Creating an Incident Response Program

Research shows that consumers have widespread distrust of many organisations' business practices, including how they collect, use and retain personal information. A security incident is an adverse event in an information system and/or network, or the threat that such an event will occur.

According to CERT, a security incident can have any of the following definitions:

i) Violation of an explicit or implied security policy
ii) Attempts to gain unauthorised access
iii) Unwanted denial of resources
iv) Unauthorised use of electronic resources
v) Modification without the owner's knowledge, instruction, or consent
vi) Theft of displaced property

An Incident Response Program (IRP) is a plan created to provide a defined, organised and coordinated approach for handling any potential threat to computers and data. One of the means of creating a good incident response plan is the establishment of a Computer Security Incident Response Team (CSIRT).

Computer Security Incident Response Team

A CSIRT is established to provide a quick and effective response to computer-related incidents such as virus infections, improper disclosure of confidential information to others, service interruptions, breaches of personal information, computer hacking, and other events that could compromise computer security. The CSIRT's purpose is to prevent a serious loss of profits and to retain public confidence, reputation and information assets by providing an immediate and effective response to any unexpected event involving computer information systems, networks or databases.

CSIRT staff should be responsible for the following areas:

- Development and preservation of the program and its documentation
- Defining and classifying incidents
- Determining the tools and technology used in intrusion detection
- Determining whether an incident should be investigated and the scope of such an investigation (i.e. involvement of law enforcement agencies, forensic work)
- Securing the network
- Conducting follow-up reviews
- Promoting awareness throughout the organisation

Creating a Successful Incident Response Program

For an IRP to be successful, the program must be maintained and updated to reflect any organisational or infrastructure changes and any newly discovered vulnerabilities.

Due to the nature and amount of business being done through the Internet, minimising security vulnerabilities and responding to security incidents in an efficient and thorough manner can become critical to business continuity.

Gartner provides cost estimates for an IRP. It estimates that a large organisation and/or an organisation largely dependent on e-commerce should budget for the following:

- Two dedicated CSIRT employees reporting to the chief information security officer
- $251,000 per-person start-up capital expenditure:
  • Hardware – $144,000
  • Software – $80,000
  • Education – $27,000 per year
  • Stand-alone CSIRT command central reporting center
  • Telecommunications – 24 telephone lines (8 each for voice, data, fax)
  • External services – investigations and forensics – $100,00 per year

Implementing an Incident Response Program

- It is important that an organisation ensures that its information systems are kept properly updated. The Internet is a valuable resource that allows organisations to monitor the release of upgrades from vendors.
- CSIRT members should be alerted to any high-risk security incident automatically.
- A database should be developed to track all reported security incidents.
- All reported incidents should be classified in a high/medium/low risk range to facilitate the appropriate actions to take.
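The tracking database, high/medium/low classification and automatic alerting of CSIRT members described in the list above, as an added example that is not code from the original post. The CERT categories come from this page; the mapping of each category to a default risk level, the escalation rules and the in-memory alert list are assumptions for the example.

```python
import sqlite3

# CERT incident categories listed on this page, mapped to a default risk
# level. The mapping itself is an assumption chosen for this example.
CATEGORY_RISK = {
    "policy_violation": "low",
    "unauthorised_access_attempt": "medium",
    "denial_of_resources": "high",
    "unauthorised_use": "medium",
    "unauthorised_modification": "high",
    "theft": "high",
}

ALERTS = []  # stand-in for paging or e-mailing CSIRT members


def classify(category, confidential_data=False, systems_affected=1):
    """Return 'high', 'medium' or 'low' for a reported incident."""
    risk = CATEGORY_RISK[category]
    # Escalation rules (assumed): any confidential-data exposure or a
    # multi-system incident is handled as high risk.
    if confidential_data or systems_affected >= 5:
        return "high"
    if risk == "low" and systems_affected > 1:
        return "medium"
    return risk


def open_db(path=":memory:"):
    """Create the incident-tracking table if it does not exist."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS incidents (
        id INTEGER PRIMARY KEY, reported_at TEXT, category TEXT,
        risk TEXT, description TEXT, status TEXT)""")
    return db


def report_incident(db, reported_at, category, description,
                    confidential_data=False, systems_affected=1):
    """Record an incident; high-risk incidents alert the CSIRT automatically."""
    risk = classify(category, confidential_data, systems_affected)
    cur = db.execute("INSERT INTO incidents VALUES (NULL, ?, ?, ?, ?, ?)",
                     (reported_at, category, risk, description, "open"))
    db.commit()
    if risk == "high":
        ALERTS.append(f"incident {cur.lastrowid}: {category} ({description})")
    return cur.lastrowid, risk


def open_incidents_by_risk(db):
    """Count open incidents per risk level, e.g. {'high': 1, 'low': 1}."""
    rows = db.execute("SELECT risk, COUNT(*) FROM incidents "
                      "WHERE status = 'open' GROUP BY risk")
    return dict(rows.fetchall())
```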


CSIRT employees should be made responsible for performing the initial investigation to determine whether an incident has occurred. Some of the measures that can prevent further intrusion include blocking the IP address from which the attack originates, disabling the affected user ID, removing or blocking the system from the network and/or shutting the system down.


Depending on the level of intrusion, an organisation may decide to perform a forensic investigation that can allow the affected organisation to gain a better understanding of the intrusion and the attacker. By performing such an investigation, the organisation may be able to obtain information on the existing security vulnerabilities in the organisation’s systems, any changes to be made to the systems and/or applications, identification of the sources of the attack, and methods of information disclosure, including acts of espionage.


Recovery includes ensuring that the attacker’s points of penetration and any associated vulnerabilities have been eliminated and all systems have been restored.


Perhaps the most important follow-up to an incident is ensuring that the organisation has learned from the incident, in order to reduce the likelihood of such incidents re-occurring.


This article takes a look at incident response programs (IRPs), plans created to provide a defined, organised and coordinated approach for handling any potential threat to computers and data. It outlines the stages involved in creating an IRP: reporting/discovery, response, investigation, recovery and follow-up.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • Incident response programs (I.C.c.)
