Incident Management Principles by Toni Sless

Toni Sless

September 2016

All businesses, large or small, should have a plan of action and an incident management response plan in place so that they can effectively mitigate an incident, be it a cyber attack, data breach, fraud or critical threat, and respond in a timely manner. With that in mind, the following is our guide to incident management principles.

  1. Get your policies and processes in order. Policies should be clear, concise, accessible and appropriate to the business. They also, very importantly and often overlooked, need to be well communicated and enforced. Processes should be simple and understandable by all stakeholders, so that in the event of an incident (be it fraud, a critical threat or a cyber attack) everybody knows who is handling what and communicating to whom.
  2. Your policies and processes should also include an incident response plan. This should be tested on a regular basis; we recommend bi-annually or annually. Testing ensures that those involved in an incident know and understand their roles and responsibilities. Equally, it provides an opportunity to confirm that the correct processes are in place and are robust.
  3. Roles and responsibilities of the Crisis Management Team (CMT), Incident Response Team (IRT) or Incident Management Team (IMT) should be clearly defined so that everybody involved has a clear delineation of duty and accountability.
  4. All members of the CMT, IRT or IMT should be provided with regular training.
  5. Ensure all employees, suppliers, stakeholders and customers know to whom an incident should be reported. Provide clear guidelines on the reporting process, which should already be in place as per point 1. The recipient of an incident notification should also know to whom the incident should in turn be reported, ensuring the salient information is captured and reported according to business policy.
  6. The CMT, IRT or IMT should know to whom the incident should be cascaded, internally and externally, including law enforcement and the Information Commissioner's Office (ICO) where relevant. Ensure you have a dedicated Single Point of Contact (SPOC) to avoid several people from different parts of your business speaking to the same organisation.
  7. Ensure your PR team is fully apprised and updated at appropriate times so that briefings can be given to the media, stakeholders, customers and so on.
  8. Have a clear, concise response plan.
  9. Maintain an incident log that is easily accessible and easy to use. It should include full details of the incident, names and locations (if available or known), timings, actions, accountabilities and responsibilities. The log could become admissible evidence, so ensure each page is signed and dated by the incident log manager and that it is clear who is accountable and who authorised each action.
  10. After the incident, evaluate your lessons learned: what worked and what didn't. Re-evaluate your policies and processes and update them where necessary to reflect the areas that require change. Implement the changes as soon as practicable and cascade any changes to policies and processes where relevant.

Bonus tip: it's now widely accepted that, when it comes to incidents, it's not a case of 'if' but 'when'. As such, your incident response plan should be tested before an incident, so that the first time you put it into practice isn't when you need it the most. In the event of an incident, ensure you conduct a lessons learned exercise, implement resolutions in a timely manner and keep your stakeholders informed.

There is no such thing as 100% security, but you can and should mitigate risk where possible; the tips above will help you do just that. If you want more assistance or information, please contact Toni Sless.