Be prepared: Why you need an incident response policy
Smart security teams have updated incident response plans in place before a security breach happens.

Companies that don’t take the time to develop a security incident response plan pay a high price when the inevitable breach happens. 

According to IBM, organizations with incident response teams and plans spend about $1.2 million less on data breaches than companies without preparations in place. 

However, in IBM’s recent report “The 2020 Cyber Resilient Organization Study,” the company found that about 51% of companies have only an informal response plan that is often applied inconsistently.

Building an incident response plan and testing it is an investment of time and effort that will reduce stress and costs. 


SEE: Incident response policy (TechRepublic Premium)

What to include in an incident response plan

IBM security experts recommend that security teams take time to understand the top threats in their industries and prepare detailed response plans for the specific kinds of attacks they are most likely to face.

Establishing a clear communication strategy is a must for any incident response policy. Daniel Eliot, director of education and strategic initiatives at the National Cyber Security Alliance (NCSA), said clear and comprehensive communication should be a top priority during all security breaches.

“Without a clearly articulated chain of command and both an internal and external communications strategy that brings all the right people to the table, the quality of the response gets diminished,” he said.

Jerry Ray, chief operations officer at SecureAge, said incident response plans need to spell out how resources will be allocated depending on the criticality of the infrastructure components affected by the breach. Depending on the situation, that could mean prioritizing immediate remediation of the attack, restoration of a mission-critical server, or forensic analysis of how the attack worked.

“The order and allocation will be entirely dependent on the attack vector, the system(s) attacked, the data exfiltrated, the IT staff available either in-house or on contract, and the general industry or business line of the victim,” he said.


Prepare for the aftermath

Incident response policies often focus on what to do before and during a breach, but they should also include steps for what to do after an incident.

For example, Eliot said that documentation often gets neglected in the aftermath of a breach.

“Document the lessons learned, and then develop and implement a strategy to reinforce these learnings across the enterprise,” he said. “If you don’t learn from your mistakes, you’re bound to repeat them.”

Eliot said companies recovering from a security breach should answer these questions:

  • What went wrong in our response?
  • What went right in our response?
  • How can we reduce the chances of this happening again?
  • How do you allocate resources to allow for a quick reaction?

Ray added that another important follow-up task is a complete review of all the tools, policies, and settings within the system that suffered the breach, not just the component that failed.

“Typically, the single point of failure is somehow revisited and shored up or patched as if that was the only weakness,” he said. “In reality, the entire security blanket needs to be unwoven, as the ineffective components may have led to or created that point of vulnerability, which on its own may not have been vulnerable.”


Eliot also recommended that IT teams loop in legal counsel after an attack to understand any applicable reporting and notification responsibilities under national and international data breach laws.

TechRepublic Premium’s Incident response policy will help your company set a plan for immediate action as well as develop follow-up tasks after a security breach. The policy includes guidance on assembling a response team and the responsibilities of every person on that team.

This Incident response policy gives you a comprehensive start on a plan and allows you to customize it to fit your company’s particular needs.

Incident response policy

Provided by TechRepublic Premium. Published June 28, 2020.
Every enterprise needs to establish a plan of action to assess and then recover from unauthorized access to its network. This policy provides a foundation from which to start building your specific procedures.

From the policy:

Policy details

Whether initiated with criminal intent or not, unauthorized access to an enterprise network is an all too common occurrence. Although network intrusion and protection hardware and software systems can prevent or mitigate many of these incidents, even the best security will suffer a breach at some point. When an intrusion is detected, the incident response team must act quickly to protect the integrity of the enterprise’s data according to the procedures outlined in this policy.
The Incident Response Policy applies to all employees, executives, contractors, and vendors with access to any part of the information technology network of this enterprise, regardless of role. Any intrusion, no matter how it’s discovered, must be reported under the procedures outlined by this policy.
