
The Incident Response Plan lays down a set of actionable steps to follow when a cyber-attack and/or a possible data security violation is encountered.

1. Preparation

  • instruction of employees about general behaviour in terms of preventing attacks and data security violations

  • instruction of employees about how to act and react in cases of incidents

  • development of training scenarios

  • evaluation and optimization of the response plans, based on training scenarios

  • keeping all technical systems updated and patched to the most current releases

2. Identification

  • identify potential cyber-attacks or data security violations

  • watch for signs/symptoms that should trigger the incident response procedures (e.g. logins at unexpected times or from unexpected locations, external information in case of data breaches etc.)

  • answer the following questions

    1. When did the attack/violation happen?

    2. Who found out about it and how?

    3. Which parts of the system are affected?

    4. Has the cause/vulnerability already been identified?

    5. What are the impacts on the production system?
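The signs named above (logins at unexpected times or from unexpected locations) can be checked mechanically against authentication logs. The following script is an added example and is not part of the Incident Response Plan page; the log line format, the sample log lines, the business hours (in UTC) and the set of expected countries are all constructed assumptions for illustration.

```python
from datetime import datetime, time
from typing import Dict, List, Optional

# Constructed sample authentication log (hypothetical format, not taken from the page):
# "<ISO-8601 UTC timestamp> user=<name> src=<ip> country=<ISO code> result=<success|failure>"
SAMPLE_LOG = """\
2024-03-09T10:00:00Z user=dave src=10.0.0.7 country=DE result=success
2024-03-11T09:12:41Z user=alice src=10.0.0.5 country=DE result=success
2024-03-11T22:47:03Z user=bob src=203.0.113.17 country=BR result=success
2024-03-12T03:15:22Z user=alice src=10.0.0.5 country=DE result=success
2024-03-12T11:02:10Z user=carol src=198.51.100.9 country=DE result=failure
2024-03-12T11:02:15Z user=carol src=198.51.100.9 country=DE result=success
"""

# Assumptions that define "expected": working hours (UTC) and countries staff normally log in from.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(20, 0)
EXPECTED_COUNTRIES = {"DE", "AT"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        # fromisoformat() on older Pythons does not accept a trailing "Z", so normalise it.
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    event: Dict[str, object] = {"timestamp": ts}
    for field in parts[1:]:
        if "=" not in field:
            return None  # malformed field: drop the whole line rather than guess
        key, value = field.split("=", 1)
        event[key] = value
    return event


def unexpected_reasons(event: Dict[str, object]) -> List[str]:
    """Return the reasons a successful login looks unexpected (empty list if none)."""
    reasons: List[str] = []
    ts = event["timestamp"]
    if ts.weekday() >= 5:  # Saturday or Sunday
        reasons.append("login on a weekend")
    if not (BUSINESS_START <= ts.time() <= BUSINESS_END):
        reasons.append("login outside business hours")
    country = str(event.get("country", "unknown"))
    if country not in EXPECTED_COUNTRIES:
        reasons.append(f"login from unexpected country {country}")
    return reasons


def find_suspicious_logins(log_text: str) -> List[Dict[str, object]]:
    """Scan a log and return every successful login that matches at least one sign."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event.get("result") != "success":
            continue  # only established sessions matter for this check
        reasons = unexpected_reasons(event)
        if reasons:
            findings.append({
                "user": event.get("user"),
                "src": event.get("src"),
                "when": event["timestamp"].isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(f"{finding['when']} {finding['user']} from {finding['src']}: "
              f"{'; '.join(finding['reasons'])}")
```

Run against the constructed sample, the script flags dave's Saturday login, bob's late-evening login from an unexpected country, and alice's 03:15 login; carol's daytime login from an expected country is not reported, and her preceding failed attempt is ignored because only successful logins are examined. Each finding carries its reasons so that the answers to the questions above (when, which system, which account) can be filled in directly from the log.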

3. Containment

  • contain the attack/violation and prevent additional areas/systems from being affected

  • keep the production system operating at the highest possible level

  • secure information that may lead to identifying the responsible party and root cause

  • make security backups of all affected systems for later inspection and analysis, internally and/or externally

  • inform all affected staff and third parties as applicable and agreed in the according data processing agreements

4. Elimination

  • identify the root cause

  • eliminate the root cause

  • remove affected corrupted files (if applicable)

  • confirm that security patches/updates are at the most current release

  • harden affected systems against the identified attack, or fix the data processing procedure to eliminate the data security violation

5. Recovery

  • confirm that all affected systems have been purged of any malicious code/malware etc.

  • confirm that all entry points of an identified attack have been closed

  • confirm that any identified data security violation can no longer occur

  • bring affected systems back to ready-for-production mode and go live again

6. Retrospect

  • structured after-incident meeting with all involved parties

  • collection and documentation of insights gained during the incident

  • review of Incident Response Plan and extension/optimization where applicable

  • review of Incident Response team effort, align communication processes if necessary
