Building an incident response team (IRT) is a good first step along the path toward effective business continuity event (BCE) management. But the team needs a plan to follow when an event occurs. A documented plan, institutionalized through regular IRT training, enables quick response to service or product delivery failures, mitigating business impact to levels acceptable to management and customers.

In this post, we look at the fundamental characteristics of an incident management plan (IMP). We also examine the first of the two cornerstones of effective BCE response: detection.

IMP Overview

According to BS 25999-1:2006 (Business Continuity Management, Part 1: Code of Practice), the purpose of an IMP is management of the initial phase of an event. The plan should be:

- Flexible, feasible and relevant
- Easy to read and understand
- The basis for managing all possible issues, including stakeholder and external challenges, facing the organization during a BCE

Minimally, the IMP should contain first-responder guidelines, including:

- Task and action lists. These lists are developed during scenario planning sessions and provide checklists for quickly implementing containment and mitigation controls.
- Emergency contacts. A complete list of internal and external contacts enables quick notification of key management and support personnel. Notification should automatically initiate the appropriate elements of the business continuity plan, which is the topic of a future article. Lack of effective communication is one of the surest ways to fall short of BCE management objectives.
- Media response. Small events are easily contained within the walls of the organization. News of large events, however, often finds its way to the public. How your organization deals with public perception affects the extent of damage to the business. Dealing with the media during a crisis should be controlled by the public relations representative on the IRT and should produce the specific public perception outcomes defined by executive management.

Business continuity event management consists of five phases: prepare, detect, contain-mitigate, analyze, and remediate-measure. The IMP focuses on detection, containment, and initial efforts to mitigate adverse business effects.

Detection

During business impact analysis in the preparation phase, various controls are identified to improve the organization's ability to detect impending events or those already occurring. Early detection is an important part of effective mitigation. However, detection without an appropriate response provides little value.

Monitoring systems or personnel should initiate the appropriate Task/Action List when an event is detected. Events that can disrupt service or product delivery range from malware spreading across the network, to a failed server, to a natural or political catastrophe. Detection controls, whether administrative, physical, or technical, help predict failures or identify them early enough to prevent grave consequences to the business or personnel.

Detection controls fall into four categories: intrusion detection/prevention, network infrastructure availability, facility availability, and asset availability (financial, physical, or human).

Intrusion detection/prevention

There are two types of intrusions: physical and technical. A physical intrusion consists of a human or human-controlled intruder gaining physical access to restricted facilities or network infrastructure. Detection controls include motion detectors, security cameras, etc.

Technical intrusions are usually characterized in one of two ways. In the first, a human gains remote access to network resources. In the second, malware finds its way onto one or more critical or sensitive systems. In either case, sensitive data might leak or critical systems fail. Technical detection controls include intrusion detection/prevention devices and log management. Effective log management usually consists of aggregating logs from various network devices. The result is processed by a correlation engine, which uses bits and pieces of information collected from disparate systems to create a picture of network activity.

Network infrastructure availability

Hard drives, drive arrays, switches, servers, and any other technical device you can imagine will eventually fail if used long enough. The best response results are reached when you can detect potential or existing failures and either prevent unscheduled downtime or quickly restore functionality.

Network or system anomaly detection begins with baselining normal operation. This is followed by monitoring network and system behavior and sending alerts when significant deviations from one or more baselines occur. In addition, log management efforts, as described above, can supplement monitoring solutions.

Facility availability

Detection controls for facility availability help prevent serious damage to portions of structures or entire buildings. Some events, such as hurricanes or tornadoes, cannot be prevented. However, knowing they're coming and initiating existing, tested response plans can reduce their effects on the business.

In addition to the nightly weather report, facility detection controls include:

- Fire detection systems
- Water detection systems
- Sensors and alarms
- Political analysis (just as important as a good weather report when operating in politically unstable areas)

Asset availability

Business assets include physical, financial, and human components. In this post, we focus on physical and financial event detection. Human resource issues are covered in a future business continuity plan article.

Physical assets are susceptible to damage, theft, or unauthorized access to the information they contain. Controls that help detect these activities include security guards, security cameras, and inventory and asset tracking systems.

Theft of financial assets, including intellectual property, is a real problem for many organizations. Their loss or compromise can have serious consequences for continued business operation. In addition to technical monitoring controls, the following are helpful ways to detect questionable activity:

- Rotation of duties and mandatory vacations. Getting another set of eyes on daily business processes and outcomes can often reveal anomalous employee behavior. Employee knowledge that others will eventually see their work also helps prevent bad behavior.
- Security reviews and audits.
- Background investigations.
- Financial audits.
- Management oversight reports.

The controls used depend on the results of the business impact analysis, budget, management's threshold for risk, etc. However, once detection controls are in place, response processes must support them. Building containment and mitigation processes is the topic of next week's post.
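The log management passage above describes aggregating logs from disparate devices and letting a correlation engine build a picture of activity, and the Detection section says a detected event should initiate a Task/Action List. This added example (not from the article) shows a minimal version of that in Python: constructed firewall, authentication and antivirus log lines are grouped by host within a time window, and only when more than one source reports on the same host does a finding name the Task/Action List to start. The log format, source names and task list names (TAL-02, TAL-03) are all assumptions.

```python
"""Minimal log correlation (added example, not from the article): events from
disparate sources are grouped by host within a window, and a finding names the
Task/Action List to initiate. Format and task list names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, format: source|ISO timestamp|host|message
SAMPLE_LOGS = """\
firewall|2024-03-01T10:02:11|db01|outbound connection to unknown host blocked
auth|2024-03-01T10:04:40|db01|failed logon for admin from 10.0.5.9
antivirus|2024-03-01T10:05:02|db01|quarantined trojan in svc.exe
auth|2024-03-01T10:20:00|web01|failed logon for root from 10.0.5.9
"""

WINDOW = timedelta(minutes=10)
# Most specific pattern first: (sources that must all report, task list to initiate)
TASK_LISTS = [
    ({"firewall", "auth", "antivirus"}, "TAL-03 malware containment"),
    ({"firewall", "auth"}, "TAL-02 suspected remote intrusion"),
]

def parse(text):
    """Turn raw lines into (source, time, host, message) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        src, ts, host, msg = parts
        events.append((src, datetime.fromisoformat(ts), host, msg))
    return sorted(events, key=lambda e: e[1])

def correlate(events):
    """Return {host: task list} where sources reporting within WINDOW match a pattern."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[2]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        for i, (_, t0, _, _) in enumerate(evs):
            # every source that reported on this host within WINDOW of event i
            sources = {e[0] for e in evs[i:] if e[1] - t0 <= WINDOW}
            name = next((n for req, n in TASK_LISTS if req <= sources), None)
            if name:
                findings[host] = name   # first matching window per host wins
                break
    return findings

if __name__ == "__main__":
    for host, task in correlate(parse(SAMPLE_LOGS)).items():
        print(f"{host}: initiate {task}")
```

A single failed logon on web01 produces no finding, while the three sources agreeing on db01 within three minutes do; that is the "bits and pieces from disparate systems" the article refers to.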
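The Network infrastructure availability section says anomaly detection starts by baselining normal operation and then alerting on significant deviations. This added example (not from the article) works that through in Python for one metric: a constructed 24-hour baseline of outbound megabytes from a server gives a mean and standard deviation, live samples are scored against it, and an alert fires only when two consecutive samples leave the baseline, so a single noisy reading does not page the IRT. The metric, the 3-sigma threshold and the two-sample rule are assumptions.

```python
"""Baseline-then-monitor anomaly detection for one metric (added example, not
from the article). Assumed metric: hourly outbound MB from one server; an alert
needs consecutive out-of-baseline samples so one noisy reading does not page the IRT."""
from statistics import mean, pstdev

# Constructed: 24 hourly samples (MB) of normal operation used as the baseline
BASELINE_SAMPLES = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 46, 41,
                    39, 44, 42, 40, 43, 41, 45, 38, 42, 44, 40, 43]

# Constructed: live observations; index 2 is a lone spike, indices 4-6 a sustained jump
LIVE_SAMPLES = [41, 44, 70, 42, 160, 175, 190, 43, 41]

def build_baseline(samples):
    """Return (mean, stddev) describing normal operation; refuse a flat baseline."""
    sigma = pstdev(samples)
    if sigma == 0:
        raise ValueError("baseline has no variance; collect more samples")
    return mean(samples), sigma

def deviations(samples, baseline):
    """Express each sample as a z-score against the baseline."""
    mu, sigma = baseline
    return [(x - mu) / sigma for x in samples]

def alerts(samples, baseline, z_threshold=3.0, consecutive=2):
    """Return indices where an alert fires: the sample completes a run of
    `consecutive` readings that each deviate more than z_threshold from baseline.
    Each run fires once, so a long excursion does not flood the IRT."""
    fired, run = [], 0
    for i, z in enumerate(deviations(samples, baseline)):
        run = run + 1 if abs(z) > z_threshold else 0
        if run == consecutive:
            fired.append(i)
    return fired

if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    print(f"baseline mean={base[0]:.2f} MB, stddev={base[1]:.2f} MB")
    print("alert at sample indices:", alerts(LIVE_SAMPLES, base))
```

With the constructed data the lone spike at index 2 is ignored and the alert fires at index 5, the second sample of the sustained jump.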