HFIH-01

Do you have a formal incident response plan?

Explanation

This question is asking whether your organization has a documented, structured approach to handling security incidents. A formal incident response plan is a documented set of procedures that outlines how your organization will detect, respond to, and recover from security incidents.

Why this is asked in security assessments:

1. It demonstrates preparedness for security breaches or incidents
2. It shows organizational maturity in security practices
3. It indicates whether the organization can effectively contain and remediate incidents when they occur
4. Many compliance frameworks (like NIST, ISO 27001, SOC 2) require formal incident response plans

A good incident response plan typically includes:

- Clear definitions of what constitutes an incident
- Roles and responsibilities during an incident
- Communication protocols (internal and external)
- Step-by-step procedures for containment, eradication, and recovery
- Documentation requirements
- Post-incident analysis procedures

When answering this question, be honest about the state of your incident response plan. If you have one, briefly describe its key components and how often it's reviewed and tested. If you don't have a formal plan but have some processes in place, explain those while acknowledging the lack of formality. If you have no plan at all, acknowledge this gap and outline any steps being taken to develop one.

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive incident response plan that follows the NIST SP 800-61 framework. The plan defines incident categories and severity levels, and outlines the roles and responsibilities of our incident response team. It includes detailed procedures for incident identification, containment, eradication, recovery, and post-incident activities. The plan is reviewed annually and tested through tabletop exercises quarterly. All incidents are documented in our ticketing system, and post-incident reviews are conducted to identify improvements. The plan was last updated in March 2023 and is available for review upon request.

Example Response 2

Yes, we have a formal incident response plan that is integrated with our business continuity planning. Our plan follows a six-phase approach: preparation, identification, containment, eradication, recovery, and lessons learned. We have established an Incident Response Team with representatives from the IT, Security, Legal, HR, and Communications departments. The plan includes specific playbooks for common incident types (e.g., ransomware, data breach, DDoS) and defines escalation paths based on incident severity. We conduct annual training for all team members and perform simulated incident exercises twice yearly. Our most recent plan revision was completed in January 2023 following our annual review process.

Example Response 3

No, we currently do not have a formal, documented incident response plan. Our incident handling is currently managed on a case-by-case basis by our IT team, who respond based on their technical expertise and judgment. We recognize this as a gap in our security program and have initiated a project to develop a formal incident response plan within the next quarter. We have already engaged a security consultant to help us develop appropriate procedures and are working to define incident categories, response procedures, and team responsibilities. In the interim, we maintain communication channels via our IT ticketing system and Slack for reporting and responding to potential security events.

Context

Tab: Infrastructure
Category: Incident Handling

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate, and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub