs. When a potential incident happens, it must be evaluated to confirm that it is a genuine incident and then addressed. IT departments often employ monitoring software to analyze the state of the network and devices; this software can be configured to alert staff when something unusual occurs. During the identification phase, staff must gather as much information about the incident as they can.

3. Containment

Once the incident is identified and its details are learned, steps must be taken to isolate every device that is infected. Isolating infected devices prevents other devices or services from being affected as well. The simplest way to isolate devices is to disconnect them from the network. It is important to have both short-term and long-term containment strategies in place (Ellis, n.d.).

4. Eradication

Once the issue is contained, it is time to learn and eliminate the root cause of the incident. This can include tasks such as installing security updates or removing malware from infected devices. It is important to do a thorough job during this phase because if the root cause is not correctly eliminated, the issue could recur.

5. Recovery

After the issue has been eradicated from all systems, the next step is to return to normal operations. During this phase, all systems that were in isolation are returned to the network and all services are started again.

6. Lessons Learned

The primary focus of the first five steps is to work through the incident and securely return to normalcy. The final step is reflective and involves holding a meeting with the incident response team to note what was learned from the incident (Ellis, n.d.). Everything must be documented and archived so it can be referenced later. Analyzing what happened and what was learned enables the organization to update whatever is needed and be better prepared for future cybersecurity incidents.

To develop a robust incident response plan, an incident response team must be staffed. The types of roles will vary across organizations and industries. For example, a large corporation may have public relations staff or attorneys as members of the IR team that a small startup company would not need. In general, the incident response team should be made up of people from different disciplines to handle the various issues that arise from an incident (Kral, 2011). Four example roles on an incident response team are team lead, technical staff, public relations, and legal.

Responsibility chart: for each phase and task, the responsibilities of the Team Lead, Technical Staff, Public Relations, and Legal roles.

Preparation

IR team meetings
Team Lead: The team lead should ensure that regular meetings are held and that all members of the IR team understand their roles and responsibilities.
Technical Staff: Voice any concerns that could hinder performance during an incident. The technical team should make sure they understand their responsibilities and be prepared to carry them out.
Public Relations: Communicate with the team on the ways that public relations will impact the IR plan.
Legal: Provide updates on any new laws or regulations that the organization must adhere to.

Mock drill
Team Lead: Lead a mock drill to simulate what would happen during an actual cybersecurity incident.
Technical Staff: Go through all stages of the IR plan and ensure all other members are on the same page.
Public Relations: Go through all stages of the IR plan and ensure all other members are on the same page.
Legal: Go through all stages of the IR plan and ensure all other members are on the same page.

Identification

Discovery of incident
Team Lead: Be aware that a potential incident has occurred. Review all relevant information provided by the technical staff.
Technical Staff: Identify what has occurred and the overall situation of what happened. Communicate findings to the rest of the team.
Public Relations: Be aware that a potential incident has occurred. Review all relevant information provided by the technical staff.
Legal: Be aware that a potential incident has occurred. Review all relevant information provided by the technical staff.

Classification of event
Team Lead: Analyze all information provided by the technical staff and officially classify the event. If the incident is serious enough, initiate the start of the incident response plan.
Technical Staff: Provide all information about the event to other team members to review. Provide the team lead with the likely classification of the event.
Public Relations: In direct communication with other team members, be prepared to start the containment phase of the IR plan.
Legal: In direct communication with other team members, be prepared to start the containment phase of the IR plan.

Containment

Short-term containment
Team Lead: Stay in close communication with the technical staff. Ensure that the short-term containment strategy is carried out correctly. Inform executive staff of what occurred and the scope of the incident.
Technical Staff: Identify and isolate all infected devices. Isolation is performed by removing the devices from the network. Stop services running on infected devices or transfer them to a backup system to ensure the continuity of operations.
Public Relations: Inform other team members what information can be communicated to which parties. Make a public announcement if key services are affected.
Legal: Document the steps being carried out by technical staff and analyze any potential legal issues that may arise.

Long-term containment
Team Lead: Stay in close communication with the technical staff. Ensure that the short-term containment strategy is carried out correctly.
Technical Staff: Affected systems can be temporarily fixed to allow them to be used in production as needed (Kral, 2011).
Public Relations: Communicate what occurred to other members of the organization as needed.
Legal: Document the steps being carried out by technical staff and analyze any potential legal issues that may arise.

Eradication

Learn root cause
Team Lead: Stay in close communication with the technical staff. Ensure that the root cause is properly identified.
Technical Staff: Perform all tasks required to identify the root cause of the incident.
Public Relations: Inform the public of what occurred and the reason why.
Legal: Analyze the root cause and check whether any laws or regulations were broken.

Fix root cause
Team Lead: Stay in close communication with the technical staff. Ensure that the root cause is properly eradicated.
Technical Staff: Fix whatever allowed the incident to happen. This could include applying a security patch/update, closing off backdoors, removing malware, etc.
Public Relations: Analyze the root cause and how it was fixed. Prepare a strategy to inform the public of what happened.
Legal: Ensure that the root cause is removed to limit any further liability of the organization.

Recovery

Plan for transition to normal operations
Team Lead: Work with technical staff to transition all services back to normal.
Technical Staff: Prepare a strategy to transition all devices and services back to normal.
Public Relations: Prepare a strategy to inform the public of the organization's plan to transfer to normal operations.
Legal: Review the transition strategy and verify that it meets all regulatory requirements.

Transition to normal operations
Team Lead: Ensure that the technical staff transitions all services and devices back to normal.
Technical Staff: Move all isolated devices back online and transfer services back to the normal devices as needed. Test all services and devices to ensure they are running properly.
Public Relations: Make a public announcement that services are transitioning back to normal.
Legal: Ensure that the transition is properly performed.

Lessons Learned

Post-incident meeting
Team Lead: Lead a post-incident meeting to review what occurred during the incident.
Technical Staff: Inform all members in detail of what was done to contain and eradicate the root cause of the incident. Discuss the strategy used to transfer operations back to normal.
Public Relations: Inform the team members what information they are allowed to communicate.
Legal: Discuss with the team any legal issues that could arise following the incident.

Updating the IR plan
Team Lead: Communicate any issues that happened during the plan and update the plan based on recommendations received from other team members.
Technical Staff: Look for ways that the IR plan could be modified to limit the damage of a cyber incident. Recommend an update if needed.
Public Relations: Look for any ways that the IR plan could be modified to limit damage to the organization. Recommend an update if needed.
Legal: Look for ways the IR plan put the organization at legal risk. Recommend an updated plan if needed.

References

Ellis, D. (n.d.). 6 Phases in the Incident Response Plan. Retrieved May 18, 2020, from https://www.securitymetrics.com/blog/6-phases-incident-response-plan

Kral, P. (2011). The incident handler's handbook. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
