ICT Continuity Incident Response Procedure
NIST CSF 2.0 Toolkit: Version 1 ©CertiKit
ICT Continuity Incident Response Procedure [Insert classification]
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document The Incident Response Procedure sets out in detail how the organization will initially react to a business continuity incident and manage it going forward. It is intended to be used at the point at which an incident has occurred.
Areas of the framework addressed The following areas of the Cybersecurity Framework are addressed by this document: •
Protect (PR) o Technology Infrastructure Resilience (PR.IR) ▪ PR.IR-02
General guidance This procedure has much in common with the procedure for handling an information security incident, as the degree of high-level business involvement and support required is very similar. The key is that information security is considered as part of the planning and does not suffer when a plan is invoked. You will need to think carefully about who should be included in the incident response structure so that the right people are available in the event of a disruptive incident. The procedures contained in this document need to be clear and concise as they will possibly be used in times of great stress to the people involved. Try to always have a Plan B for each aspect of the procedure such as deputies for the people, an alternative command center and access to critical documents and resources.
Review frequency We would recommend that this document is reviewed at least annually and after every relevant exercise or test.
Version 1
Page 2 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
Document fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name. 2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab). 3. Press F9 on the keyboard to update all fields. 4. When prompted, choose the option to just update TOC page numbers. If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Version 1
Page 3 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 4 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
ICT Continuity Incident Response Procedure
Version 1
DOCUMENT CLASSIFICATION
[Insert classification]
DOCUMENT REF
CSF-DOC-PRIR-2
VERSION
1
DATED
[Insert date]
DOCUMENT AUTHOR
[Insert name]
DOCUMENT OWNER
[Insert name/role]
Page 5 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
Revision history VERSION
DATE
REVISION AUTHOR
SUMMARY OF CHANGES
Distribution NAME
TITLE
Approval NAME
Version 1
POSITION
SIGNATURE
Page 6 of 36
DATE
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
Contents 1
Introduction ................................................................................................................ 9
2
Incident response flowchart...................................................................................... 10
3
Incident detection and notification ........................................................................... 11 3.1
Incident detection ........................................................................................................11
3.2
Incident notification .....................................................................................................11
3.3
Recording the incident details ......................................................................................11
3.4
Contacting the incident response team leader ..............................................................12
4
Activating the incident response procedure .............................................................. 13
5
Assemble incident response team............................................................................. 14 5.1
Incident response team members .................................................................................14
5.2
Roles and responsibilities .............................................................................................14
5.2.1 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9
5.3 5.3.1 5.3.2 5.3.3 5.3.4
5.4
Team leader .................................................................................................................................. 15 Team facilitator ............................................................................................................................. 15 Incident liaison .............................................................................................................................. 15 ICT ................................................................................................................................................. 15 Business operations ...................................................................................................................... 15 Health and safety .......................................................................................................................... 16 Human resources .......................................................................................................................... 16 Communications ........................................................................................................................... 16 Legal and regulatory ..................................................................................................................... 16
Incident command center .............................................................................................16 Location ........................................................................................................................................ 16 Access ........................................................................................................................................... 17 Parking .......................................................................................................................................... 17 Facilities in the command center .................................................................................................. 17
Alternate command center ...........................................................................................18
6
Impact assessment.................................................................................................... 19
7
Business continuity plan activation ........................................................................... 20
8
Incident management, monitoring and communication............................................ 21 8.1 8.1.1 8.1.2 8.1.3 8.1.4 8.1.5
9
Communication procedures ..........................................................................................21 Means of communication ............................................................................................................. 21 Communication guidelines ........................................................................................................... 21 Internal communication ............................................................................................................... 22 External communication ............................................................................................................... 22 Communication with the media ................................................................................................... 23
Ceasing response activities and standing down......................................................... 25
