Incident Response Plans

Incident Response plans Direct link to this section

As an Incident Response (IR) Jumpstart customer, you can build your IR plan within the Cyber Essentials portal. If you experience a major cybersecurity incident, IR plans can help you quickly access incident response experts who can assist with identifying and containing cyberattacks, as well as restoring the organization to pre-incident operations.

Examples of major cybersecurity incidents include:

• Ransomware and business email compromise

• Privilege escalation

• Insider threat

• Brute force attack

• Phishing

• Malware

• Denial-of-service

• Man-in-the-middle

• Password attack

Prepare your incident response plan Direct link to this section

1. Build an IR plan in Cyber Essentials.

2. Review the IR plan.

Step 1: Build an IR plan in Cyber Essentials Direct link to this section

1. In the Arctic Wolf Unified Portal, click App Launcher > Cyber Essentials.

2. On the Incident Response plan tile, click Open.

3. On the Response Team tab:

   1. In the Executive Response Leader section, click Add info.
   2. Enter the contact information for the leader.
   3. Click Save.
   4. (Optional) Add additional contacts by clicking Add info next to a labeled section or clicking Add Additional Leader.
   5. (Optional) Enter the stakeholder contact information.
   6. (Optional) Click Save.
   7. Click Continue.

4. On the External Providers tab:

   1. Verify that your IR provider is Arctic Wolf.
   2. (Optional) Add external providers by clicking Add info next to a labeled section or clicking Add Additional IT Provider.
   3. (Optional) Enter the provider information.
   4. (Optional) Click Save.
   5. Click Continue.

5. On the Locations and Networks tab:

   1. In the Primary Business Location section, click Add info.
   2. Enter the address and server information.
   3. Click Save.
   4. (Optional) Add additional locations by clicking Add info next to a labeled section or clicking Add Additional Location.
   5. (Optional) Enter the location or network information.
   6. (Optional) Click Save.
   7. Click Continue.

6. On the Incident Escalation tab:

   1. In the Incident Detection section, click Add info.
   2. Respond to the questions.
   3. Click Save.
   4. Repeat for the subsequent sections, and then click Continue.

7. On the Critical Business Functions tab, do the following for each business function that is high priority in the event of restoration following a security event:

   1. Click Add New Critical Business Function.
   2. Enter details about the business function.
   3. Click Add New System for each supporting system for that function.
   4. Enter details about the system.
   5. Click Save for the system information.
   6. Click Save for the business function.

8. On the Critical Business Functions tab, click Finish.

Step 2: Review the IR plan Direct link to this section

The review process differs depending on if you have an assigned Concierge Security® Team.

Request an IR plan review from a CST Direct link to this section

• Contact your CST and inform them that your IR plan is complete and ask any remaining questions. The CST reviews your IR plan for gaps.

Schedule an IR plan review session Direct link to this section

If you do not have an assigned CST, you will receive an email that includes a link to schedule the session with an IR Director.

1. On the scheduling page, select a date and time.

2. Click Confirm.

3. Provide your name, email, organization, and any preliminary questions or topics you want to cover during the session.

4. Click Add Guests to add other attendees.

5. Click Schedule Event.

You will receive a confirmation email and calendar invite for the selected date and time.

At the scheduled time, click the Zoom meeting link in the calendar invite.