Incident Response Plan
Goals for Incident Response

When a security incident occurs, timely and thorough action to manage its impact is critical to an
effective response. The response should limit the potential for damage by ensuring that actions are
well known and coordinated. Specifically, the response goals are:
1. Preserve and protect the confidentiality of constituent and employee information and ensure the
integrity and availability of Achala IT Solutions systems, networks and related data.

2. Help Achala IT Solutions systems personnel recover their business processes after a
computer or network security incident or other type of data breach.

3. Provide a consistent response strategy to system and network threats that put Achala IT
Solutions systems data and systems at risk.

4. Develop and activate a communications plan including initial reporting of the incident as well as
ongoing communications, as necessary.

5. Address cyber-related legal issues.

6. Coordinate efforts with external Computer Incident Response Teams and law enforcement.

7. Minimize Achala IT Solutions systems reputational risk.

Purpose and Scope

This plan provides practical guidelines for responding to cyber security and data breach incidents in a
consistent and effective manner. It establishes a team of first responders to an incident with defined
roles, responsibilities, and means of communication.
While this plan is primarily oriented around cyber-related incidents and breaches, it can also be used
for data breaches that do not involve computer systems.

Incident Response Team (IRT)

A team composed of company staff, advisors, and service providers, known as the Incident Response
Team (IRT), shall be responsible for coordinating incident responses. The IRT shall consist of the
individuals listed in Appendix A, with the roles and responsibilities noted there. The team has both
primary and secondary members. The primary members act as first responders, or as informed
members, for any incident that warrants IRT involvement according to its severity. The entire IRT is
informed and involved in the most severe incidents.
IRT members may take on additional roles during an incident, as needed. Contact information,
including a primary and secondary email address plus office and mobile telephone numbers, shall be
maintained and circulated to the team. The IRT will draw upon additional staff, consultants or other
resources (often referred to as Subject Matter Experts, SMEs) as needed for the analysis,
remediation, and recovery phases of an incident. The Information Technology (IT) function plays a
significant role in the technical details of incident detection and response and can be considered an
SME in that regard.
One member of the IRT shall be designated as the Incident Response Manager (IRM), who takes on
the organizational and coordination role for the IRT whenever the IRT is activated in response to an
incident.

Incident Response Life Cycle Process

Incident response management is an on-going process with a cyclical pattern. The specific incident
response process elements that comprise the Incident Response Plan include:

1. Preparation: The on-going process of maintaining and improving incident response capabilities
and preventing incidents by ensuring that systems, networks, applications, and data handling
processes are sufficiently secure, and that employee awareness training is in place. Practice
exercises (table-top exercises) for the IRT are conducted periodically, where various incident
scenarios are presented to the team in a practice session.

2. Identification: The process of confirming, characterizing, classifying, categorizing, scoping, and
prioritizing suspected incidents.

3. Notification: Alerting IRT members to the occurrence of an incident and communicating
throughout the incident.

4. Containment: Minimizing financial and/or reputational loss, theft of information, or service
disruption. Initial communication with constituents and news media, as required.

5. Eradication: Eliminating the threat.

6. Recovery: Restoring computing services to a normal state of operation and resuming business
activities quickly and securely. Providing reputational repair measures and news media updates,
if needed. Providing credit monitoring services to affected constituents, or other remediation
measures, as appropriate.

7. Post-incident Activities: Assessing the overall response effectiveness and identifying
opportunities for improvement through 'lessons learned' or mitigation of exploited weaknesses.
Incorporating the incident's learnings into the cyber fortification efforts and the response plan, as
appropriate.

These process elements are depicted in Figure 1, showing the closed loop nature of the process, in
that the learnings from any prior incidents are used to improve the prevention and response process of
potential future incidents.

Incident Response Plan <Date> <Version #>

Figure 1: Incident Response Life Cycle. A closed loop of Preparation, Identification, Notification,
Containment, Eradication, Recovery and Post-Incident, with Post-Incident feeding back into
Preparation.
Incident Occurrence & Awareness
The way an incident becomes known will have an impact on the response process and its urgency.
Examples by which Achala IT Solutions becomes aware of an incident include, but are not limited to
the following:
1. Achala IT Solutions discovers through its internal monitoring that a cyber incident or data
breach has occurred.

2. Achala IT Solutions is notified by one of its technology providers of an incident, or otherwise
becomes aware of the same.

3. Achala IT Solutions is made aware of a breach through a constituent or a third-party
informant.

4. Achala IT Solutions and the public are made aware of the incident through the news media.


Incident Response Process Detail

The response process, at a detail level, covers six of the seven life cycle phases; it excludes the
Preparation phase. The detailed steps and general timing of an incident response are outlined
below, by phase. The IT function is specifically called out as an involved party, separate from other
SMEs.

Identification (approximate timing: hours)
Involved parties: IT and any monitoring service provider
1. Identify and confirm that the suspected or reported incident has happened and whether
malicious activity is still underway.
2. Determine the type, impact, and severity of the incident by referring to Appendices B, C, and D.
3. Take basic and prudent containment steps.

Notification (approximate timing: hours to 1 day)
Involved parties: IT and IRT
4. Inform or activate the IRT, based on the severity of the incident as outlined in Appendix D, and
provide the type, impact, and details of the incident to the extent that they are known.
5. Determine the need for Subject Matter Experts (SMEs) to be involved in the Containment,
Eradication, and Recovery processes.

Containment (approximate timing: hours to 2 days)
Involved parties: IRT, IT, SMEs
6. Take immediate steps to curtail any on-going malicious activity or prevent repetition of past
malicious activity.
7. Re-direct public-facing websites, if needed. Provide initial public relations and legal responses
as required.

Eradication (approximate timing: days to weeks)
Involved parties: IT, IRT, SMEs
8. Provide full technical resolution of the threat and related malicious activity.
9. Address public relations, notification, and legal issues.

Recovery (approximate timing: weeks to months)
Involved parties: SMEs, IRT
10. Recover any business process disruptions and regain normal operations.
11. Address longer-term public relations or legal issues, if required, and apply any constituent
remedies.

Post-incident (approximate timing: months)
Involved parties: IRT
12. Formalize documentation of the incident and summarize learnings.
13. Apply learnings to future preparedness.

Communication Methods
Company communication resources (email, phone system, etc.) may themselves be compromised
during a severe incident. Primary and alternate methods of communication using external
infrastructure will be established and noted on the IRT member contact list to provide specific
methods of communication during an incident. The IRT and any other individuals involved in an
incident resolution will be directed as to which communication method will be used during the
incident.

Information Recording
Information recording is very important during an incident, not only for effective containment and
eradication efforts, but also for post-incident lessons learned, as well as any legal action that may
ensue against the perpetrators. Each member of the IRT shall be responsible for recording information
and chronological references about their actions and findings during an incident, using the IRT Incident
Record Form in Appendix E.
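The paragraph above says the incident record must survive as evidence for post-incident review and possible legal action. A plain document can be edited after the fact without trace, so the example below, added here and not part of the plan or any Achala IT Solutions system, keeps the Appendix E fields (Date/Time, Recorded By, Detail) in an append-only record where each entry also carries the SHA-256 of the previous entry. The genesis value, the sample entries, the names and the incident number are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical anchor value for the first entry (an assumption of this example).
GENESIS_HASH = "0" * 64


@dataclass
class RecordEntry:
    """One row of the Appendix E form plus the chaining fields."""
    seq: int
    timestamp: str
    recorded_by: str
    detail: str
    prev_hash: str
    entry_hash: str = ""

    def canonical(self) -> bytes:
        # Stable byte encoding (sorted keys, no extra whitespace, entry_hash
        # excluded) so every verifier computes exactly the same digest.
        body = {
            "seq": self.seq,
            "timestamp": self.timestamp,
            "recorded_by": self.recorded_by,
            "detail": self.detail,
            "prev_hash": self.prev_hash,
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class IncidentRecord:
    """Append-only incident log; each entry commits to the hash of the previous one."""

    def __init__(self, incident: str, discovery_date: str) -> None:
        self.incident = incident
        self.discovery_date = discovery_date
        self.entries: List[RecordEntry] = []

    def append(self, recorded_by: str, detail: str, timestamp: Optional[str] = None) -> RecordEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = RecordEntry(len(self.entries) + 1, ts, recorded_by, detail, prev)
        entry.entry_hash = hashlib.sha256(entry.canonical()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS_HASH
        for expected_seq, entry in enumerate(self.entries, start=1):
            if entry.seq != expected_seq or entry.prev_hash != prev:
                return entry.seq  # an entry was removed, reordered, or inserted
            if hashlib.sha256(entry.canonical()).hexdigest() != entry.entry_hash:
                return entry.seq  # entry content was changed after recording
            prev = entry.entry_hash
        return None

    def head(self) -> str:
        """Latest hash; publishing it out of band pins every earlier entry."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH


def build_sample_record() -> IncidentRecord:
    # Constructed sample entries for illustration; names, times and the
    # incident number are invented and not taken from the plan.
    rec = IncidentRecord(incident="INC-0001 (hypothetical)", discovery_date="2024-03-04")
    rec.append("Head of IT", "Monitoring vendor reported outbound beaconing from HR-PC-17.",
               "2024-03-04T09:12:00+00:00")
    rec.append("Head of IT", "HR-PC-17 isolated from the network; disk image started.",
               "2024-03-04T09:40:00+00:00")
    rec.append("IRM", "IRT activated at severity 3; Legal Counsel notified (possible PII).",
               "2024-03-04T10:05:00+00:00")
    return rec


def tamper_demo() -> tuple:
    """Show that a silent edit or deletion is detected by verify()."""
    rec = build_sample_record()
    intact = rec.verify()  # None: chain is good
    rec.entries[1].detail = "HR-PC-17 left on the network."  # after-the-fact edit
    edited = rec.verify()  # 2: entry 2 no longer matches its own hash
    rec = build_sample_record()
    del rec.entries[1]  # entry 2 quietly removed
    deleted = rec.verify()  # 3: entry 3's seq and prev_hash no longer line up
    return intact, edited, deleted


if __name__ == "__main__":
    print(tamper_demo())
```

A hash chain only detects changes made after a hash has left the recorder's hands, so the value returned by head() should be sent out of band at regular intervals (for example, to Legal Counsel using the alternate communication method from the Communication Methods section); anyone holding an earlier head can then prove that every entry before it is unchanged.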

Incident Response Exercises


The IRT should conduct ‘table-top’ exercises to practice the response process on a periodic
basis, but at least annually, so all members of the IRT are familiar with the activities that would
occur during an actual incident and their related responsibilities. The exercises may provide
the opportunity for enhancing coordination and communication among team members.

Summary
No perfect script can be written for the detailed activity encountered and decisions that will need to be
made during an incident, as each incident will have its own uniqueness. This plan shall serve as a
framework for managing cyber security and data breach incidents, allowing the details of confirmation,
containment, eradication, and communication to be tailored to fit the specific situation.


Appendix A – ACHALA IT SOLUTIONS - Incident Response Team (IRT)

Team Members and Roles - Substitute staff names and titles below as appropriate. Not all the positions may be
available in your organization and/or the same person may have multiple roles within the IRT.

Primary Team Members

1. KRISHNA G - <Head of Information Technology>
a. Maintain proactive cybersecurity policies and procedures
b. Discover and/or verify cyber incidents
c. Notify IRT members of incidents and provide updates
d. Coordinate computer forensic and technical remediation activities
e. Apply corrective actions to technology infrastructure

2. <KRISHNA> (IRM)
a. Coordinate communications and activities of the IRT when it is activated

3. <Executive level manager in charge of financial management>
a. Financial impact and financial data exposure

4. <Executive level manager in charge of external communications and public relations>
a. Public relations
b. News media management
c. External and internal communication

5. SRAVANI - <Executive level manager in charge of human resources>
a. Communication to employees
b. Employee data exposure issues

6. <Executive level manager in charge of company operations>
a. Operational impact and/or overall data exposure assessment

7. <Executive level manager in charge of physical security>
a. Building access and control

Secondary Team Members

8. <Security event monitoring vendor and/or computer forensics vendor>
a. Detection
b. Mitigation
c. Technical forensics

9. <Legal representative>
a. Legal advisor
b. Contractual matters

10. <Public relations vendor>
a. Public relations advisor

11. <Cyber insurance provider>
a. Cyber insurance advisor

Contact information and communication methods for the IRT members should be distributed to the team separately as
confidential information.


Appendix B - Incident Categorization

COMMON CATEGORIES OF CYBER INCIDENTS

Unauthorized Access: When an individual or entity gains logical or physical access without
permission to a company network, system, application, data, or other resource.

Denial of Service (DoS, DDoS): An attack that successfully prevents or impairs the normal
authorized functionality of networks, systems, or applications by exhausting resources.

Malicious Code: Successful installation of malicious software (e.g., a virus, worm, Trojan horse, or
other code-based malicious entity) that infects an operating system or application.

Improper or Inappropriate Usage: When a person violates acceptable computing policies,
including unauthorized access or data theft.

Suspected PII Breach: An incident where it is suspected that Personally Identifiable Information
(PII) has been accessed.

Suspected Loss of Sensitive Information: An incident that involves a suspected loss of sensitive
information (not PII) that occurred because of Unauthorized Access, Malicious Code, or Improper
(or Inappropriate) Usage, where the cause or extent is not known.


Appendix C – Incident Impact Definitions

Each security objective is listed with its general description and examples of Low, Medium and
High potential impact.

Confidentiality
Security objective: Preserving restrictions on information access and disclosure, including means
for protecting personal privacy and proprietary information.
General description: The unauthorized disclosure of information could be expected to have the
following adverse effect on organizational operations, organizational assets, or individuals.
Low: Limited to a single or several Users and computers in an isolated fashion, with easy
remediation.
Medium: Involving or affecting a group of Users, resulting in access to proprietary information.
Limited or no external exposure.
High: A severe breach of proprietary information with external exposure.

Integrity
Security objective: Guarding against improper information modification or destruction; includes
ensuring information non-repudiation and authenticity.
General description: The unauthorized modification or destruction of information could be
expected to have the following adverse effect on organizational operations, organizational assets,
or individuals.
Low: Inadvertent or non-malicious alteration or deletion of company data that is easily remediated.
Medium: An on-going improper data alteration act (or series of acts) of a malicious or negligent
nature that has a moderate business impact.
High: A massive alteration or destruction of company data of a malicious or obstructive nature.

Availability
Security objective: Ensuring timely and reliable access to and use of information systems.
General description: The disruption of access to or use of information or an information system
could be expected to have the following adverse effect on organizational operations,
organizational assets, or individuals.
Low: Isolated outage or inaccessibility affecting a limited number of Users for a short amount of
time (less than 2 hours).
Medium: A widespread outage or inaccessibility of a primary business system lasting more than
2 hours, but less than a day.
High: Severe outage or inaccessibility of the company business systems lasting a day or more.


Appendix D - IRT Incident Severity & Response Classification Matrix

Severity levels run from 0 to 5, with 5 the most severe. For each level the matrix gives the incident
characteristics, a typical example of incident impact, the expected response, and whether the IRT
is activated.

Severity Level 5
Incident characteristics: DDoS attack against on-premise or hosted servers. Active attacks against
network infrastructure. Access to internal company data by nefarious parties.
Typical example of incident impact: An enterprise-wide attack involving multiple departments that
prevents access to systems and disrupts business operations. Access to or theft of proprietary data.
Response: IRT and the IRM direct the response. Remediation coordinated by IT, Forensics, and
SMEs. Possible Legal Counsel and Law Enforcement involvement.
Activate IRT? Full Team Active.

Severity Level 4
Incident characteristics: Affects data or services for a group of individuals and threatens sensitive
data, or involves accounts with elevated privileges with unauthorized access to data.
Typical example of incident impact: Compromised business application. Improper or potential
threat to sensitive data.
Response: Response coordinated by IRM, IT, and SMEs; IRT advised. Legal Counsel specifically
notified if there is a PII breach.
Activate IRT? Full Team Informed and Advised.

Severity Level 3
Incident characteristics: Affects data or services of a single individual, but involves significant
amounts of sensitive data; may include PII.
Typical example of incident impact: Employee computer or account with sensitive data access
compromised; physical theft of a device, unprotected media, or hard copy data.
Response: Response coordinated by IT or IRM, with information sent to the IRT members. Legal
Counsel notified if a PII breach.
Activate IRT? Primary Team Informed.

Severity Level 2
Incident characteristics: Affects data or services of a group of individuals with no sensitive data
involved.
Typical example of incident impact: Compromise of an account or device with shared folder access.
Response: Response coordinated by IT. IRM advised and IRT informed. IT documentation process
used to record findings.
Activate IRT? Primary Team Informed.

Severity Level 1
Incident characteristics: Affects data or services of a single individual with no sensitive data
beyond them; focus is on correction and future prevention.
Typical example of incident impact: Compromised computer with no sensitive data, etc.
Response: Documentation of issue and findings. Response/remediation coordinated by IT; IRM
advised of incident.
Activate IRT? No.

Severity Level 0
Incident characteristics: Occurrences of very minor or undetermined focus, origin and/or effect for
which there is no practical follow-up.
Typical example of incident impact: Impaired computer requiring review of system access logs,
AV scans, or other repairs.
Response: Documentation through normal IT support processes to record actions and resolution.
Reset passwords as needed.
Activate IRT? No.


Appendix E - IRT Incident Record Form

Incident:
Discovery Date:
Recorded By:
Page ___ of ___ Pages

Recorded Information and Events

Date/Time | Detail


Document Version History

Version Date Changes/Notations

1.0 <Insert Release date> Initial release