10 Debrief and post-incident review .............................................................................. 26 11 Appendix A – Initial response contact sheet.............................................................. 27 12 Appendix B: Incident impact information log ............................................................ 28
Version 1
Page 7 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification] 13 Appendix C: Business activities affected and plans activated .................................... 29 14 Appendix D: Blank activity logging form.................................................................... 30 15 Appendix E: Blank message logging form .................................................................. 31 16 Appendix F: Internal contact telephone numbers ..................................................... 32 17 Appendix G: Useful external contacts ....................................................................... 33 18 Appendix H - Standard incident response team meeting agenda .............................. 34 19 Appendix I: Incident command center ...................................................................... 35 19.1
Location map ................................................................................................................35
19.2
Floor plan .....................................................................................................................35
20 Appendix J: The phonetic alphabet ........................................................................... 36
Figures Figure 1: Incident response procedure ..........................................................................................10
Tables Table 1: Initial responders .............................................................................................................11 Table 2: Incident response team leader contacts ...........................................................................12 Table 3: Incident response team members ....................................................................................14 Table 4: Business continuity plans .................................................................................................20 Table 5: Monitored risk advisory systems .....................................................................................23 Table 6: Organization spokespeople ..............................................................................................24 Table 7: Initial response contact sheet ..........................................................................................27
Version 1
Page 8 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
1 Introduction This document is intended to be used when an adverse situation of some kind has occurred that affects the business operations of [Organization Name]. The procedures set out in this document should be used only as guidance when responding to an incident. The exact nature of an incident and its impact cannot be predicted with any degree of certainty and so it is important that a good degree of common sense is used when deciding the actions to take. However, it is intended that the structures set out here will prove useful in allowing the correct actions to be taken more quickly and based on more accurate information. The objectives of this incident response procedure are to: • • • • • • • •
Provide a concise overview of how [Organization Name] will respond to a disruptive incident affecting its business continuity Set out who will respond to an incident and how our business continuity plans will be invoked Describe the facilities that are in place to help with the management of the incident Define how decisions will be taken regarding our response to an incident Ensure that our information always remains secure, despite the adverse situation Explain how communication within the organization and with external parties will be handled Provide contact details for key people and external agencies Define what will happen once the incident is resolved, and the responders are stood down
All members of staff named in this document will be given a copy which they must have available when required. Contact details will be checked and updated at least three times a year. Changes to contact or other relevant details that occur outside of these scheduled checks should be sent to business.continuity@organization.com as soon as possible after the change has occurred. All personal information collected as part of the business continuity process and contained in this document will be used purely for the purposes of business continuity planning and is subject to relevant data protection legislation.
Version 1
Page 9 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
2 Incident response flowchart The flow of the incident response procedure is shown in the diagram below.
Figure 1: Incident response procedure
Version 1
Page 10 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
3 Incident detection and notification 3.1 Incident detection The incident may be initially detected in a wide variety of ways and through several different sources (including emergency services), depending on the nature and location of the incident. The most important factor is that the incident response procedure must be started as quickly as possible so that an effective response can be given.
3.2 Incident notification The following contacts will act as initial responders for a disruptive incident. Any of these contacts may be notified of an incident. They all have the authority to contact the Incident Response Team Leader at any time to ask him/her to assess whether the Incident Response Procedure should be activated.
CONTACT
DEPARTMENT
PHONE NUMBER
AVAILABILITY
Team Leader
Facilities Management
xxxx xxxxxxx
9am to 5pm Mon to Fri
Duty Manager
Facilities Management
xxxx xxxxxxx
Out of hours
ICT Manager
ICT
xxxx xxxxxxx
9am to 5pm Mon to Fri
Customer Services Team Leader
Customer Services
xxxx xxxxxxx
6am to 9pm Mon to Sat
Table 1: Initial responders
3.3 Recording the incident details On receiving notification of a possible disruptive incident, the person taking the call should record the details given, including: • • • • •
The name of the caller Caller’s contact details Date and time of the call Call taker’s name Exact description of the incident, including: o Date and time of the incident o Nature of the incident, for example fire, flood, explosion o Location of the incident o Whether emergency services have been called (if appropriate) and if so, are they in attendance? o Any injuries or loss of life if known
Version 1
Page 11 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification] •
o An estimate of the scale of the impact Any other relevant information available
3.4 Contacting the incident response team leader The initial responder to the incident should then contact the Incident Response Team Leader (or nominated deputy) using the contact details below to convey the above information.
NAME
ROLE IN PLAN
OFFICE PHONE
HOME PHONE
MOBILE PHONE
Team leader Deputy 1 Deputy 2 Deputy 3 Table 2: Incident response team leader contacts
If none of the above can be contacted the initial responder has the authority to decide whether or not the Incident Response Procedure should be activated.
