How can you update an incident response plan based on risk management?

An incident response plan (IRP) is a set of procedures and guidelines that help an organization prepare for, detect, contain, analyze, and recover from cyberattacks. However, an IRP is not a static document that can be created once and forgotten. It needs to be updated regularly based on the changing threat landscape, the evolving business objectives, and the lessons learned from previous incidents. One of the key factors that should inform the IRP update process is risk management. Risk management is the process of identifying, assessing, and prioritizing the risks that an organization faces, and implementing appropriate controls and mitigation strategies to reduce their impact and likelihood. In this article, you will learn how you can update your IRP based on risk management, and what steps you need to take to ensure your plan is effective and aligned with your business goals.

1 Identify your assets and threats

The first step to update your IRP based on risk management is to identify your assets and threats. Your assets are the resources, data, systems, and processes that are critical for your organization's operations and reputation. Your threats are the potential sources of harm or disruption that could compromise your assets, such as hackers, malware, insiders, natural disasters, or human errors. You need to have a clear and comprehensive inventory of your assets and threats, and categorize them according to their value, sensitivity, and exposure. This will help you prioritize your protection and response efforts, and allocate your resources accordingly.

Add your perspective

Christian Borst

Building resilience in a digital world | Executive Advisor | CTO, CSO, CISO
Report contribution
I have seen and listen too many times to people that put a lot of emphasize on an accurate and most comprehensive asset (and threat) inventory. While it holds true that you can only manage/protect what you know, you have to accept that you will always only be ever getting to an approximation. Why? Because it is per definition a moving target, as your business and the world keeps on turning. Applying an 80/20 approach, striving to get close to your 100%, will enable you to provide a sound basis for an comprehensive risk management approach. Don’t get stuck in chasing the holy grail.

Like
Jason Lopez

IT/Cybersecurity Professional | CompTIA Security+
Report contribution
In discussions, some stress perfect asset and threat inventories for cybersecurity. While knowing what to protect is crucial, perfection here is like chasing a moving target. The digital world evolves; assets and threats change constantly. Instead of perfection, focus on building a strong and adaptable foundation, like a reliable compass for the journey. Be flexible in the dynamic cybersecurity landscape without chasing an unattainable ideal.

Like

2 Assess your risks and vulnerabilities

The next step to update your IRP based on risk management is to assess your risks and vulnerabilities. Your risks are the combination of the likelihood and the impact of a threat exploiting a vulnerability in your assets. Your vulnerabilities are the weaknesses or gaps in your security posture that could be exploited by a threat. You need to conduct a risk assessment to quantify and qualify your risks, and identify the most significant ones that require immediate attention. You also need to conduct a vulnerability assessment to scan and test your assets for any flaws or exposures that could be exploited by a threat. You need to document your findings and recommendations, and communicate them to the relevant stakeholders.

Add your perspective

Ryan Soper

Your Partner in Creating Safe and Successful Events, Productions and much more! || MEDIREK.CO.UK
Report contribution
It's important when conducting Risk Assessments to consider a range of perspectives. When referring to health and safety RA, you often focus on the 'common man' with no additional awareness or training to prevent injury or incident. This can be applied in this context too, starting from the bottom of the most basic things such as somebody physically breaking in and stealing documentation, through to more advanced areas you may want to seek technical consultancy on such as software or hardware vulnerabilities and the result of harware or software failures. Starting from the ground up will seem arduous, but you'll end up with a much more comprehensive RA.

Like
Christian Borst

Building resilience in a digital world | Executive Advisor | CTO, CSO, CISO
Report contribution
A sound and comprehensive approach to assessing vulnerabilities puts an emphasize on testing people, processes and technology. I personally favor regular attack exercises that not only identify vulnerabilities, but also test the defense processes at the same time.

Like

3 Update your controls and mitigation strategies

The third step to update your IRP based on risk management is to update your controls and mitigation strategies. Your controls are the measures that you implement to prevent, detect, or respond to a threat, such as policies, procedures, tools, or training. Your mitigation strategies are the actions that you take to reduce the impact or likelihood of a risk, such as backup, recovery, or contingency plans. You need to review your existing controls and mitigation strategies, and evaluate their effectiveness and efficiency. You also need to identify any gaps or opportunities for improvement, and implement new or enhanced controls and mitigation strategies based on your risk assessment and vulnerability assessment results. You need to document your changes and updates, and test and validate them regularly.

