Building an incident response team (IRT) is a good first step along the path toward effective business continuity event (BCE) management. But the team needs a plan to follow when an event occurs. A documented plan, institutionalized through regular IRT training, enables quick response to service or product delivery failures, mitigating business impact to levels acceptable to management and customers.

In this post, we look at the fundamental characteristics of an incident management plan (IMP). We also examine the first of the two cornerstones of effective BCE response: detection.

IMP Overview

According to BS 25999-1:2006 (Business Continuity Management, Part 1: Code of Practice), the purpose of an IMP is management of the initial phase of an event. The plan should be:

- Flexible, feasible and relevant
- Easy to read and understand
- The basis for managing all possible issues, including stakeholder and external challenges, facing the organization during a BCE

Minimally, the IMP should contain first-responder guidelines, including:

- Task and action lists. These lists are developed during scenario planning sessions and provide checklists for quickly implementing containment and mitigation controls.
- Emergency contacts. A complete list of internal and external contacts enables quick notification of key management and support personnel. Notification should automatically initiate the appropriate elements of the business continuity plan, which is the topic of a future article. Lack of effective communication is one of the surest ways to fall short of BCE management objectives.
- Media response. Small events are easily contained within the walls of the organization. News of large events, however, often finds its way to the public. How your organization deals with public perception affects the extent of damage to the business. Dealing with the media during a crisis should be controlled by the public relations representative on the IRT and should produce the specific public perception outcomes defined by executive management.

Business continuity event management consists of five phases: prepare, detect, contain-mitigate, analyze, and remediate-measure. The IMP focuses on detection, containment, and initial efforts to mitigate adverse business effects.

Detection

During business impact analysis in the preparation phase, various controls are identified to improve the organization's ability to detect impending events or those already occurring. Early detection is an important part of effective mitigation. However, detection without appropriate response provides little value. Monitoring systems or personnel should initiate the appropriate Task/Action List when an event is detected.

Events which potentially disrupt service or product delivery range from malware spreading across the network, to a failed server, to a natural or political catastrophe. Detection controls—administrative, physical, and technical—help predict failures or identify them early enough to prevent grave consequences to the business or personnel.

Detection controls fall into four categories: intrusion detection/prevention, network infrastructure availability, facility availability, and asset availability (financial, physical, or human).

Intrusion detection/prevention

There are two types of intrusions: physical and technical. A physical intrusion consists of a human or human-controlled intruder gaining physical access to restricted facilities or network infrastructure. Detection controls include motion detectors, security cameras, etc.

Technical intrusions are usually characterized in one of two ways. In the first, a human gains remote access to network resources. In the second, malware finds its way onto one or more critical or sensitive systems. In either case, sensitive data might leak or critical systems fail.
Technical detection controls include intrusion detection/prevention devices and log management. Effective log management usually consists of aggregation of logs from various network devices. The result is processed by a correlation engine, which can use bits and pieces of information collected from disparate systems to create a picture of network activity.

Network infrastructure availability

Hard drives, drive arrays, switches, servers, and any other technical device you can imagine will eventually fail if used long enough. The best response results are reached when you can detect potential or existing failures, and either prevent unscheduled downtime or quickly restore functionality.

Network or system anomaly detection begins with baselining normal operation. This is followed by monitoring network and system behavior and sending alerts when significant deviations from one or more baselines occur. In addition, log management efforts, as described above, can supplement monitoring solutions.

Facility availability

Detection controls for facility availability help prevent serious damage to portions of structures or entire buildings. Some events, such as hurricanes or tornadoes, cannot be prevented. However, knowing they're coming and initiating existing, tested response plans can reduce their effects on the business.

In addition to the nightly weather report, facility detection controls include:

- Fire detection systems
- Water detection systems
- Sensors and alarms
- Political analysis (just as important as a good weather report when operating in politically unstable areas)

Asset availability

Business assets include physical, financial, and human components. In this post, we focus on physical and financial event detection. Human resource issues are covered in a future business continuity plan article.

Physical assets are susceptible to damage, theft, or unauthorized access to the information they contain.
Controls which help detect these activities include security guards, security cameras, and inventory and asset tracking systems.

Theft of financial assets, including intellectual property, is a real problem for many organizations. Their loss or compromise can have serious consequences for continued business operation. In addition to technical monitoring controls, the following are helpful ways to detect questionable activity:

- Rotation of duties and mandatory vacations. Getting another set of eyes on daily business processes and outcomes can often reveal anomalous employee behavior. Employee knowledge that others will eventually see their work also helps prevent bad behavior.
- Security reviews and audits.
- Background investigations.
- Financial audits.
- Management oversight reports.

The controls used depend on the results of the business impact analysis, budget, management's threshold for risk, etc. However, once detection controls are in place, response processes must support them. Building containment and mitigation processes is the topic of next week's post.
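The two technical detection ideas in this post, a correlation engine that stitches together events from disparate log sources, and anomaly detection that baselines normal behavior and alerts on significant deviations, can be shown working together in a few dozen lines. The following is an added example, not code from the original post or from any product it mentions. It parses constructed syslog-style lines from three sources (an IDS, an authentication server and a firewall), compares each host's failed-login count against a constructed baseline, combines the indicators per host, and maps the result to a task/action list so that detection initiates response rather than stopping at an alert. Host names, addresses, user names, the baseline figures and the "TAL-03"/"TAL-07" task/action list names are all assumptions made up for the example.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample logs from three disparate sources: "ids", "auth" and "fw".
# Hosts, users, signatures and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 ids host=db01 signature="SQL injection attempt" src=203.0.113.7
2024-03-01T09:00:05 auth host=db01 result=fail user=svc_backup
2024-03-01T09:00:06 auth host=db01 result=fail user=svc_backup
2024-03-01T09:00:07 auth host=db01 result=fail user=svc_backup
2024-03-01T09:00:08 auth host=db01 result=fail user=svc_backup
2024-03-01T09:00:09 auth host=db01 result=fail user=svc_backup
2024-03-01T09:00:10 auth host=db01 result=fail user=svc_backup
2024-03-01T09:00:11 auth host=db01 result=ok user=svc_backup
2024-03-01T09:00:40 fw host=db01 action=allow direction=out dst=198.51.100.9 port=4444
2024-03-01T09:00:12 auth host=web01 result=fail user=jsmith
2024-03-01T09:00:30 auth host=web01 result=ok user=jsmith
2024-03-01T09:00:15 auth host=app02 result=fail user=admin
2024-03-01T09:00:16 auth host=app02 result=fail user=admin
2024-03-01T09:00:17 auth host=app02 result=fail user=admin
2024-03-01T09:00:18 auth host=app02 result=fail user=admin
2024-03-01T09:00:19 auth host=app02 result=fail user=admin
"""

# Constructed baseline: failed logins per minute seen on each host during normal operation.
BASELINE_FAILED_LOGINS = {
    "db01": [0, 1, 0, 0, 1, 0, 0, 1],
    "web01": [1, 2, 1, 0, 2, 1, 1, 1],
    "app02": [0, 0, 1, 0, 0, 0, 1, 0],
}

# Outbound ports considered normal for these servers (assumption for the example).
KNOWN_OUTBOUND_PORTS = {"53", "80", "443"}

# Hypothetical task/action list entries from an IMP; the names are not from the post.
TAL_INTRUSION = "TAL-03 suspected intrusion: isolate host, preserve logs, notify IRT lead"
TAL_ACCOUNT = "TAL-07 credential brute force: lock account, verify with owner"

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: str
    source: str
    fields: dict


def parse_line(line):
    """Turn one 'timestamp source key=value ...' line into an Event (None if malformed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Event(m.group("ts"), m.group("source"), fields)


def parse_logs(text):
    """Aggregate every well-formed line from the combined log feed."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev is not None:
                events.append(ev)
    return events


def failed_logins_per_host(events):
    counts = defaultdict(int)
    for e in events:
        if e.source == "auth" and e.fields.get("result") == "fail":
            counts[e.fields["host"]] += 1
    return dict(counts)


def is_anomalous(observed, baseline, k=3.0):
    """True when a count sits more than k standard deviations above the baseline mean.
    The deviation is floored at 1.0 so a nearly flat baseline does not alert on every event."""
    mean = statistics.mean(baseline)
    sd = max(statistics.pstdev(baseline), 1.0)
    return observed > mean + k * sd


def correlate(events, baseline):
    """Combine per-host indicators from the different sources and pick a task/action list."""
    indicators = defaultdict(set)
    for e in events:
        host = e.fields.get("host")
        if e.source == "ids":
            indicators[host].add("ids_alert")
        elif (e.source == "fw" and e.fields.get("direction") == "out"
              and e.fields.get("port") not in KNOWN_OUTBOUND_PORTS):
            indicators[host].add("unusual_outbound")
    for host, n in failed_logins_per_host(events).items():
        if host in baseline and is_anomalous(n, baseline[host]):
            indicators[host].add("auth_failure_spike")
    findings = {}
    for host, inds in indicators.items():
        if {"ids_alert", "auth_failure_spike"} <= inds:
            action = TAL_INTRUSION          # corroborated by two independent sources
        elif "auth_failure_spike" in inds:
            action = TAL_ACCOUNT
        else:
            action = "review: single indicator, no automatic action"
        findings[host] = {"indicators": sorted(inds), "action_list": action}
    return findings


if __name__ == "__main__":
    for host, f in correlate(parse_logs(SAMPLE_LOGS), BASELINE_FAILED_LOGINS).items():
        print(host, f["indicators"], "->", f["action_list"])
```

The point of the design is the last step: a single failed-login spike only triggers the account-handling checklist, while the same spike corroborated by an IDS signature on the same host escalates to the intrusion checklist. That is what "monitoring systems should initiate an appropriate Task/Action List" looks like in practice, and the thresholds (the 3-sigma rule, the port list) are exactly the kind of settings the business impact analysis and management's risk threshold should decide.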