CSF-DOC-PRIR-2 ICT Continuity Incident Response Procedure

Page 1

NIST CSF 2.0 Toolkit: Version 2 ©CertiKit ICT Continuity Incident Response Procedure

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

The Incident Response Procedure sets out in detail how the organization will initially react to a business continuity incident and manage it going forward. It is intended to be used at the point at which an incident has occurred.

Areas of the framework addressed

The following areas of the Cybersecurity Framework are addressed by this document:

• Protect (PR)

o Technology Infrastructure Resilience (PR.IR)

▪ PR.IR-02

General guidance

This procedure has much in common with the procedure for handling an information security incident, as the degree of high-level business involvement and support required is very similar. The key is that information security is considered as part of the planning and does not suffer when a plan is invoked.

You will need to think carefully about who should be included in the incident response structure so that the right people are available in the event of a disruptive incident. The procedures contained in this document need to be clear and concise as they will possibly be used in times of great stress to the people involved.

Try to always have a Plan B for each aspect of the procedure such as deputies for the people, an alternative command center and access to critical documents and resources.

Review frequency

We would recommend that this document is reviewed at least annually and after every relevant exercise or test.

ICT Continuity Incident Response Procedure [Insert classification] Version 1 Page 2 of 36 [Insert date]

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions document.

This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.


Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


ICT Continuity Incident Response Procedure

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: CSF-DOC-PRIR-2
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]

Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE
Contents

1 Introduction .......... 9
2 Incident response flowchart .......... 10
3 Incident detection and notification .......... 11
3.1 Incident detection .......... 11
3.2 Incident notification .......... 11
3.3 Recording the incident details .......... 11
3.4 Contacting the incident response team leader .......... 12
4 Activating the incident response procedure .......... 13
5 Assemble incident response team .......... 14
5.1 Incident response team members .......... 14
5.2 Roles and responsibilities .......... 14
5.2.1 Team leader .......... 15
5.2.2 Team facilitator .......... 15
5.2.3 Incident liaison .......... 15
5.2.4 ICT .......... 15
5.2.5 Business operations .......... 15
5.2.6 Health and safety .......... 16
5.2.7 Human resources .......... 16
5.2.8 Communications .......... 16
5.2.9 Legal and regulatory .......... 16
5.3 Incident command center .......... 16
5.3.1 Location .......... 16
5.3.2 Access .......... 17
5.3.3 Parking .......... 17
5.3.4 Facilities in the command center .......... 17
5.4 Alternate command center .......... 18
6 Impact assessment .......... 19
7 Business continuity plan activation .......... 20
8 Incident management, monitoring and communication .......... 21
8.1 Communication procedures .......... 21
8.1.1 Means of communication .......... 21
8.1.2 Communication guidelines .......... 21
8.1.3 Internal communication .......... 22
8.1.4 External communication .......... 22
8.1.5 Communication with the media .......... 23
9 Ceasing response activities and standing down .......... 25
10 Debrief and post-incident review .......... 26
11 Appendix A: Initial response contact sheet .......... 27
12 Appendix B: Incident impact information log .......... 28
13 Appendix C: Business activities affected and plans activated .......... 29
14 Appendix D: Blank activity logging form .......... 30
15 Appendix E: Blank message logging form .......... 31
16 Appendix F: Internal contact telephone numbers .......... 32
17 Appendix G: Useful external contacts .......... 33
18 Appendix H: Standard incident response team meeting agenda .......... 34
19 Appendix I: Incident command center .......... 35
19.1 Location map .......... 35
19.2 Floor plan .......... 35
20 Appendix J: The phonetic alphabet .......... 36

Figures

Figure 1: Incident response procedure .......... 10

Tables

Table 1: Initial responders .......... 11
Table 2: Incident response team leader contacts .......... 12
Table 3: Incident response team members .......... 14
Table 4: Business continuity plans .......... 20
Table 5: Monitored risk advisory systems .......... 23
Table 6: Organization spokespeople .......... 24
Table 7: Initial response contact sheet .......... 27

1 Introduction

This document is intended to be used when an adverse situation of some kind has occurred that affects the business operations of [Organization Name].

