What it is
An incident response plan is a step-by-step guide that documents who will do what if a cyber security incident occurs.
Having a plan in place before an incident occurs will help you take control of the situation, navigate your way through and reduce the impact on your business.
How it works
Your plan will depend on the size, scale and operation of your business, but there are some standard elements to consider that will help in recovery.
How you want to document or format your plan is up to you. What’s most important is that:
- it’s written down in hard copy and everyone knows where it is
- it’s easy to access
- it’s short and clear enough to read quickly and easily
- staff are familiar with it before they need to use it.
It’s likely that people who need to use the plan will be under pressure, so it’s important that the language is clear and simple and the steps are easy to follow.
Creating an incident response plan
Take some time to go through a cyber security risk assessment for your business. This process will help you identify the specific risks that may apply to your business, and what to put in place to reduce the chance of an event occurring.
1. Identifying and reporting incidents
Outline a process to help your staff identify and report suspicious or unusual activity that might indicate a cyber security incident has occurred.
It should clearly state:
- what you want staff members to do if they suspect an incident has occurred, and who they should report it to
- what to do if a staff member receives a report from a customer about something unusual on your website or with a software product
- how customers should let you know if they notice something unusual on your website – for example, you could provide a contact email address.
You run an online retail store and one of your employees notices suspicious activity on the website – unusual images displaying or a problem with the payment portal. The reporting process might be:
- Employee reports issue to the manager.
- Manager contacts technical support.
- Manager reports the incident to CERT NZ.