All organizations depend, at least in part, on their data to carry out day-to-day operations. Yet new, high-profile data breaches are reported every week, and the costs of those breaches continue to rise

The core elements of an incident response program are straightforward and quick to establish. Let’s take a look at the critical processes within an incident response program that may be easily implemented in your organization.

Critical Processes of an Incident Response Program

A structured response assures consistent incident research and action. Responses to security incidents that may involve data loss typically follow a workflow such as this:

  • Research the background details of the incident
  • Consult with incident response advisory resources
  • Develop, communicate and implement a resolution plan
  • Follow-up to identify improvements

Of course an Incident Response Program needs to be established before an incident is detected and a response is needed. Let’s start there.

Setting Up an Incident Response Program

Here’s how to quickly establish an incident response program:

    1. Identify an incident response leader who has good knowledge of your business and who is an effective and responsible problem solver.
    2. Assemble and empower a team of critical stakeholders, with clearly defined roles and responsibilities.
    3. Draft your incident response process and establish documentation standards. The key is consistency in how you respond to incidents. There’s no need for a complicated plan. Just make sure it works for your organization’s culture.
    4. Connect people and tools with the needed capabilities from around your organization. Chances are, much of what you need is already in place.
    5. Understand the most significant capability gaps relative to your draft incident response process and build a plan to address those gaps. Start with a minimum viable process, and then enhance it over time.

Detection of Events

New incident discovery comes from many different sources:

  • Internal users
  • Internal monitoring tools
  • Internal risk-assessment tools
  • External customer
  • External entities
  • Social media

The best place to start? Employee awareness. Make sure your workforce understands the security risks to the business and what to look for. It’s easy to overlook an anomaly when you believe everything is safe.

Second line of defense – automation. Monitoring tools, including analytics of anomalous traffic or user behavior, are invaluable.

Finally, keep an eye out on social media. Bad news travels fast. You don’t want to be the last to know.

Triage and Containment

The triage process begins as soon as a data incident is detected and it involves research to understand the situation and to determine which actions need to be taken and when. Ask the following questions:

  • What is the nature of the event?
  • Is the event ongoing?
  • Is the event known or likely to be known outside the organization?
  • Which systems, applications, products, or services have been affected?
  • Is customer, personal, or other sensitive data actually or potentially exposed or compromised?

“Containment” refers to all efforts to stop, contain, and control the incident and data loss. These actions need to be taken as soon as practically possible to prevent further data compromise.

Response Plans

As soon as the necessary steps have been taken to contain and control an incident, document all the actions taken and produce a response plan. Your plan may include: 

  • Actions to remediate
  • Notifications
  • Communications, both internal and external

It is important to understand the root cause, nature, and scope of the incident before creating the response plan.


After completing the activities in the response plan, review the status of the incident and summarize the lessons learned. Post-incident actions can improve future data security practices.

It makes sense to select a risk posture when it comes to post-incident action. In some cases, many actions will need to be undertaken, not all of which will provide the same levels of improvement, equivalent increases in security, or relative returns on investment.


The operation of your organization depends on its data.

Build an effective detection and response plan so that you can avoid fines and remediation costs, protect your organization’s reputation and employee morale, and maintain business.

The simplicity of the incident response process can be misleading. We also recommend tabletop exercises as an important step in pressure-testing your program.

For More Information

To learn more, please visit the Trust and Transparency Center.

The impact of a data breach.

cisco data protection essentials


Michelle Fleury

Senior Director

Supply Chain Transformation