© 2011—2020 by BluTinuity, LLC

How to Build an Effective Security Incident Response Plan

Updated: Mar 6, 2019


A security incident is any event that compromises, or threatens to compromise, the confidentiality, integrity, or availability of an organization's information or systems, and that could therefore disrupt normal business activities or services. It is essential to prepare a course of action before such an incident occurs in your organization, not while it is unfolding. The following steps will guide you through creating an effective security incident response plan:


1. Complete a Risk Assessment. Identify the areas of your organization most vulnerable to harm from a security incident. Consider the confidentiality, integrity, and availability of your information, and think about the impact an incident could have on your brand, operational performance, regulatory compliance, and financial position. The list of critical assets and likely threats this produces is what the rest of the plan is built on.


2. Develop Runbooks. Identify the most likely scenarios and write a runbook with specific action steps for each. Examples include ransomware, network intrusion, data loss or breach, unauthorized access, and physical security breach. For each scenario, spell out the containment, eradication, and recovery steps. The runbooks should enable a rapid response even when the usual technical staff are unavailable, so write them for whoever is on hand to respond, not only for the expert who designed them.


3. Prepare a Security Incident Response Team. Establish an internal, multi-disciplinary leadership team with officers covering each potentially affected function, such as the chief information security officer, chief compliance officer, risk management officer, and other subject matter experts as needed.

● Set a clear plan and expectations for how, and how often, the team communicates: prepare a list of emergency numbers for each member, establish pre-defined, pre-approved messages, and name who is authorized to initiate each message. Keep the contact list and an out-of-band channel available offline, since email or chat may itself be affected by the incident.

● Gather an external team of experts to contact in the event of an incident, such as a data breach specialist, public relations manager, insurance provider, portable power supplier, law enforcement contact, and so on, with their contact details recorded in the plan.


4. Consider and Prepare for Incident Detection and Analysis. This may include updating infrastructure documentation and reviewing the recovery time objective (RTO) and recovery point objective (RPO) for applications and systems, so that recovery steps in the runbooks have a target to meet. It also covers how incidents are detected by monitoring tools, how an incident is documented and formally declared, who communicates what, and how status is reported while the incident is open.
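The following is an added illustration, not code from the original article, of how the pieces in steps 1, 2 and 4 fit together in practice: a small detector that scans constructed SSH authentication log lines for a burst of failed logins from one source (the unauthorized-access scenario), declares an incident, assigns a severity from a hypothetical asset-criticality table (the kind of output a risk assessment produces), escalates if a login succeeds after the burst, attaches the matching runbook, and prints a status line for the team. The host names, IP addresses, thresholds, log format and runbook steps are all assumptions made for the example.

```python
"""Added example (not from the original article): detection, declaration and
status reporting for an unauthorized-access scenario over constructed logs."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like, invented for this example).
SAMPLE_LOGS = """\
2019-03-06T10:00:01 host=db01 sshd: Failed password for admin from 203.0.113.7
2019-03-06T10:00:03 host=db01 sshd: Failed password for admin from 203.0.113.7
2019-03-06T10:00:05 host=db01 sshd: Failed password for root from 203.0.113.7
2019-03-06T10:00:06 host=db01 sshd: Failed password for root from 203.0.113.7
2019-03-06T10:00:08 host=db01 sshd: Failed password for root from 203.0.113.7
2019-03-06T10:00:09 host=db01 sshd: Accepted password for root from 203.0.113.7
2019-03-06T10:30:00 host=web01 sshd: Failed password for deploy from 198.51.100.4
2019-03-06T11:30:00 host=web01 sshd: Failed password for deploy from 198.51.100.4
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Hypothetical asset register from the risk assessment: host -> criticality (1 low .. 3 high).
ASSET_CRITICALITY = {"db01": 3, "web01": 2}

# Hypothetical runbook for the unauthorized-access scenario: containment, eradication, recovery.
RUNBOOKS = {
    "unauthorized_access": [
        "Contain: isolate the host from the network",
        "Contain: disable the targeted accounts and block the source address",
        "Eradicate: rotate credentials and remove any persistence found",
        "Recover: rebuild from a known-good image and restore data within the RPO",
    ],
}

THRESHOLD = 5                  # failed logins from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window declares an incident


@dataclass
class Incident:
    scenario: str
    host: str
    source: str
    severity: str
    evidence: list = field(default_factory=list)
    runbook: list = field(default_factory=list)


def parse(lines):
    """Yield parsed events; lines that do not match the expected format are skipped."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def severity_for(host, compromised):
    """Severity from asset criticality, raised when the attacker actually got in."""
    crit = ASSET_CRITICALITY.get(host, 1)
    if compromised and crit >= 3:
        return "critical"
    if compromised or crit >= 3:
        return "high"
    return "medium"


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window failed-login detector; returns the declared incidents."""
    recent = defaultdict(list)  # (host, source) -> timestamps of recent failures
    declared = {}               # (host, source) -> Incident
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent[key].append(ev["ts"])
            if len(recent[key]) >= threshold and key not in declared:
                declared[key] = Incident(
                    scenario="unauthorized_access", host=ev["host"], source=ev["src"],
                    severity=severity_for(ev["host"], compromised=False),
                    evidence=[f"{len(recent[key])} failed logins within {window}"],
                    runbook=RUNBOOKS["unauthorized_access"],
                )
        elif key in declared:
            # Successful login after the burst: escalate, the account is presumed compromised.
            inc = declared[key]
            inc.severity = severity_for(ev["host"], compromised=True)
            inc.evidence.append(f"successful login as {ev['user']} after failure burst")
    return list(declared.values())


def status_report(incidents):
    """One line per incident, suitable for the team's status update."""
    return [
        f"[{i.severity.upper()}] {i.scenario} on {i.host} from {i.source}: "
        f"{'; '.join(i.evidence)} -> next step: {i.runbook[0]}"
        for i in incidents
    ]


if __name__ == "__main__":
    for line in status_report(detect(SAMPLE_LOGS)):
        print(line)
```

On the sample data the burst against db01 crosses the threshold and is declared at "high" because the host is rated critical, then escalates to "critical" when the root login succeeds; the two failures against web01 an hour apart never meet the window and raise no incident. The point of the example is the wiring, not the rule: the criticality table, the threshold and the runbook are exactly the things steps 1, 2 and 4 tell you to decide in advance.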


5. Post-Incident Activities. Record your organization's plan for formal data breach notification within the timelines that apply to it (set by regulation, contract, or cyber-insurance policy); an after-action review session; the creation of an investigation report; reporting to the board of directors, senior leadership, and staff; and further training and awareness as needed. Feed lessons from the review back into the risk assessment and the runbooks so the plan improves with each incident.


An effective Security Incident Response Plan must be communicated to everyone involved in the organization and rehearsed in a tabletop exercise, so that it actually works when an incident occurs rather than being read for the first time under pressure. With a working, tested plan, your organization can avoid many of the negative repercussions that come with a security incident.