5 Steps to Create an Effective Incident Response Program

June 9th, 2016 Posted by Kevin Gillingham

Organizations rely on their data to carry out daily operations. Unfortunately, high-profile breaches are becoming more common and costly. In 2015 alone, cyber-attacks saw almost 300 million records leaked and $1 billion stolen. Moving into 2016, it’s important to make sure your online operations and electronic data are secure and protected.

But where should you start? In a recent blog, Cisco laid out five steps for an effective response program. We’ve summarised them here for you:

1. Set Up an Incident Response Program

You can establish an incident response program for your organization by:

1. Identify a response leader. This person should have a good understanding of the business and be an effective problem solver.

2. Assemble a team of stakeholders. Each should have clearly outlined responsibilities and roles.

3. Draft your response process and establish documentation standards. Remember, you don’t need to make the plan complicated. It just needs to work for your business and be applied consistently.

4. Connect people with the tools they need. The good news is that much of what you need is likely already in place.

5. Understand your capability gaps and craft a plan to address them. You can start with a minimum viable process and enhance it over time.

2. Detect Events

To discover incidents quickly, rely on sources like:

  • Internal Users, Monitoring Protocols, and Risk-Assessment Tools: Ultimately, the best place to start is making your employees aware. They should understand the security risks relevant to your business and know how to recognize them. If they assume everything is safe, dangerous anomalies are easier to overlook.
  • External Customers and Entities: Take advantage of automated monitoring tools – including analytics that flag questionable user behaviour or traffic – as your second line of defence.
  • Social Media: Bad news travels fast. Monitor social media to make sure you’re not the last one to know.

3. Begin Triage and Containment

Triage starts as soon as you detect a problem. Research the situation until you understand it; that understanding determines how you should respond.

Ask yourself these questions:

  • What’s the nature of the problem?
  • Is it an ongoing event?
  • Will people outside of your organization hear about the event?
  • Which services, systems, applications, or products are affected?
  • Could sensitive data – including customer or personal information – be compromised or exposed?

Once you understand the situation, contain the event: take all necessary actions as soon as possible to stop the incident and limit any further data loss.

4. Execute Your Response Plan

After containing the incident, develop a response plan that covers items such as:

  • Actions necessary to remediate damage.
  • Notifications and communications you need to issue, both internal and external.

Before you can develop a response plan, make sure you fully understand the scope, nature, and cause of the problem.

5. Undertake Remediation

After completing all the activities outlined in your response plan, review the incident’s status and the lessons you learned from it. Acting on those lessons afterwards helps you improve your data security practices for the future.

Activo is proud to be partnered with Cisco, providing advanced, leading-edge network solutions. Contact us today to discuss the networking technologies that will be right for your business.

Written by Kevin Gillingham

Kevin Gillingham is the Vice President of Sales and Marketing at Activo. Through his expertise in technology, cabling, and communication solutions, he provides leadership and guidance to Activo’s team across Canada.