The procedures set out in this document should be used only as guidance when responding to an incident. The exact nature of an incident and its impact cannot be predicted with any degree of certainty and so it is important that a good degree of common sense is used when deciding the actions to take.

However, it is intended that the structures set out here will prove useful in allowing the correct actions to be taken more quickly and based on more accurate information.

The objectives of this incident response procedure are to:

• Provide a concise overview of how [Organization Name] will respond to a disruptive incident affecting its business continuity

• Set out who will respond to an incident and how our business continuity plans will be invoked

• Describe the facilities that are in place to help with the management of the incident

• Define how decisions will be taken regarding our response to an incident

• Ensure that our information always remains secure, despite the adverse situation

• Explain how communication within the organization and with external parties will be handled

• Provide contact details for key people and external agencies

• Define what will happen once the incident is resolved, and the responders are stood down

All members of staff named in this document will be given a copy which they must have available when required.

Contact details will be checked and updated at least three times a year. Changes to contact or other relevant details that occur outside of these scheduled checks should be sent to business.continuity@organization.com as soon as possible after the change has occurred.

All personal information collected as part of the business continuity process and contained in this document will be used purely for the purposes of business continuity planning and is subject to relevant data protection legislation.


2 Incident response flowchart

The flow of the incident response procedure is shown in the diagram below.

Figure 1: Incident response procedure

3 Incident detection and notification

3.1 Incident detection

The incident may be initially detected in a wide variety of ways and through several different sources (including emergency services), depending on the nature and location of the incident. The most important factor is that the incident response procedure must be started as quickly as possible so that an effective response can be given.

3.2 Incident notification

The following contacts will act as initial responders for a disruptive incident. Any of these contacts may be notified of an incident. They all have the authority to contact the Incident Response Team Leader at any time to ask him/her to assess whether the Incident Response Procedure should be activated.

CONTACT | DEPARTMENT | PHONE NUMBER | AVAILABILITY
Team Leader | Facilities Management | xxxx xxxxxxx | 9am to 5pm Mon to Fri
Duty Manager | Facilities Management | xxxx xxxxxxx | Out of hours
ICT Manager | ICT | xxxx xxxxxxx | 9am to 5pm Mon to Fri
Customer Services Team Leader | Customer Services | xxxx xxxxxxx | 6am to 9pm Mon to Sat

Table 1: Initial responders

3.3 Recording the incident details

On receiving notification of a possible disruptive incident, the person taking the call should record the details given, including:

• The name of the caller

• Caller’s contact details

• Date and time of the call

• Call taker’s name

• Exact description of the incident, including:

o Date and time of the incident

o Nature of the incident, for example fire, flood, explosion

o Location of the incident

o Whether emergency services have been called (if appropriate) and if so, are they in attendance?

o Any injuries or loss of life if known

o An estimate of the scale of the impact

• Any other relevant information available

3.4 Contacting the incident response team leader

The initial responder to the incident should then contact the Incident Response Team Leader (or nominated deputy) using the contact details below to convey the above information.

If none of the above can be contacted the initial responder has the authority to decide whether or not the Incident Response Procedure should be activated.

NAME | ROLE IN PLAN | OFFICE PHONE | HOME PHONE | MOBILE PHONE
 | Team leader | | |
 | Deputy 1 | | |
 | Deputy 2 | | |
 | Deputy 3 | | |

Table 2: Incident response team leader contacts

4 Activating the incident response procedure

Once notified of an incident the Team Leader must decide whether the scale and actual or potential impact of the incident justifies the activation of the Incident Response Procedure and the convening of the Incident Response Team.

Guidelines for whether a formal incident response should be initiated for any particular incident of which the Team Leader has been notified are as follows.

• There is significant actual or potential danger to life

Or…

• There is significant actual or potential disruption to business operations

Or…

• Any other situation which may cause significant impact to the organization

Guidelines for the definition of “significant” within the above criteria are as follows:

• Loss of more than one day’s production

• An inability to service more than 60% of customers

• More than one day’s disruption to store replenishment

• Damage to reputation via coverage in national press

• More than 30 employees affected

• [define the level of impact that should trigger the incident response procedure]

In the event of disagreement or uncertainty about whether to activate an incident response the decision of the Team Leader will be final.

