
Cyber Incident Response - Incident Communications Plan

brencronin

Updated: Nov 10, 2024

Cyber Incident Response Communications Plan Purpose


The purpose of this communications plan is to ensure secure, efficient, and coordinated communication among the Cyber Incident Response Team (CIRT) during the investigation, containment, and resolution of a cyber incident. This plan outlines the methods of communication, verification of team authenticity, communication intervals, documentation procedures, and the chain of command and decision-making process.


Scope


This plan applies to all members of the CIRT, including internal employees, contractors, and third-party service providers involved in the response to a cyber incident.


Communications Methods


Secure Communication Channels


  1. Encrypted Messaging Applications: Use end-to-end encrypted messaging applications (e.g., Signal, WhatsApp, or a secure organizational messaging platform) for real-time communication. If the incident may involve compromise of the organization's own identity provider, email, or collaboration platform, coordinate over an out-of-band channel on separate infrastructure and separate accounts, so that the adversary cannot read the response team's traffic.

  2. Secure Email: Use encrypted email services for detailed communication and documentation exchange.

  3. Virtual Meeting Tools: Use secure virtual meeting tools (e.g., Zoom with end-to-end encryption enabled, Microsoft Teams, WebEx) for virtual meetings and briefings. The same consideration applies: if the meeting platform is part of the potentially compromised environment, use an alternative for the duration of the incident.

  4. Incident Response Platform: Utilize the organization's incident response management platform, which includes secure communication capabilities and incident tracking.


Verifying Team Authenticity


  1. Two-Factor Authentication (2FA): All communication platforms used by the CIRT must require 2FA for access, using phishing-resistant factors (e.g., hardware security keys) where the platform supports them.

  2. Code Words/Phrases: Establish pre-agreed code words or phrases that team members can use to verify their identity during critical communications. Distribute them out of band before an incident, treat a code word as burned once it has been spoken or typed on any channel, and rotate them, since an adversary who observes one can replay it.

  3. Digital Certificates: Use digital certificates (e.g., S/MIME signing certificates) to verify the authenticity of emails and other digital communications.
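
A static code word protects the team only until it has been heard once. As an added example, not part of the original plan, the following Python sketch shows a challenge-response variant of the same idea: the IC sends a fresh random challenge over the channel and the member answers with an HMAC over it under a secret that was shared out of band before the incident, so nothing replayable ever crosses the channel. The roster, the member names, and the `Verifier` class are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample roster (hypothetical members). In practice each secret is
# generated at onboarding and handed over out of band, never over the incident
# channel, and is held only by that member and by the IC's verifier.
ROSTER = {
    "alice": secrets.token_bytes(32),
    "bob": secrets.token_bytes(32),
}


def answer_challenge(member_id: str, member_secret: bytes, challenge: str) -> str:
    """Claimant side: prove knowledge of the secret without revealing it.

    The tag binds the member id and the fresh challenge, so a tag captured
    from the channel is useless for any other challenge or any other identity.
    """
    msg = f"{member_id}|{challenge}".encode()
    tag = hmac.new(member_secret, msg, hashlib.sha256).hexdigest()
    return f"{member_id}|{challenge}|{tag}"


class Verifier:
    """Verifier side (e.g. the IC). Issues single-use challenges and checks answers."""

    def __init__(self, roster: dict[str, bytes]):
        self.roster = roster
        self.outstanding: set[str] = set()  # challenges issued but not yet consumed

    def challenge(self) -> str:
        """A fresh random nonce; it can be sent in the clear."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, response: str) -> bool:
        parts = response.split("|")
        if len(parts) != 3:
            return False
        member_id, challenge, tag = parts
        secret = self.roster.get(member_id)
        if secret is None:
            return False  # unknown identity
        if challenge not in self.outstanding:
            return False  # replayed, forged, or already-consumed challenge
        # Consume the challenge before checking the tag: a wrong answer burns
        # it, so an attacker cannot keep guessing against the same nonce.
        self.outstanding.discard(challenge)
        expected = hmac.new(secret, f"{member_id}|{challenge}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def demo() -> dict[str, bool]:
    """Walk through the exchange once; returns the outcome of each case."""
    ic = Verifier(ROSTER)
    results = {}

    # 1. Genuine member answers the IC's challenge.
    c1 = ic.challenge()
    r1 = answer_challenge("alice", ROSTER["alice"], c1)
    results["genuine"] = ic.verify(r1)

    # 2. An eavesdropper replays alice's earlier answer verbatim.
    results["replay"] = ic.verify(r1)

    # 3. Someone claims to be alice but only holds bob's secret.
    c3 = ic.challenge()
    results["wrong_secret"] = ic.verify(answer_challenge("alice", ROSTER["bob"], c3))

    # 4. Malformed or unsolicited message that was never challenged.
    results["garbage"] = ic.verify("alice|not-a-real-challenge|00")
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>12}: {'accepted' if ok else 'rejected'}")
```

This proves possession of the shared secret, not that the member's device is uncompromised; if the endpoint is under adversary control the verifier has no way to tell, which is why device integrity and out-of-band channels still matter alongside identity verification.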


Communication Intervals


  1. Initial Notification: Immediately upon detection of a confirmed incident, the Incident Commander (IC) will notify all CIRT members via the secure messaging application.

  2. Regular Updates: The IC will schedule regular update intervals (e.g., every 30 minutes to 1 hour) to provide status updates, share findings, and adjust response strategies.

  3. Ad-Hoc Meetings: The IC may call for ad-hoc meetings as necessary based on the evolving nature of the incident.


Documentation Procedures


  1. Incident Response Ticket:

  • An incident response ticket will be created in the incident response management platform for each incident.

  • All communications, decisions, actions taken, and findings must be documented in the incident response ticket.

  2. Communication Logs:

  • Detailed logs of all communications (e.g., messages, emails, meeting notes) will be maintained and attached to the incident response ticket.

  • The IC will ensure that logs are updated in real-time or as soon as practical.


Chain of Command and Decision Making


  1. Incident Commander (IC):

  • The IC has overall responsibility for managing the incident response, making key decisions, and ensuring effective communication among team members.

  • The IC will assign specific roles and tasks to CIRT members based on the nature of the incident.

  2. CIRT Members:

  • Each CIRT member will have clearly defined roles and responsibilities, contributing their expertise to the incident response.

  • Team members will report their findings and actions to the IC at regular intervals and upon request.

  3. Decision-Making Process:

  • The IC will consult with relevant experts within the CIRT to make informed decisions.

  • Major decisions (e.g., containment strategies, public disclosures) will be made collaboratively, with input from senior management and other key stakeholders as needed.

  4. Escalation:

  • If the incident escalates or requires additional resources, the IC will escalate the issue to senior management and other relevant authorities.

  • The escalation process will be documented, and additional roles or external experts may be incorporated into the response as necessary.


Secure Storage of Communications


  1. Encrypted Storage: All communication records, logs, and incident response tickets will be encrypted at rest.

  2. Access Control: Access to communication records will be restricted to authorized CIRT members and relevant stakeholders.

  3. Audit Trails: Maintain audit trails of all access to communication records to ensure accountability and traceability.


Review and Revision


This communications plan will be reviewed annually and revised as necessary to reflect changes in technology, organizational structure, or best practices in incident response.


Approval


This communications plan has been approved by [Approving Authority] on [Date].


[Organization Name] Cybersecurity Department