Version 1
Page 12 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
4 Activating the incident response procedure Once notified of an incident the Team Leader must decide whether the scale and actual or potential impact of the incident justifies the activation of the Incident Response Procedure and the convening of the Incident Response Team. Guidelines for whether a formal incident response should be initiated for any particular incident of which the Team Leader has been notified are as follows. •
There is significant actual or potential danger to life
Or… •
There is significant actual or potential disruption to business operations
Or… •
Any other situation which may cause significant impact to the organization
Guidelines for the definition of “significant” within the above criteria are as follows: • • • • • •
Loss of more than one day’s production An inability to service more than 60% of customers More than one day’s disruption to store replenishment Damage to reputation via coverage in national press More than 30 employees affected [define the level of impact that should trigger the incident response procedure]
In the event of disagreement or uncertainty about whether to activate an incident response the decision of the Team Leader will be final. If it is decided not to activate the procedure, then a plan should be created to allow for a lower-level response to the incident within normal management channels. This may involve the invocation of a business continuity procedure at a local level. If the incident warrants the activation of the IR procedure the Team Leader will start to assemble the IRT as described in the next section.
Version 1
Page 13 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
5 Assemble incident response team Once the decision has been made to activate the incident response procedure, the Team Leader (or deputy) will ensure that all role holders (or their deputies if main role holders are un-contactable) are contacted, made aware of the nature of the incident and asked to either assemble at an appropriate location (by default the command center) or attend a virtual meeting. The exception is the Incident Liaison who will be asked to attend the location of the incident (if different and appropriate) in order to start to gather information for the impact assessment that the IRT will conduct so that an appropriate response can be determined.
5.1 Incident response team members The Incident Response Team (IRT) will consist of the following people in the roles specified and with the stated deputies.
ROLE
MAIN ROLE HOLDER
DEPUTY
Team Leader Team Facilitator Incident Liaison ICT Business Operations Health and Safety Human Resources Communications Legal and Regulatory Table 3: Incident response team members
Contact details for the above are listed in Appendix A of this document.
5.2 Roles and responsibilities The responsibilities of the roles within the incident response team are as follows:
Version 1
Page 14 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
5.2.1 Team leader • • • • •
Decides whether to initiate a response Assembles the incident response team Overall management of the incident response team Acts as interface with the board and other high-level stakeholders Final decision maker in cases of disagreement
5.2.2 Team facilitator • • • • • •
Supports the incident response team Co-ordinates resources within the command center Prepares for meetings and takes record of actions and decisions Briefs team members on latest status on their return to the command center Facilitates communication via email, fax, telephone, or other methods Monitors external information feeds such as weather and news
5.2.3 Incident liaison • • • •
Attends the site of the incident as quickly as possible Assesses the extent and impact of the incident Provides first-person account of the situation to the IRT Liaises with the IRT on an on-going basis to provide updates and answer any questions required for decision-making by the IRT
5.2.4 ICT • • •
Provides an interface to detailed knowledge about ICT systems and networks held within the ICT team Liaises with external suppliers of technology, such as network and cloud providers Ensures that information security considerations are included in recovery activities
5.2.5 Business operations • • •
Contributes to decision-making based on knowledge of business operations, products and services Briefs other members of the team on operational issues Helps to assess likely impact on customers of the organization
Version 1
Page 15 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
5.2.6 Health and safety • • • •
Assesses the risk to life and limb of the incident Ensures that legal responsibilities for health and safety are always met Liaises with emergency services such as police, fire and medical Considers environmental issues with respect to the incident
5.2.7 Human resources • • •
Assesses and advises on HR policy and employment contract matters Represents the interests of organization employees Advises on capability and disciplinary issues
5.2.8 Communications • • •
Responsible for ensuring internal communications are effective Decides the level, frequency and content of communications with external parties such as the media Defines approach to keeping affected parties informed, for example customers, shareholders
5.2.9 Legal and regulatory • •
Advises on what must be done to ensure compliance with relevant laws and regulatory frameworks Assesses the actual and potential legal implications of the incident and subsequent actions
5.3 Incident command center In order to accommodate the IRT, a pre-prepared location has been selected for the Incident Command Centre.
5.3.1 Location The address of the command center is as follows: [Give the full address of the command center]
Version 1
Page 16 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification] A location map and floor plan of the command center are shown at Appendix I of this document.
5.3.2 Access During office hours (8am to 5.30pm Monday to Friday) the command center is accessible via reception at the main entrance to the building. Outside of office hours the Duty Facilities Manager must be contacted on xxx xxx xxxx to provide access within one hour of it being requested.
5.3.3 Parking Parking is available 24 hours a day, 7 days a week at the public facility directly across the street from the office building containing the command center.