If it is decided not to activate the procedure, then a plan should be created to allow for a lower-level response to the incident within normal management channels. This may involve the invocation of a business continuity procedure at a local level.

If the incident warrants the activation of the IR procedure the Team Leader will start to assemble the IRT as described in the next section.


5 Assemble incident response team

Once the decision has been made to activate the incident response procedure, the Team Leader (or deputy) will ensure that all role holders (or their deputies if main role holders are un-contactable) are contacted, made aware of the nature of the incident and asked to either assemble at an appropriate location (by default the command center) or attend a virtual meeting.

The exception is the Incident Liaison who will be asked to attend the location of the incident (if different and appropriate) in order to start to gather information for the impact assessment that the IRT will conduct so that an appropriate response can be determined.

5.1 Incident response team members

The Incident Response Team (IRT) will consist of the following people in the roles specified and with the stated deputies.

ROLE | MAIN ROLE HOLDER | DEPUTY
Team Leader | |
Team Facilitator | |
Incident Liaison | |
ICT | |
Business Operations | |
Health and Safety | |
Human Resources | |
Communications | |
Legal and Regulatory | |

Table 3: Incident response team members

Contact details for the above are listed in Appendix A of this document.

5.2 Roles and responsibilities

The responsibilities of the roles within the incident response team are as follows:

5.2.1 Team leader

• Decides whether to initiate a response

• Assembles the incident response team

• Overall management of the incident response team

• Acts as interface with the board and other high-level stakeholders

• Final decision maker in cases of disagreement

5.2.2 Team facilitator

• Supports the incident response team

• Co-ordinates resources within the command center

• Prepares for meetings and takes record of actions and decisions

• Briefs team members on latest status on their return to the command center

• Facilitates communication via email, fax, telephone, or other methods

• Monitors external information feeds such as weather and news

5.2.3 Incident liaison

• Attends the site of the incident as quickly as possible

• Assesses the extent and impact of the incident

• Provides first-person account of the situation to the IRT

• Liaises with the IRT on an on-going basis to provide updates and answer any questions required for decision-making by the IRT

5.2.4 ICT

• Provides an interface to detailed knowledge about ICT systems and networks held within the ICT team

• Liaises with external suppliers of technology, such as network and cloud providers

• Ensures that information security considerations are included in recovery activities

5.2.5 Business operations

• Contributes to decision-making based on knowledge of business operations, products and services

• Briefs other members of the team on operational issues

• Helps to assess likely impact on customers of the organization


5.2.6 Health and safety

• Assesses the risk to life and limb of the incident

• Ensures that legal responsibilities for health and safety are always met

• Liaises with emergency services such as police, fire and medical

• Considers environmental issues with respect to the incident

5.2.7 Human resources

• Assesses and advises on HR policy and employment contract matters

• Represents the interests of organization employees

• Advises on capability and disciplinary issues

5.2.8 Communications

• Responsible for ensuring internal communications are effective

• Decides the level, frequency and content of communications with external parties such as the media

• Defines approach to keeping affected parties informed, for example customers, shareholders

5.2.9 Legal and regulatory

• Advises on what must be done to ensure compliance with relevant laws and regulatory frameworks

• Assesses the actual and potential legal implications of the incident and subsequent actions

5.3 Incident command center

In order to accommodate the IRT, a pre-prepared location has been selected for the Incident Command Center.

5.3.1 Location

The address of the command center is as follows:

[Give the full address of the command center]


A location map and floor plan of the command center are shown at Appendix I of this document.

5.3.2 Access

During office hours (8am to 5.30pm Monday to Friday) the command center is accessible via reception at the main entrance to the building. Outside of office hours the Duty Facilities Manager must be contacted on xxx xxx xxxx to provide access within one hour of it being requested.

5.3.3 Parking

Parking is available 24 hours a day, 7 days a week at the public facility directly across the street from the office building containing the command center.

5.3.4 Facilities in the command center

The following facilities are available within the command center:

• Main office area

• Separate conference room

• 8 x Landline telephones

• 8 x desktop computers

• Access to the corporate network

• Internet access

• 8 x workstations

• Washroom facilities

• Small kitchen with kettle and microwave

• Projector with screen

• 1 x color printer (networked)

• Television

• Radio

• 8 x hard hats and high visibility vests

• 4 x flashlights

• Stationery (pads, pens, pencils, hole punch, staplers)

A variety of shops are within easy walking distance of the command center should additional equipment be needed (shop hours only).