Add your perspective

Ryan Soper

Your Partner in Creating Safe and Successful Events, Productions and much more! || MEDIREK.CO.UK
Report contribution
An important point to remember is that not all risk can be removed, and indeed, not all risk can be reduced. The policing sector often deal with risk by virtue of Remove, Reduce, Accept. I.E. Forumulate controls that effectively eradicate the risk, if thats not possible, do all you can to reduce that risk to a minimum (most controls/mitigations fall into this category) and then finally, if neither are possible, and the activity is still necessary, then you accept the risk and mitigate against the potential fallout that will occur if the worst happens.

Like

4 Update your roles and responsibilities

The fourth step to update your IRP based on risk management is to update your roles and responsibilities. Your roles and responsibilities are the tasks and duties that each member of your incident response team (IRT) and other stakeholders have to perform before, during, and after an incident. You need to define and assign your roles and responsibilities based on your organizational structure, skills, and resources. You also need to update your contact information, escalation procedures, and communication channels. You need to document your roles and responsibilities, and train and educate your team and stakeholders on their expectations and obligations.

Add your perspective

Christian Borst

Building resilience in a digital world | Executive Advisor | CTO, CSO, CISO
Report contribution
And keep in mind that in a cyber incident, information that we usually rely on may not be available any longer. E.g. ensuring relevant contact information is available outside a digital corporate directory helps to establish communication. Following the same principle, key documentation & procedures should be kept available as required, too.

Like

5 Update your incident scenarios and response procedures

The fifth step to update your IRP based on risk management is to update your incident scenarios and response procedures. Your incident scenarios are the hypothetical situations that could occur based on your threat profile, risk level, and asset value. Your response procedures are the specific steps that you follow to handle each incident scenario, such as identification, containment, analysis, eradication, recovery, and reporting. You need to update your incident scenarios and response procedures based on your risk assessment and vulnerability assessment results, and your updated controls and mitigation strategies. You also need to consider any changes in your business objectives, regulatory requirements, or industry standards. You need to document your incident scenarios and response procedures, and test and exercise them regularly.

Add your perspective

Lauren Wilson

Senior Leader in Cyber Incident Management
Report contribution
Identifying a relevant and threat specific scenario will help provide targeted testing of the newly implemented controls. Each organisation will face an ever evolving threat landscape, with threat actors specifically equipped to target their sector. Using threat intelligence reports detailing recent TTPs, the organisation will be able to focus on the most likely attack vector and exercise these controls to prepare their IRPs.

Like

6 Update your lessons learned and feedback mechanisms

The sixth step to update your IRP based on risk management is to update your lessons learned and feedback mechanisms. Your lessons learned are the insights and best practices that you gain from reviewing and evaluating your incident response performance, such as what worked well, what did not work well, and what can be improved. Your feedback mechanisms are the tools and methods that you use to collect and analyze data and information from your incident response activities, such as metrics, surveys, reports, or audits. You need to update your lessons learned and feedback mechanisms based on your incident response outcomes, and your updated roles and responsibilities. You also need to incorporate any suggestions or recommendations from your team, stakeholders, or external parties. You need to document your lessons learned and feedback mechanisms, and use them to inform your future IRP updates.

Add your perspective

Christian Borst

Building resilience in a digital world | Executive Advisor | CTO, CSO, CISO
Report contribution
Think about a continuous improvement cycle and include lessons learnt in all activities. This will ensure regular reviews and updates of all your resources as a standard operational activity. Use dynamic content management systems (e.g. Wikis) rather than large static documents like MS Office or PDF files to facilitate such a process.

Like

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

Add your perspective

How can you update an incident response plan based on risk management?

1

2

3

4

5

6

7

1 Identify your assets and threats

2 Assess your risks and vulnerabilities

3 Update your controls and mitigation strategies

4 Update your roles and responsibilities

5 Update your incident scenarios and response procedures

6 Update your lessons learned and feedback mechanisms

7 Here’s what else to consider

Incident Response

Rate this article

Thanks for your feedback

More articles on Incident Response

More relevant reading