Incident Response Plan (IRP) for Business Downtime

Incident Response Plan


This document sets out the information, actions, and procedures to be followed when an event disrupts the normal operations of a business. Its primary purpose is to limit the financial and other losses a firm may incur. The measures described relate to information security: the plan is designed to guide the response to business interruptions caused by intrusion or system downtime. Although parts of the document could be applied to other emergencies such as fire or natural disasters, it is not tailored to those situations. The document therefore details how an organization should respond to a security incident. An IRP is significant to an organization because it provides guidelines for managing security incidents from detection through to evaluating the effectiveness of the measures the organization adopted. The design of an IRP is likely to differ from one organization to another (Kirvan, Peterson, & Daniel, 2019). The components detailed in this IRP are: preparation, identification, containment, eradication, recovery, and lessons learned.


  • The Preparation Stage

Preparation is the first stage. In this phase the organization reviews its systems to capture the details that need to be archived. The information security department should conduct a risk assessment and compile a list of the security issues most likely to affect the firm. Staff should be required to report any of the following:

  • The WAN is unreachable
  • Loss of access to the internet or the intranet
  • Denial of service
  • Loss or theft of a computer from the facility
  • Downtime in data or voice communication services
  • Intrusions

Once such an event has been reported, the organization activates its incident response team. These people are critical to the handling of an incident because they have the training and experience needed to analyze and act on disruptions to information systems (Hayward & Quinn, 2016). The incident response team is composed of personnel capable of responding quickly to incidents. It includes the following specialists:

  • Incident Manager
  • Lead investigator
  • Communications and Public relations Officer
  • Legal Officer
  • Human Resource Representative

The preparation stage also lists the persons to be contacted when the person reporting the incident is not from the information security department. The contacts established at this stage include the following:

  • The CEO
  • The head of the information technology department
  • The firm’s customer service executive
  • The organization’s IT service desk
  • The security office service desk

The contacts provided should be reachable on a 24/7 basis because an incident can happen at any time, and a faster response limits the losses incurred. The contact most likely to be available around the clock is the security office service desk. It is also important to note that contacting the CEO should be limited to cases in which none of the other contacts can be reached. The preparation stage also involves educating employees about possible security threats. The organization should conduct weekly training in which staff are taught how to recognize information security incidents. Regular training is needed because continual innovation in information technology lets attackers employ new methods to achieve their goals.


  • Identification

Identification is the second stage. A security breach may be identified through the reporting channels established during preparation. As part of its regular work, the IT department should continually check the systems for abnormal activity. Potential sources for the identification of an incident include:

  • Activity logs showing privileged access that does not match the access management actually granted.
  • A customer reporting suspected abnormal activity on their account.
  • A report of computer theft from the firm.
  • Signs of an advanced persistent threat.
  • A worker reporting that they are unable to access the system.
  • Alerts from intrusion detection or monitoring tools.
  • Alerts of a virus or malware infection.

Upon discovery of an incident, the incident response team coordinator should liaise with the other team members to gather more information about the event. This collaboration enables them to determine the severity of the incident and its legal implications. For instance, if the breach exposes customer contact details, the organization is likely to be held responsible, and in such cases the IRPT must take urgent measures to limit the exposure. During identification the IRPT answers the questions who, where, how, why, and what. The answers, and the evidence behind them, give the organization a basis for prosecuting the perpetrators.
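As an added example (not part of the original plan), the following Python script shows the first and last kinds of detection in the list above: it parses constructed audit log lines, compares every privileged action against a table of the privileges management actually granted, and raises anything that does not match, that occurred outside business hours, or that came from outside the internal network. The log format, account names, hosts, business hours, and the internal address range are assumptions made for the illustration.

```python
"""Detect privileged actions that do not match the access actually granted.

Added example, not part of the original plan. The log format, account names,
hosts and the grant table below are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample audit lines (syslog-like key=value format; an assumption).
SAMPLE_LOG = """\
2024-03-04T08:55:12Z host=fs01 user=jdoe action=login priv=no src=10.1.4.22
2024-03-04T09:02:40Z host=fs01 user=jdoe action=read_file priv=no src=10.1.4.22
2024-03-04T09:10:03Z host=fs01 user=admin_k action=sudo priv=yes src=10.1.4.9
2024-03-04T02:17:55Z host=db02 user=jdoe action=sudo priv=yes src=203.0.113.7
2024-03-04T02:18:10Z host=db02 user=svc_backup action=dump_db priv=yes src=10.1.9.3
2024-03-04T14:30:00Z host=db02 user=mallory action=add_user priv=yes src=10.1.4.50
"""

# Accounts management actually authorised for privileged actions, per host (constructed).
GRANTED_PRIVILEGES = {
    "admin_k": {"fs01", "db02"},
    "svc_backup": {"db02"},
}

# Privileged activity outside this window is raised even when authorised (assumed hours).
BUSINESS_HOURS = (time(7, 0), time(20, 0))

# Address ranges treated as internal (assumed; a real plan would list its own ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) priv=(?P<priv>yes|no) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["priv"] = rec["priv"] == "yes"
    return rec


def check_record(rec, granted=GRANTED_PRIVILEGES, hours=BUSINESS_HOURS):
    """Return the reasons this record should be raised to the IRT (empty list if none)."""
    reasons = []
    if not rec["priv"]:
        return reasons  # only privileged activity is in scope for this check
    if rec["host"] not in granted.get(rec["user"], set()):
        reasons.append("privileged action by an account with no grant on this host")
    if not (hours[0] <= rec["ts"].time() <= hours[1]):
        reasons.append("privileged action outside business hours")
    try:
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in INTERNAL_NETS):
            reasons.append("privileged action from a non-internal source address")
    except ValueError:
        reasons.append("privileged action with a malformed source address")
    return reasons


def find_suspicious(log_text, granted=GRANTED_PRIVILEGES):
    """Scan a block of audit lines and return (record, reasons) for every hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # a real tool should count and report unparseable lines separately
        reasons = check_record(rec, granted)
        if reasons:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, reasons in find_suspicious(SAMPLE_LOG):
        print(rec["ts"].isoformat(), rec["user"], rec["host"], rec["action"],
              "->", "; ".join(reasons))
```

In practice the grant table would be pulled from the identity provider or privileged access management system rather than hard-coded, and unparseable lines should be counted and reported, since a gap in logging is itself something the IRPT wants to know about.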


  • Containment

Containment is the third stage, and it is the priority of the incident response team once an incident has been identified. Its aim is to prevent further damage, typically by stopping the intruders from accessing more data (Patel, 2017). Containment can follow a short-term or a long-term plan. Short-term measures are deployed when the IRPT cannot stop an intrusion immediately but needs an alternative that lets the organization's processes continue while the team works on a lasting solution. An example of a short-term measure is redirecting traffic to backup servers because the primary server has been compromised. Long-term containment involves applying a lasting fix immediately, which is possible when the incident is of limited scale; an example is a virus or malware infection that the IRPT resolves by tightening firewall rules and installing antivirus software. Containment may also involve isolating the affected part of the system to prevent the compromise of the entire system; isolation is appropriate when a malware infection affects only a portion of the data. In other cases containment means shutting down the whole system to prevent further damage.


  • Eradication

The fourth stage is eradication. The process entails putting in place measures to prevent a similar or related incident from affecting the system again. Eradication is based on an understanding of what happened and on employing measures that minimize the risk (Patel, 2017). For instance, a firm may have suffered system downtime due to hacking that was reported during the identification stage by a user rather than by the IT department. Such a case is a wake-up call for the information security department to adopt a tracking and monitoring tool capable of identifying unusual activity so that it can take immediate action. Eradication also entails collecting the necessary data from the old systems and moving it into a new system only once adequate security measures are in place. If the root cause of the attack was poor authentication, such as weak passwords, the weakness is eradicated by requiring strong new passwords.


  • Recovery

The fifth stage is recovery, the process of restoring the systems. Restoration should be carried out in such a way that an incident of the same kind cannot recur. For attacks that brought down the entire system, tests should verify that the rebuilt systems execute commands correctly, and a period of monitoring should follow before access is granted to other users within the organization. Although an organization naturally wants to restore its systems quickly, caution before resuming normal operations is advised: a hurried restoration risks a severe repeat attack. A second attack means higher costs from regulatory fines and customer compensation, and repeated attacks damage the organization's reputation because customers come to doubt the firm's ability to protect their details and may move to competitors. During recovery, a firm should use its backup systems to serve customers while working on the proper solution.


  • Lessons Learned

Lessons learned is the sixth stage. This phase gives the organization the opportunity to carry out a post-mortem and update the procedures and guidelines in the IRP. It involves an in-depth analysis of the incident for future reference. The firm can learn from information captured through:

  • Meetings with the IRPT.
  • Examining forensic analysis reports.
  • Reviewing input, opinions, and comments from the different stakeholders.
  • Making recommendations where necessary.

The analysis of an incident for possible lessons may examine facts such as the name of the caller, the time of the call, the nature of the incident, and the time it took to resolve. These details are essential because they can be compared with what the plan was expected to deliver; where the variance is significant, an investigation should determine the cause. For instance, if there was a lag between the time the call was made and the time an IT officer acted on the incident, a concrete explanation is needed for future planning and reference. If the officer was at a remote location and had no means of reaching the workplace, designating a stand-by security officer to respond to incidents is advised. A thorough examination of the nature of the incident provides vital lessons for the organization. For instance, if the incident was an intrusion that exploited weak authentication, the information technology department can strengthen the password process by generating strong passwords for users and by adding self-check measures that allow users to create only strong passwords. A strong password mixes numbers, symbols, and letters, which makes it hard for attackers to guess.
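The password self-check described here, and the strong-password requirement named as an eradication measure earlier, can be enforced server-side. The following Python function is an added example, not part of the original plan: it enforces a minimum length and the mix of character classes the text calls for, rejects passwords that contain the username, checks a denylist of known weak passwords, and estimates entropy. The minimum length, the entropy threshold, and the small denylist are assumptions made for the illustration.

```python
"""Server-side password policy check.

Added example, not part of the original plan. The thresholds and the small
denylist are constructed for illustration; a real deployment would check
against a large breached-password corpus.
"""
import hashlib
import math
import string

MIN_LENGTH = 12          # assumed policy value
MIN_ENTROPY_BITS = 60    # assumed policy value

# Constructed denylist of passwords that satisfy the character-class rule yet are
# guessable. Stored as SHA-256 digests so the list is not itself a ready-made wordlist.
DENYLIST_SHA256 = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ["Password1!", "Welcome123!", "Summer2024!", "Qwerty123!"]
}


def character_classes(pw):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def estimated_entropy_bits(pw):
    """Crude upper-bound estimate: length * log2(size of the alphabet actually used)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, username=""):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if hashlib.sha256(pw.encode()).hexdigest() in DENYLIST_SHA256:
        problems.append("appears on the denylist of known weak passwords")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


if __name__ == "__main__":
    for candidate, user in [("Password1!", "alice"), ("correcthorsebatterystaple", "alice"),
                            ("Jdoe-2024-Secret!", "jdoe"), ("Tr0ub4dor&3-Winter-Stable", "alice")]:
        print(repr(candidate), "->", check_password(candidate, user) or "accepted")
```

Composition rules alone are a weak measure: a long all-lowercase passphrase fails the character-class rule while carrying more estimated entropy than a short mixed-class password such as "Password1!", which is why current guidance (NIST SP 800-63B) favours length and a breached-password denylist over mandatory character mixes. If only one check is kept, it should be the denylist.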