5.4 Alternate command center

If the incident command center is not available for any reason a secondary facility exists at the following location:

[Give the full address of the alternate command center. Add location map, floor plan and facility list if available]


6 Impact assessment

Once the IRT has been assembled at the Command Center, a more detailed impact assessment must be carried out in order to decide the appropriate response.

The information that should have been recorded at the time of notification of the incident is as follows:

• Date and time of the incident

• Nature of the incident, for example fire, flood, explosion

• Location of the incident

• Whether emergency services have been called (if appropriate) and if so, are they in attendance?

• Any injuries or loss of life if known

• An estimate of the scale of the impact

In addition to this initial indication, further information should be available from the Incident Liaison team member of the IRT who should be at the location of the incident.

Useful further information could include:

• Likely duration of the incident

• Any obvious knock-on effects

• The extent of impact on infrastructure including computers, networks, equipment and accommodation

• The business units affected and the extent of the impact to them

• Any known information security exposure

• The effect on production or service delivery

• A list of those people that will not be able to assist in the recovery

• Initial indication of the likely cause of the incident

This information should be documented so that a clear time-based understanding of the situation as it emerges is available for current use and later review. A form template is provided for this purpose at Appendix B.

A list of the business activities, products, services, teams and supporting processes that have been affected by the incident should be created together with an assessment of the extent of the impact. A template form to record this information is at Appendix C of this document.


7 Business continuity plan activation

Once the IRT has been assembled at the command center and as much detail as possible has been collected about the incident and its impact, a decision needs to be made about the most appropriate response.

[Organization Name] has a variety of business continuity plans that provide for actions to be taken to respond to different types of incidents.

These plans are as follows:

DOCUMENT REF | PLAN TITLE | PLAN DESCRIPTION
Plan001 | Loss of Access to Building A | Move key business activities to alternate site
Plan002 | Loss of main business critical IT servers | Restore backups to warm recovery site
Plan003 | Failure of Critical Supplier | Increase supply from alternative suppliers
[List all business continuity plans] | |

Table 4: Business continuity plans

Based on the current understanding of the business activities affected by the incident, an appropriate combination of the above business continuity plans should be activated to try to mitigate the impact.

The form at Appendix C should be used to record the business continuity plans that are activated to address the specific business activities impacted by the incident.

The method of activation of each plan is detailed in the individual plan document.

8 Incident management, monitoring and communication

Once an appropriate response to the incident has been identified and the relevant business continuity plans activated, the IRT needs to be able to manage the overall response, monitor the status of the incident and ensure effective communication is taking place at all levels.

Regular IRT meetings must be held at an appropriate frequency decided by the Team Leader. A standard agenda for these meetings is at Appendix H. The purpose of these meetings is to ensure that recovery resources are managed effectively and that key decisions are made promptly, based on adequate information. Each meeting will be minuted by the Team Facilitator.

The Incident Liaison will provide updates to the IRT at a frequency decided by the Team Leader. These updates should be coordinated with the IRT meetings so that the latest information is available for each meeting.

8.1 Communication procedures

It is vital that effective communications are maintained between all parties involved in the incident response.

8.1.1 Means of communication

The primary means of communication during an incident will be telephone, both landline and mobile. In the event of telephone communications being unavailable provision may be made for the use of radio communications, although the usable range of such equipment should be assessed. At the Team Leader’s discretion, other electronic methods of communication such as email, SMS, messaging apps and collaboration tools may be used.

8.1.2 Communication guidelines

The following guidelines should be followed in all phone communications:

• Be calm and avoid lengthy conversation

• Advise internal team members of the need to refer information requests to the IRT

• If the call is answered by someone other than the contact:

o Ask if the contact is available elsewhere

o If they cannot be contacted, leave a message asking them to contact you on a given number

o Do not provide details of the Incident

• Always document call time details, responses and actions


All communications should be clearly and accurately recorded using the form at Appendix E to this document.

