Incident Response: Plans vs. Policies  


According to a report by The World Economic Forum, existing approaches to cybersecurity are becoming less effective as cybercrime becomes more sophisticated. As cyber threats evolve and businesses grow, they need frameworks for taking action when cybersecurity is, or might become, compromised. This is where incident response comes in. Learn about this concept and its two major components, plans and policies, to enhance cybersecurity at your organization.

What Is Incident Response (IR)?

Incident response (IR) is the set of processes, policies, and technologies businesses use to identify, respond to, and mitigate cyberattacks. The goal is to prevent these incidents from occurring and, when they do happen, to work quickly to minimize their impact.

IR is needed in any situation where sensitive corporate data or information systems are vulnerable to loss, breach, or other damage. The following are common examples of threats to cybersecurity that may warrant IR:

  • Social engineering
  • Ransomware
  • Supply chain attacks
  • DDoS attacks
  • Cryptojacking

In some cases, incidents originate from inside the business. An employee or partner may deliberately jeopardize information security or leave an opportunity for hackers to get in by not following cybersecurity best practices.

Why Is Incident Response Important?

Cybersecurity threats have a monumental impact. TechTarget cites a study projecting the cost of cybercrime to reach $8 trillion in 2023 and rise to $10.5 trillion by 2025. Companies can expect to encounter some type of cyber threat, and those who have experienced this already know the trouble that can ensue following these attacks.

Incident response is not a guarantee against security challenges, but it does provide a means for taking action. Without IR, your business may be blindsided when computer security incidents occur, potentially costing you more time and money to fix than if you had been prepared. IR can also help you assess your current practices to identify weak points, enabling continuous improvement of information security.

What Is Incident Response Planning?

The incident response plan is the formal, written form of an organization's incident response. The document outlines how IT teams should react before, during, and after a computer security incident is confirmed or strongly suspected to have happened. In addition to specific instructions for IR, the plan details the processes and technologies needed to contain and eliminate the threat.

The National Institute of Standards and Technology (NIST) lists four components that every IR plan needs to be effective. They include:

Preparation

The first aspect of creating an incident response plan is determining which personnel make up the IR team. All staff involved must understand their roles and thoroughly know your company’s IR approach to react quickly during events.

Preparation also includes devising and implementing strategies to prevent incidents. NIST offers a Computer Security Incident Handling Guide with many items to consider before problems arise.

Detection and Analysis

In some cases, you might detect a security incident that is about to happen and respond, but in others, you won’t know cybersecurity has been compromised until after the fact. Detection is simply the process of realizing a security event occurred; analysis is verifying what the incident was to ensure you employ the right response.

Notification is integral at this phase. Depending on the data affected, you may need to reach out to the various parties that have a stake in your business, including customers, suppliers, and partners. You might also need to report the situation to law enforcement or government agencies.
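The distinction the article draws between detection (noticing that something happened) and analysis (verifying what it was before choosing a response) is easiest to see in code. The following is an added example written for this page, not code from the original article or from M.A. Polce: it runs a simple failed-login detection rule over a handful of constructed, syslog-style sshd lines, then analyzes the flagged source to classify the incident and record a notification decision. The host names, account names, IP addresses, the five-failure threshold and the "notify leadership on confirmed compromise" rule are all assumptions made up for the illustration.

```python
"""Added example: a minimal detection-and-analysis step over constructed
SSH authentication log lines. Detection flags that something happened (a
burst of failed logins from one source); analysis verifies what actually
occurred so the response and notification decisions rest on facts rather
than on the alert alone. All hosts, users and IPs are made up."""
import re
from collections import defaultdict

# Constructed sample log lines (syslog-style sshd entries); not real data.
SAMPLE_LOG = """\
Mar 04 09:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 04 09:12:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 04 09:12:04 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 04 09:12:06 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 04 09:12:08 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 04 09:12:09 web01 sshd[2201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 04 09:15:30 web01 sshd[2310]: Accepted publickey for deploy from 198.51.100.5 port 40100 ssh2
Mar 04 09:20:11 web01 sshd[2399]: Failed password for alice from 198.51.100.9 port 40211 ssh2
"""

# Matches the fields this example needs; lines in any other shape are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, threshold=5):
    """Detection: which source IPs produced at least `threshold` failed logins?
    The threshold is an assumed value for this example."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def analyze(events, flagged_ips):
    """Analysis: for each flagged source, verify what actually happened so the
    response matches the incident. A failure burst followed by an accepted
    login from the same source is classified as a likely account compromise;
    a burst with no success is a failed brute-force attempt."""
    incidents = []
    for ip, n in flagged_ips.items():
        from_ip = [e for e in events if e["ip"] == ip]
        succeeded = [e for e in from_ip if e["result"] == "Accepted"]
        compromised = succeeded[0]["user"] if succeeded else None
        incidents.append({
            "source_ip": ip,
            "failed_attempts": n,
            "targeted_accounts": sorted({e["user"] for e in from_ip}),
            "category": "account_compromise" if compromised else "brute_force_attempt",
            "compromised_account": compromised,
            "affected_host": from_ip[0]["host"],
            # Assumed notification rule for this example: escalate only when
            # analysis confirms a compromise, not on the raw detection alone.
            "notify_leadership": compromised is not None,
        })
    return incidents


def triage(log_text, threshold=5):
    """Run detection, then analysis, over one log text; return the incidents."""
    events = parse(log_text)
    return analyze(events, detect(events, threshold))


if __name__ == "__main__":
    for incident in triage(SAMPLE_LOG):
        print(incident)
```

Run stand-alone, the script reports one incident: the five failures from 203.0.113.7 trip the detection rule, and analysis upgrades it from "brute-force attempt" to "account compromise" because the same source then logged in as root, which is what flips the notification decision. The single failure from 198.51.100.9 never reaches analysis. The point for the plan is that the response chosen for a failed brute-force attempt and for a confirmed compromise differ, and only the analysis step tells them apart.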

Containment, Eradication, and Recovery

This is the most actionable stage of the IR plan. You’ll evaluate the strategies you intend to use to contain and eradicate the threat, considering the time and resources needed to employ the solution and other factors.

Once you remove the threat, you can begin recovery. You may reflect on weaknesses in your cybersecurity structure that led to the incident and make updates accordingly. You’ll also want to train relevant personnel in new approaches to security.

Post-Incident Activity

The final phase allows time to debrief from the incident. You’ll evaluate the event’s damage and contemplate how to prevent similar problems from happening again. It also encourages you to revisit your existing incident response plan and tweak it to account for what you learned from the incident.

An incident response plan is not only beneficial for facilitating a more intentional approach to security incidents. It can also save your employees from making costly mistakes and help you avoid fines or legal action. Moreover, businesses in industries beholden to certain compliance frameworks such as HIPAA, CIS, NIST-CSF, ISO 27001, and others may be in violation without an IR plan.

What Are Incident Response Policies?

What’s the difference between IR plans and IR policies? Unlike an incident response plan that details what to do when an incident occurs, the IR policy is a higher-level governance document that outlines such things as:

  • The requirement for the organization to have a plan in place
  • The major components of what the plan should contain
  • The timeframe and requirements for reviewing the plan to ensure it remains current

While there will inevitably be some crossover between the IR policy and plan, both are needed: the policy covers the business from a corporate policy and governance standpoint, and the plan ensures it knows how to execute a specific response when an event occurs.

Enhance Cybersecurity with M.A. Polce

As important as incident response is for your business, having strong cybersecurity measures in place can reduce the likelihood of events occurring in the first place. For this reason, it can be advantageous to work with a managed services provider (MSP) and managed security services provider (MSSP) like M.A. Polce.

At M.A. Polce, we offer a range of IT and cybersecurity solutions to small and medium-sized businesses. In addition to a full suite of cybersecurity services, our experienced team also assists with assessment and compliance. Contact us today to learn more about boosting information security at your business.