5.3.4 Facilities in the command center The following facilities are available with the command center: • • • • • • • • • • • • • • • •
Main office area Separate conference room 8 x Landline telephones 8 x desktop computers Access to the corporate network Internet access 8 x workstations Washroom facilities Small kitchen with kettle and microwave Projector with screen 1 x color printer (networked) Television Radio 8 x hard hats and high visibility vests 4 x flashlights Stationery (pads, pens, pencils, hole punch, staplers)
A variety of shops are within easy walk of the command center should additional equipment be needed (shop hours only).
Version 1
Page 17 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
5.4 Alternate command center If the incident command center is not available for any reason a secondary facility exists at the following location: [Give the full address of the alternate command center. Add location map, floor plan and facility list if available]
Version 1
Page 18 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
6 Impact assessment Once the IRT has been assembled at the Command Centre, a more detailed impact assessment must be carried out in order to decide the appropriate response. The information that should have been recorded at the time of notification of the incident is as follows: • • • • • •
Date and time of the incident Nature of the incident, for example fire, flood, explosion Location of the incident Whether emergency services have been called (if appropriate) and if so, are they in attendance? Any injuries or loss of life if known An estimate of the scale of the impact
In addition to this initial indication, further information should be available from the Incident Liaison team member of the IRT who should be at the location of the incident. Useful further information could include: • • • • • • • •
Likely duration of the incident Any obvious knock-on effects The extent of impact on infrastructure including computers, networks, equipment and accommodation The business units affected and the extent of the impact to them Any known information security exposure The effect on production or service delivery A list of those people that will not be able to assist in the recovery Initial indication of the likely cause of the incident
This information should be documented so that a clear time-based understanding of the situation as it emerges is available for current use and later review. A form template is provided for this purpose at Appendix B. A list of the business activities, products, services, teams and supporting processes that have been affected by the incident should be created together with an assessment of the extent of the impact. A template form to record this information is at Appendix C of this document.
Version 1
Page 19 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
7 Business continuity plan activation Once the IRT has been assembled at the command center and as much detail as possible has been collected about the incident and its impact, a decision needs to be made about the most appropriate response. [Organization Name] has a variety of business continuity plans that provide for actions to be taken to respond to different types of incidents. These plans are as follows:
DOCUMENT REF
PLAN TITLE
PLAN DESCRIPTION
Plan001
Loss of Access to Building A
Move key business activities to alternate site
Plan002
Loss of main business critical IT servers
Restore backups to warm recovery site
Plan003
Failure of Critical Supplier
Increase supply from alternative suppliers
[List all business continuity plans] Table 4: Business continuity plans
Based on the current understanding of the business activities affected by the incident, an appropriate combination of the above business continuity plans should be activated to try to mitigate the impact. The form at Appendix C should be used to record the business continuity plans that are activated to address the specific business activities impacted by the incident. The method of activation of each plan is detailed in the individual plan document.
Version 1
Page 20 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
8 Incident management, monitoring and communication Once an appropriate response to the incident has been identified and the relevant business continuity plans activated, the IRT needs to be able to manage the overall response, monitor the status of the incident and ensure effective communication is taking place at all levels. Regular IRT meetings must be held at an appropriate frequency decided by the Team Leader. A standard agenda for these meeting is at Appendix H. The purpose of these meetings is to ensure that recovery resources are managed effectively and that key decisions are made promptly, based on adequate information. Each meeting will be minuted by the Team Facilitator. The Incident Liaison will provide updates to the IRT to a frequency decided by the Team Leader. These updates should be coordinated with the IRT meetings so that the latest information is available for each meeting.
8.1 Communication procedures It is vital that effective communications are maintained between all parties involved in the incident response.
8.1.1 Means of communication The primary means of communication during an incident will be telephone, both landline and mobile. In the event of telephone communications being unavailable provision may be made for the use of radio communications, although the usable range of such equipment should be assessed. At the Team Leader’s discretion, other electronic methods of communication such as email, SMS, messaging apps and collaboration tools may be used.
8.1.2 Communication guidelines The following guidelines should be followed in all phone communications: • • •
•
Be calm and avoid lengthy conversation Advise internal team members of the need to refer information requests to the IRT If the call is answered by someone other than the contact: o Ask if the contact is available elsewhere o If they cannot be contacted leave a message to contact, you on a given number o Do not provide details of the Incident Always document call time details, responses and actions
Version 1
Page 21 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
All communications should be clearly and accurately recorded using the form at Appendix E to this document.