8.1.3 Internal communication

Phone calls incoming to the command center should use the main number which is:

+xx xxx xxx xxxx

Eight lines are available for incoming calls. If there is no answer a message may be left. If the call is urgent the caller should both leave a message and call back as well as trying alternative methods of communication if available.

If leaving a message, ensure you leave:

• Your name

• Your number

• Your organization

• The name of the person the message is for

• The message

Details of the incident should not be given when leaving a message.

8.1.4 External communication

Depending on the incident there may be a variety of external parties that will be communicated with during the response. It is important that the information released to third parties is managed so that it is timely and accurate.

Calls that are not from agencies directly involved in the incident response (such as the media) should be passed to the member of the IRT responsible for communications.

Emergency responders such as the police, fire and ambulance services will be well practiced in incident handling and will have their own structured methods for communication; every effort should be made to comply with these. A listing of the phonetic alphabet used by the emergency services is at Appendix J.

There may be several external parties who, whilst not directly involved in the incident, may be affected by it and need to be alerted to this fact. These may include:

• Customers

• Suppliers

• Shareholders


• Regulatory bodies

• Supervisory authorities

• Insurers

The Communications IRT member should make a list of such interested parties and define the message that is to be given to them. A list of some external agencies is given at Appendix G.

Interested parties who have not been alerted by the IRT may ask for information about the incident and its effects. These contacts should be recorded in the message log and passed to the Communications member of IRT.

There are a number of national and regional risk advisory systems which may be able to provide information about the incident and likely developments.

The following such systems are monitored:

AGENCY                 | NATIONAL/REGIONAL | SUBJECT                       | METHOD OF COMMUNICATION
Homeland Security      | National          | Security threats and warnings | Email alerts
Environment Agency     | National          | Flood warnings                | Website
Met Office             | National          | Severe weather warnings       | Website/email
Country Fire Authority | Regional          | Fire risk                     | News channels/website
Table 5: Monitored risk advisory systems

The frequency of monitoring these systems should be increased for those that are directly relevant to the incident in hand. All relevant warnings should be logged and communicated to the IRT Team Leader.

8.1.5 Communication with the media

In general, the communication strategy with respect to the media will be to issue regular updates via top management. No members of staff should give an interview with the media unless this is pre-authorized by the IRT.

The preferred interface with the media will be to issue pre-written press releases. In exceptional circumstances a press conference will be held to answer questions about the incident and its effects. It is the responsibility of the Communications IRT member to arrange the venue for these and to liaise with press that may wish to attend.

In drafting a statement for the media, the following guidelines should be observed:

• Personal information should always be protected

• Stick to the facts and do not speculate about the incident or its cause

• Ensure legal advice is obtained prior to any statements being issued

• Try to pre-empt questions that may reasonably be asked

• Emphasize that a prepared response has been activated and that everything possible is being done

The following members of staff will be appointed spokespeople for the organization if further information is to be issued, for example at a press conference:

NAME     | ROLE                             | INCIDENT SCALE
Person A | IRT Communications               | Low
Person B | Head of Corporate Communications | Medium
Person C | Chief Executive Officer          | High
Table 6: Organization spokespeople

The most appropriate spokesperson will depend upon the scale of the incident and its effect on customers, suppliers, the public and other stakeholders.

9 Ceasing response activities and standing down

The Team Leader will decide, based on the latest information from the Incident Liaison and other members of the team, the point at which response activities should be ceased and the IRT stood down. Note that the recovery and execution of business continuity plans may continue beyond this point but under less formal management control.

This decision will be up to the Team Leader’s judgement but should be based upon the following criteria:

• The situation has been fully resolved or is reasonably stable

• The pace of change of the situation has slowed to a point where few decisions are required

• The appropriate response is well underway and business continuity plans are progressing to schedule

• Affected business activities have been resumed although perhaps at a lower level than normal

• The degree of risk to the business has lessened to an acceptable point

• Immediate legal and regulatory responsibilities have been fulfilled

If recovery from the incident is on-going the Team Leader should define the next actions to be taken. These may include:

• Less frequent meetings of the IRT, for example weekly depending on the circumstances

• Informing all involved parties that the IRT is standing down

• Ensuring that all documentation of the incident is secured

• Requesting that all staff not involved in further work return to normal duties

• Returning the command center to a state where it may be used for a future incident

All actions taken as part of standing down should be recorded.


