Incident and emergency response

While we do our best with risk assessments and security planning including security documentation to reduce the probability of digital threats turning into incidents as well as reducing the possible impact of digital attacks and incidents, we need to prepare for responding to digital incidents.

If incidents turn into emergencies (temporary disruptions) or crisis (longer significant disruptions) depends the kind of incident and the capacities to respond.

It is important, to have an incident response procedure and workflow concerning digital incidents. Incidents should be reported, documented, responded to and learned from.

Three elements are key to incident response:

1 | Documenting and sharing incidents (reporting) 2 | Incident response

3 | Follow-up and learning (knowledge management)

In case of emergencies or crisis, step 2 includes specific crisis or emergency response.

Incident response to digital incidents most probably involves the persons responsible for the IT infrastructure and maintenance of an organisation. Based on their assessment management level would call in a crisis team or alike.

Within our team or organisation we need to have an agreement, when an incident will be called an emergency or crisis and be acted upon accordingly. Most organisations go for a simple indication: If an incident has the capacity to cause or is harming either persons or activities of our team or organisation, it is called an emergency (which can turn into longer crisis later).

Emergency Plans

Depending on the threats faced with the activities, emergency plans need to be in place, to be able to respond timely and without a lot of decision making processes involved. These emergency plans might have a generic Standard Operating Procedure which outlines, who is responsible for what (emergency response teams etc.), when an emergency is called emergency or crisis, what general steps are taken and when an emergency will be ended. Furthermore specific guidelines for specific digital emergencies are needed, like for

Account Breaches Data losses Device losses

Digital attacks on infrastructure or websites Online harrassment

Emergency Response Teams

For emergency response it is important not to have only one responsible team member like the Security Focal Point reacting, but a team, which includes members who:
 

Have the decision-making power (management) Have the technical expertise (IT-responsibility)

Have the capacity to coordinate emergency response (Security Focal Points)

Have the capacity to support with documenting all response steps for rotating coordination and later learning processes

And occasionally we would involve someone internally or externally, who

Has the capacity to emotionally support the emergency response of the team.

Members of Emergency Response Teams need to have sufficient time allocated for preparing for emergencies and their roles as well as being stripped off other tasks during emergencies.

If an emergency turns into a crisis due to length or impact, Emergency Response Teams need to work sustainably in shifts or on rotating basis, so that team members can take time out, regenerate and in this way not create the next internal crisis due to fatigue or burnout.