The plan should include a mission statement, strategies and goals, an organizational approach to incident response, metrics for measuring response capability, and a built-in process for updates, according to a revised version of NIST’s Computer Security Incident Handling Guide.
"This revised version encourages incident teams to think of the attack in three ways. One is by method—what's happening and what needs to be fixed. Another is to consider an attack's impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents", explained NIST researcher and co-author Tim Grance.
The guidance recommends that information about threats, attacks, and vulnerabilities be shared by organizations before attacks so each can learn from others. By reaching out to the trusted group during an attack, one of the partners may recognize the unusual activity and make recommendations to quash the incident quickly. Also, some larger agencies with greater resources may be able to help a smaller agency respond to attacks.
The guide provides recommendations for agencies to consider before adding coordination and information sharing to the incident response plan, including how to determine what information is shared with other organizations and consulting with legal departments.