8.1.3 Internal communication Phone calls incoming to the command center should use the main number which is: +xx xxx xxx xxxx Eight lines are available for incoming calls. If there is no answer a message may be left. If the call is urgent the caller should both leave a message and call back as well as trying alternative methods of communication if available. If leaving a message, ensure you leave: • • • • •
Your name Your number Your organization The name of the person the message is for The message
Details of the incident should not be given when leaving a message.
8.1.4 External communication Depending on the incident there may be a variety of external parties that will be communicated with during the response. It is important that the information released to third parties is managed so that it is timely and accurate. Calls that are not from agencies directly involved in the incident response (such as the media) should be passed to the member of the IRT responsible for communications. Emergency responders such as the police, fire and ambulance services will be well practiced in incident handling and will have their own structured methods for communication and every effort should be made to comply with these. A listing of the phonetic alphabet used by the emergency services is at Appendix J. There may be several external parties who, whilst not directly involved in the incident, may be affected by it and need to be alerted to this fact. These may include: • • •
Customers Suppliers Shareholders
Version 1
Page 22 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification] • • •
Regulatory bodies Supervisory authorities Insurers
The Communications IRT member should make a list of such interested parties and define the message that is to be given to them. A list of some external agencies is given at Appendix G. Interested parties who have not been alerted by the IRT may ask for information about the incident and its effects. These contacts should be recorded in the message log and passed to the Communications member of IRT. There are a number of national and regional risk advisory systems which may be able to provide information about the incident and likely developments. The following such systems are monitored:
AGENCY
NATIONAL/ REGIONAL
SUBJECT
METHOD OF COMMUNICATION
Homeland Security
National
Security threats
Email alerts
Environment Agency
National
Flood warnings
Website
Met Office
National
Severe weather warnings
Website/ email
Country Fire Authority
Regional
Fire risk and warnings
News channels/ website
Table 5: Monitored risk advisory systems
The frequency of monitoring these systems should be increased for those that are directly relevant to the incident in hand. All relevant warnings should be logged and communicated to the IRT Team Leader.
8.1.5 Communication with the media In general, the communication strategy with respect to the media will be to issue regular updates via top management. No members of staff should give an interview with the media unless this is pre-authorized by the IRT. The preferred interface with the media will be to issue pre-written press releases. In exceptional circumstances a press conference will be held to answer questions about the incident and its effects. It is the responsibility of the Communications IRT member to arrange the venue for these and to liaise with press that may wish to attend. In drafting a statement for the media, the following guidelines should be observed:
Version 1
Page 23 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification] • • • • •
Personal information should always be protected Stick to the facts and do not speculate about the incident or its cause Ensure legal advice is obtained prior to any statements being issued Try to pre-empt questions that may reasonably be asked Emphasize that a prepared response has been activated and that everything possible is being done
The following members of staff will be appointed spokespeople for the organization if further information is to be issued, for example at a press conference:
NAME
ROLE
INCIDENT SCALE
Person A
IRT Communications
Low
Person B
Head of Corporate Communications
Medium
Person C
Chief Executive Officer
High
Table 6: Organization spokespeople
The most appropriate spokesperson will depend upon the scale of the incident and its effect on customers, supplier, the public and other stakeholders.
Version 1
Page 24 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
9 Ceasing response activities and standing down The Team Leader will decide, based on the latest information from the Incident Liaison and other members of the team, the point at which response activities should be ceased and the IRT stood down. Note that the recovery and execution of business continuity plans may continue beyond this point but under less formal management control. This decision will be up to the Team Leader’s judgement but should be based upon the following criteria: • • • • • •
The situation has been fully resolved or is reasonably stable The pace of change of the situation has slowed to a point where few decisions are required The appropriate response is well underway and business continuity plans are progressing to schedule Affected business activities have been resumed although perhaps at a lower level than normal The degree of risk to the business has lessened to an acceptable point Immediate legal and regulatory responsibilities have been fulfilled
If recovery from the incident is on-going the Team Leader should define the next actions to be taken. These may include: • • • • •
Less frequent meetings of the IRT, for example weekly depending on the circumstances Informing all involved parties that the IRT is standing down Ensuring that all documentation of the incident is secured Requesting that all staff not involved in further work to return to normal duties Returning the command center to a state where it may be used for a future incident
All actions taken as part of standing down should be recorded.
