4 Steps to Craft a Security Breach Response Plan

Written by Joe Kozlowicz on Thursday, June 30th 2016

SMBs and enterprises are both juicy targets for hackers, and breach reports continue to proliferate at alarming rates. IT departments are constantly scrambling to patch servers, block vulnerabilities, and monitor for suspicious activity, but keeping up can be difficult.

A data breach response policy is an essential piece of planning for Chief Security Officers and should be known and followed all the way down to beginner sysadmins and IT interns. Here are four steps to help you craft a response to a known security breach.

1) Identify risk areas

The first step to crafting a strong incident response plan is identifying the areas of your IT infrastructure that might be prone to attack. Examine who has access to your systems, their access points, and the technology used on both ends, both software and hardware. If your environment is particularly sprawling, you may want to contract a third party to help map and locate high-risk attack vectors.

For applications, this can entail all paths for data and network traffic to and from servers, storage, and network appliances; the code and software that protects network paths, including authorization, logs, and data validation; and the location of data at rest and in transit, especially encryption keys, essential business data, Personal Identifying Information (PII), health data, or intellectual property.

Be sure to consider both internal and external attacks by looking at the user roles and access levels granted, or in the case of unauthorized attacks, not granted. Think about how and why an attacker might be entering your environment and then classify possible attacks into groups.

Some entry points include:

If you have a disaster recovery plan or previously planned a migration to the cloud or a new data center, you have likely already identified weak points in your infrastructure, critical network configurations, and sensitive data that might need additional protection or compliance measures. You can reuse much of this in your security response plan.


2) Plan and inventory layered security

If you don’t already have security layers in place, now is the time to implement them. Employees must be trained to expect social engineering and to avoid insecure practices like weak passwords. Encrypt your most sensitive information. Patch planning, penetration testing, anti-virus/anti-malware, network sniffing, and active monitoring should all be used together as layers of a defense-in-depth shield, so that no single control is the only thing standing between an attacker and your data.

Your layers extend out to any third-party service providers as well. Make a complete list of the SaaS or IaaS products you use, along with any other third-party connections that might need additional protection, that would need to be notified of a breach on your end, or that could be used as an attack route themselves.


3) Lay out what happens during and after a breach

Keep training your employees and hammer home the importance of following a set plan. When a breach is detected (here are some tips on how to know when you’ve been hacked), your responders should follow four steps:

  1. Stop the security breach by halting access, turning off or isolating breached areas, or otherwise minimizing the damage as much as possible. Consider shutting down primary systems and taking advantage of backups or disaster recovery during this period.
  2. Look into what caused the incident: how did the attacker get in? What data was compromised? What security holes need to be plugged?
  3. Restore normal function once the breach has been stopped.
  4. Document and report the incident, including through legal or public channels as required. This may include draft language and draft notification letters to customers, employees, government agencies, and/or the media.


4) Review the plan with involved and tangential parties

Take the plan up and down your management structure for approval and review. C-levels and managers should understand the reasons for the plan and accept any additional expenses required. Your corporate legal team must review the plan in order to address any legal requirements, like the reporting of breached health data, and to limit your corporate liability in the event of a breach.

Finally, a team of security experts from your IT staff should be put in charge of the plan as a Security Response Team. Be sure leaders from other departments are aware of the steps this team will take as part of a breach response to limit the disruption to your business.


You’ll want to regularly test and audit your completed IT security response plan to make sure everyone involved knows their roles and to check for overlooked aspects or new security holes. Your IT environment is likely changing regularly, so check and audit your plan at least annually if not more often.