Incident Response Plan

Owned by Patrick Jähnichen (Unlicensed)

Last updated: Jan 10, 2022 by Carlos de las Cuevas Otero (Unlicensed)

2 min read

The Incident Response Plan lays down a set of actionable steps in case of the encounter of a cyber-attack and/or possible data security violation.

1. Preparation

instruction of employees about general behaviour in terms of preventing attacks and data security violations
instruction of employees about how to act and react in cases of incidents
development of training scenarios
evaluation and optimization of the response plans, based on training scenarios
keeping all technical systems updated and patched to the most current releases

2. Identification

identify potential cyber-attacks or data security violations
keep track of signs/symptoms to start the incident response procedures (e.g. logins at unexpected times or from unexpected locations, external information in case of data breaches etc.)
answer the following Data Breach Registration Form: https://docs.google.com/spreadsheets/d/1ebellVqEob6GZPTE982pdXcpk6ZgQLRsunvtWoTii7Q/edit?usp=sharing

3. Containment

contain the attack/violation and prevent that additional areas/systems are affected
secure production system efficacy on highest possible plateau
secure information that may lead to identifying the responsible party and root cause
make security backups of all affected systems for later inspection and analysis, internally and/or externally
inform all affected staff and third parties as applicable and agreed in the according data processing agreements

4. Elimination

identify the root cause
eliminate the root cause
remove affected corrupted files (if applicable)
confirm that security patches/updates are at most current release
make affected systems more robust against the identified attack/fix data processing procedure to eliminate data security violation

5. Recovery

confirm that all affected systems have been purged of any malicious code/malware etc.
confirm that all entry points of an identified attack have been closed
confirm that any identified data security violation is impossible
bring affected systems back to ready-for-production mode and go live again

6. Retrospect

structured after-incident-meeting with all involved parties
collection and documentation of insights won during the incident
review of Incident Response Plan and extension/optimization where applicable
review of Incident Response team effort, align communication processes if necessary