Version 1
Page 25 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
10 Debrief and post-incident review After the IRT has been stood down the Team Leader will hold a debrief of all members ideally within 24 hours. The relevant records of the incident will be examined by the IRT to ensure that they reflect actual events and represent a complete and accurate record of the incident. Any immediate comments or feedback from the team will be recorded. A more formal post-incident review will be held at a time to be decided by top management according to the magnitude and nature of the incident. As input to this review the Team Leader will complete a post incident report.
Version 1
Page 26 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
11 Appendix A – Initial response contact sheet The following table should be used to record successful and unsuccessful initial contact with members of the IRT:
NAME
ROLE IN PLAN
OFFICE TEL
HOME TEL
MOBILE TEL
Person A
Team Leader
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person B
Team Facilitator
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person C
Incident Liaison
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person D
Business Operations
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person E
Health and Safety
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person F
Human Resources
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person G
Communications
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person H
Legal and Regulatory
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
DATE/ TIME
OUTCOME
ETA (IF CONTACTED)
Table 7: Initial response contact sheet
(For “Outcome” column, choose “Contacted”, “No Answer”, “Message Left” or “Unreachable”)
Version 1
Page 27 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
12 Appendix B: Incident impact information log MAJOR INCIDENT LOCATION INCIDENT TEAM LEADER
DATE
Version 1
TIME
IMPACT INFORMATION PROVIDED
Page 28 of 36
BY
SIGNATURE
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
13 Appendix C: Business activities affected and plans activated MAJOR INCIDENT LOCATION INCIDENT TEAM LEADER
DATE
Version 1
TIME
BUSINESS ACTIVITY AFFECTED
EXTENT OF IMPACT
Page 29 of 36
BUSINESS CONTINUITY PLAN ACTIVATED
DATE
TIME
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
14 Appendix D: Blank activity logging form MAJOR INCIDENT LOCATION INCIDENT TEAM LEADER
DATE
Version 1
TIME
ACTION
BY
Page 30 of 36
COMMENTS
SIGNATURE
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
15 Appendix E: Blank message logging form MAJOR INCIDENT LOCATION INCIDENT TEAM LEADER
DATE
Version 1
TIME
CALLER
CALLER’S NUMBER
Page 31 of 36
MESSAGE FOR
MESSAGE
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
16 Appendix F: Internal contact telephone numbers The following table shows the telephone numbers of key internal personnel:
NAME
Version 1
TITLE
DEPT
PLAN ROLE
Page 32 of 36
TEL NO
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
17 Appendix G: Useful external contacts The following table shows the contact details of agencies and people who may be useful depending on the nature of the incident:
NAME
Version 1
TITLE
ORGANIZATION
ADDRESS
Page 33 of 36
TEL NO
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
18 Appendix H - Standard incident response team meeting agenda It is recommended that the following standard agenda be used for meetings of the Incident Response Team.
AGENDA Attendees:
All members of Incident Response Team
Location:
Command Center/Online meeting
Frequency:
Every two hours, on the even hour
Chair:
Team Leader
Minutes:
Team Facilitator
1.
Actions from previous meeting
2.
Incident status update
3.
Decisions required
4.
Task allocation
5.
Internal communications
6.
External communications
7.
Standing down
8.
Any other business
Version 1
Page 34 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
19 Appendix I: Incident command center 19.1 Location map The location of the incident command center is shown below [replace with map of your command center].
19.2 Floor plan The layout of the incident command center is shown below [replace with layout of your command center].
Version 1
Page 35 of 36
[Insert date]
ICT Continuity Incident Response Procedure [Insert classification]
20 Appendix J: The phonetic alphabet In order to ensure that messages are understood correctly, the phonetic alphabet should be used when spelling out words and numbers. • • • • • • • • • • • • • • • • • • • •
A: Alpha B: Bravo C: Charlie D: Delta E: Echo F: Foxtrot G: Golf H: Hotel I: India J: Juliet K: Kilo L: Lima M: Mike N: November O: Oscar P: Papa Q: Quebec R: Romeo S: Sierra T: Tango
Version 1
Page 36 of 36
• • • • • •
U: Uniform V: Victor W: Whiskey X: X-ray Y: Yankee Z: Zulu
• • • • • • • • • •
0: Zero 1: Wun 2: Two 3: Tree 4: Fower 5: Fife 6: Six 7: Seven 8: Ait 9: Niner
[Insert date]