How to create an incident response plan

September 25, 2014

By Holly Vandervort, NAID Chief Compliance Officer

One of the more game-changing additions to the NAID AAA Certification Program in 2014 was the requirement for certified companies to develop a written incident response plan for suspected or known security incidents. The NAID Certification Rules Committee developed this criterion in direct response to data protection regulations that require all security incidents to be thoroughly investigated and documented. It is designed to dovetail with the 2012 certification program addition that requires employees to notify management of data breaches; once a security incident is reported, management has a legal and ethical responsibility to investigate the occurrence.

To help companies implement an incident response plan, NAID has developed a Sample Incident Response Plan Form for documenting all incidents and their outcomes. This form includes the following elements:

  • Incident information and descriptions: General information about how the incident was reported, and by whom, as well as where the incident occurred and which clients may be affected.
  • Incident investigation: Description of the incident, the timeline, and notes regarding the occurrence. The investigation should also determine whether confidential material was accessed by unauthorized individuals.
  • Remediation: The actions taken by management as a result of the investigation. This may include notification to clients if a breach is confirmed, as well as steps taken to reduce the likelihood of a recurrence, such as retraining employees or revising policies.

The above elements should also be incorporated into the company's written policies and procedures, together with the specific company practices to follow during the information-gathering, investigation, and remediation stages. Please direct all questions to the certification department at [email protected] or 602-788-6243.