Identifying what is happening
Part of the recovery plan is identifying what is happening and taking steps to mitigate the issue. The NCSC’s 10 crucial questions will help you to identify what has occurred and take steps to deal with the incident.
Once you have identified the issue, your Incident Response Plan kicks into action. You’ll also need to confirm that everything is functioning normally, and fix any problems.
Action your Incident Response Plan.
Depending on the incident, this could involve:
- replacing or cleaning machines
- changing passwords
- restoring services through backups
- updating software
This may involve you contacting your IT team or external IT provider to help resolve the issue.
Ensure the incident is communicated appropriately, whether that be to staff, the wider business, or other stakeholders, as part of your Incident Response Plan. You might have to consider secure or alternative communications in the event of a sensitive incident where normal channels are unavailable due to an outage in your system. An example of a set of incident response team roles is shown on the NCSC page “Creating your Cyber Security Incident Response Team”.