In: Computer Science
Respond to the following in a minimum of 175 words:
An incident response plan (IRP) is a set of procedures to help an organization detect, respond to, and recover from security incidents.
List the roles and responsibilities that are included in an IRP.
Discuss how your organization (from Week 1) may respond to at least one cyberattack. The organization should have a response in accordance with the IRP.
I had chosen health care.
A Cyber Security Incident Response Plan (CSIRP) or simply an IRP is a set of procedures to help an organization detect, respond to, and recover from security incidents.
Below is the list of the roles and responsibilities included in an Incident Response Plan (IRP).
Our organization, or any organization in general, may respond to a cyberattack as below in accordance with the IRP:
* In general, from a broad and overall perspective and objective, the IRP should manage the company's operations, reputation, and legal fallout from the incident, attack, event, or crisis.
* The IRP should be strong, vigorous, and stringent.
* The IRP should include people in appropriate teams, per their teams' respective functions, to respond to the incident.
* Everyone should respect the IRP.
* The IRP should be effective.
* The IRP should be beneficial to the company after its implementation.
* The IRP should have security best practices.
* The IRP should have its own defined process.
* The IRP should have three different teams included and involved in the incidents the company goes through:
1) The Computer Security Incident Response Team (CSIRT).
2) The legal expert.
3) The Public Relations (PR)/communications expert.
* The IRP should make the organization confidently face the problem, event, or situation during and after the incident.
* The IRP, in general, should have:
1) Preparation of users, employees, and IT staff to handle the incident.
2) Identification of whether an incident is a real one or a fake or prank.
3) Containment, limiting the damage, loss, and downtime, and isolating affected systems and networks to stop any further damage.
4) Eradication of the affected systems and determination of the root cause of the incident.
5) Recovery of the affected systems back into the production environment, ensuring no further threats or attacks from those systems would occur.
6) Lessons learned, through documenting the incidents and the steps taken to resolve them, and analyzing and learning from the incident to improve any response efforts in case of potential future incidents.
* It should define and create a customized blueprint to quickly, effectively, and efficiently respond to and recover from the incident.
* The IRP should be considered very important, and the necessary time, effort, and investment should be allotted for it.
* The organization should have an Incident Response Team (IRT) of its own.
* The organization would and should first create and maintain an IRP.
* It should first detect the incident, attack, or systems and data breach.
* It should follow proper protocol to isolate and contain the threat.
* If possible, it should prevent the systems from being attacked and breached further by the incident.
* It should reduce the bad or negative effects of the incident.
* It should gauge, measure, predict, analyze, and determine when and how bad the damage could be.
* The IRP should protect the systems that are not yet affected, attacked, or breached.
* For online cyber-attacks in a company's network, one could probably take the systems offline accordingly until the incident is resolved.
* Once the incident is detected, it should be reported to the IRT.
* It should submit, log, investigate, and analyze incidents to resolve them.
* It should manage all its internal communications and updates during or right after the incidents.
* The company should communicate with its employees, shareholders, and other stakeholders, clients, partners, customers, the public, and the press about incidents or data breaches accordingly.
* The company as a whole should remediate incidents by recovering from, restoring from, and reversing or undoing the incident.
* It should recommend and even implement technology, process, procedure, policy, governance, and training changes after security incidents.
* It should limit the effects of the incident or event.
* It should recover from the incident or event back to normal work.
In the case of a health care or health sector organization, a company or a hospital should, per law, have a privacy officer of its own, who should respect the privacy legislation in its constituency. The health sector organization should adhere to and abide by the Personal (patient's or customer's) Health Information Protection Act. This privacy officer is integrated into information security planning and is assigned his own responsibilities during the IRP.