This draft model cyber incident response plan (IRP) outlines how organizations can prepare for and respond to cyber attacks, data breaches, and other information security incidents. This is intended to provide guidance for developing an IRP but is not a comprehensive guide. Every organization will have different risks and unique issues which should be considered when developing an IRP.

Each incident presents unique facts and circumstances, making it difficult for organizations to prepare for every type of event that may arise. An incident response plan (IRP) provides a standard framework that helps organizations prepare for and effectively handle cyber attacks, data breaches, and other information security incidents.

This model IRP:

  1. Provides guidance for developing an IRP as applicable Canadian laws, regulations, and best practices may require for various organization types, including those mandated to maintain a comprehensive written information security program (WISP).
  2. Provides an outline of how organizations can prepare for and address information security incidents.
  3. Outlines the key elements that organizations should consider in developing an IRP.

Legal basis:

Some Canadian jurisdictions have enacted legislation requiring mandatory notification of breaches of security and/or unauthorized access, use or disclosure of personal information. These require timely notification to regulators and individuals of breaches which may give rise to a real risk of harm. It may be difficult for an organization to effectively comply with these requirements without an effective IRP.

Organizations also have obligations to mitigate privacy breaches in accordance with common law principles and may face liability for failing to do so. An IRP can help address responsible and timely mitigation.

An IRP will also help the organization demonstrate that it takes reasonable steps to protect personal information and other sensitive or confidential information, especially if an information security incident gives rise to potential civil claims or regulatory enforcement.

Overall, an established and practiced IRP will help an organization respond more rapidly and effectively to information security incidents.

"Incident" vs. "Breach"

We have intentionally used the term "incident" rather than "breach" or "data breach" in this draft. Organizations should be careful when using the term "breach" as it may have unintended legal implications. In some circumstances, "breach" alone or in conjunction with "privacy" or "security safeguards" has a legal meaning.

Not all incidents have legal implications; in fact, many do not. Some may be appropriately addressed through implementation of the IRP and some do not rise to the level necessary for IRP implementation.

Record keeping

Some legislation (PIPEDA, for example) requires organizations to keep records of all breaches of security safeguards of personal information under their control, whether there is a real risk of significant harm or not.

The following outline should be used to further consider the issues that require completion for the IRP.

1. Purpose. The purpose of this cyber incident response plan ("IRP") is to provide a structured and systematic incident response process for all information security incidents (as defined in Section 4, Definitions) that affect any of [ORGANIZATION]'s information technology ("IT") systems, network, or data, including [ORGANIZATION]'s data held or IT services provided by third-party vendors or other service providers.

1.1 Specifically, [ORGANIZATION] intends for this IRP to:

  1. Define [ORGANIZATION]'s cyber incident response process and provide step-by-step guidelines for establishing a timely, consistent, and repeatable incident response process.
  2. Assist [ORGANIZATION] and any applicable third parties in quickly and efficiently responding to and recovering from different levels of information security incidents.
  3. Mitigate or minimize the effects of any information security incident on [ORGANIZATION], its [customers/clients], employees, and others.
  4. Help [ORGANIZATION] consistently document the actions it takes in response to information security incidents.
  5. Reduce overall risk exposure for [ORGANIZATION].
  6. Engage stakeholders and drive appropriate participation in resolving information security incidents while fostering continuous improvement in [ORGANIZATION]'s information security program and incident response process.

1.2 [[ORGANIZATION] developed and maintains this IRP as may be required by applicable laws and regulations [, including [APPLICABLE LAWS AND REGULATIONS]].]

2. Scope. This IRP applies to [all [ORGANIZATION] business groups, divisions, and subsidiaries; their employees, contractors, officers, and directors; and [ORGANIZATION]'s IT systems, network, data, and any computer systems or networks connected to [ORGANIZATION]'s network /[DEFINE SCOPE]].

2.1 [Other Plans and Policies. [ORGANIZATION] may, from time to time, approve and make available more detailed or location or work group-specific plans, policies, procedures, standards, or processes to address specific information security issues or incident response procedures. Those additional plans, policies, procedures, standards, and processes are extensions to this IRP. [You may find approved information security policies and other resources at [RESOURCE LISTING].]]

3. Accountability. [ORGANIZATION] has designated [TITLE/PERSON] to implement and maintain this IRP (the "information security coordinator").

3.1 Information Security Coordinator Duties. [Among other information security duties [, as defined in [ORGANIZATION]'s written information security program ("WISP") available at [WISP REFERENCE],] the information security coordinator/The information security coordinator] shall be responsible for:

  1. Implementing this IRP.
  2. Identifying the incident response team ("IRT") and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents (see Section 5, Incident Response Team).
  3. Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents.
  4. Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures (see Section 11, Post-Incident Review).
  5. Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of this IRP (see Section 12, Plan Training and Testing).
  6. Reviewing this IRP at least annually, or whenever there is a material change in [ORGANIZATION]'s business practices that may reasonably affect its cyber incident response procedures (see Section 13, Plan Review).

3.2 Enforcement. Violations of or actions contrary to this IRP may result in disciplinary action, in accordance with [ORGANIZATION]'s information security policies and procedures and human resources policies. Please see [HR POLICIES REFERENCE] for details regarding [ORGANIZATION]'s disciplinary process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.