10 Debrief and post-incident review

After the IRT has been stood down the Team Leader will hold a debrief of all members ideally within 24 hours. The relevant records of the incident will be examined by the IRT to ensure that they reflect actual events and represent a complete and accurate record of the incident.

Any immediate comments or feedback from the team will be recorded.

A more formal post-incident review will be held at a time to be decided by top management according to the magnitude and nature of the incident. As input to this review the Team Leader will complete a post-incident report.


11 Appendix A – Initial response contact sheet

The following table should be used to record successful and unsuccessful initial contact with members of the IRT:

(For “Outcome” column, choose “Contacted”, “No Answer”, “Message Left” or “Unreachable”)

NAME     | ROLE IN PLAN        | OFFICE TEL  | HOME TEL    | MOBILE TEL  | DATE/TIME | OUTCOME | ETA (IF CONTACTED)
Person A | Team Leader         | Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Person B | Team Facilitator    | Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Person C | Incident Liaison    | Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Person D | Business Operations | Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Person E | Health and Safety   | Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Person F | Human Resources     | Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Person G | Communications      | Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Person H | Legal and Regulatory| Xxx xxx xxx | Xxx xxx xxx | Xxx xxx xxx |           |         |
Table 7: Initial response contact sheet

12 Appendix B: Incident impact information log

MAJOR INCIDENT:

LOCATION:

INCIDENT TEAM LEADER:

DATE | TIME | IMPACT INFORMATION | PROVIDED BY | SIGNATURE

13 Appendix C: Business activities affected and plans activated

MAJOR INCIDENT:

LOCATION:

INCIDENT TEAM LEADER:

DATE | TIME | BUSINESS ACTIVITY AFFECTED | EXTENT OF IMPACT | BUSINESS CONTINUITY PLAN ACTIVATED | DATE | TIME

14 Appendix D: Blank activity logging form

MAJOR INCIDENT:

LOCATION:

INCIDENT TEAM LEADER:

DATE | TIME | ACTION | BY | COMMENTS | SIGNATURE

15 Appendix E: Blank message logging form

MAJOR INCIDENT:

LOCATION:

INCIDENT TEAM LEADER:

DATE | TIME | CALLER | CALLER'S NUMBER | MESSAGE FOR | MESSAGE

16 Appendix F: Internal contact telephone numbers

The following table shows the telephone numbers of key internal personnel:

NAME TITLE DEPT PLAN ROLE TEL NO EMAIL

17 Appendix G: Useful external contacts

The following table shows the contact details of agencies and people who may be useful depending on the nature of the incident:

NAME TITLE ORGANIZATION ADDRESS TEL NO EMAIL

18 Appendix H - Standard incident response team meeting agenda

It is recommended that the following standard agenda be used for meetings of the Incident Response Team.

AGENDA

Attendees: All members of Incident Response Team

Location: Command Center/Online meeting

Frequency: Every two hours, on the even hour

Chair: Team Leader

Minutes: Team Facilitator

1. Actions from previous meeting

2. Incident status update

3. Decisions required

4. Task allocation

5. Internal communications

6. External communications

7. Standing down

8. Any other business


19 Appendix I: Incident command center

19.1 Location map

The location of the incident command center is shown below [replace with map of your command center]

19.2 Floor plan

The layout of the incident command center is shown below [replace with layout of your command center].


20 Appendix J: The phonetic alphabet

In order to ensure that messages are understood correctly, the phonetic alphabet should be used when spelling out words and numbers.

• A: Alpha

• B: Bravo

• C: Charlie

• D: Delta

• E: Echo

• F: Foxtrot

• G: Golf

• H: Hotel

• I: India

• J: Juliet

• K: Kilo

• L: Lima

• M: Mike

• N: November

• O: Oscar

• P: Papa

• Q: Quebec

• R: Romeo

• S: Sierra

• T: Tango

• U: Uniform

• V: Victor

• W: Whiskey

• X: X-ray

• Y: Yankee

• Z: Zulu

• 0: Zero

• 1: Wun

• 2: Two

• 3: Tree

• 4: Fower

• 5: Fife

• 6: Six

• 7: Seven

• 8: Ait

• 9: Niner
