Cyber Incident Response Plan – Master

Last updated: March 2025
If you’re dealing with an active cyber incident, call 0800 WITNESS immediately and proceed to the steps in Section C – Procedure.

Section A – Preface

Purpose

This plan outlines MTG’s procedures for responding to cyber incidents, including unauthorised access, privacy breaches, and cyberattacks. It follows the NIST SP 800-61 Rev. 2 framework and is divided into three sections:

  • Section A: Preface

  • Section B: Policy

  • Section C: Procedure

Document Control & Distribution

All members of the Cyber Incident Response Team (CIRT) are issued a printed and up-to-date copy of this plan. This plan aligns with incident response best practices and regulatory obligations.

Testing and Updates

The plan is reviewed:

  • After any major cyber incident or simulation (Post-Incident Review)

  • After any failed test or audit

  • At least annually

The Incident Response Lead is responsible for:

  • Initiating annual testing (e.g. tabletop exercises or real-incident reviews)

  • Assigning a note-taker to record improvement areas

  • Distributing updated versions to all CIRT members

Section B – Cyber Incident Response Policy

1. Scope and Policy

All staff must follow the procedures in this document when a cyber incident or privacy breach is discovered. Our policy prioritises compliance with the Privacy Act 2020 and the protection of staff, clients, and company data.

2. Incident Types

  • Cyber Incident: Includes unauthorised access, malware, denial-of-service, or data theft.

  • Privacy Breach: Any unauthorised or accidental access to personal information.

3. Incident Prioritisation

Incidents are prioritised based on:

  • Impact (e.g. financial, legal, reputational harm)

  • Urgency (how quickly the issue needs to be resolved)

4. Reporting External Incidents

Depending on severity, incidents may be reported to:

5. Monitoring Tools

  • Dark Web Monitoring – for compromised data

  • Social Media Monitoring – for brand/reputational issues

  • Credit Monitoring – for potential financial harm

  • Auto Communication Tools (DBACT) – for breach notifications

Section C – Incident Response Procedure

This section outlines the four NIST phases of cyber incident response.

Phase 1 – Preparation

Assign and train the Cyber Incident Response Team (CIRT) with defined roles:

  • Incident Controller – Overall command

  • Response Lead – Oversees planning/testing

  • Coordinator – Records actions and liaises with parties

  • Cybersecurity Lead – Technical security advisor

  • Technology Lead – Oversees IT systems

  • Applications Lead – Ensures continuity of critical software

  • Executive – Authorises spend, confirms key decisions

  • Legal, Risk, Privacy Officers – Manage compliance and reporting

  • PR/Communications – Issues internal/external updates

  • People & Culture – Supports team wellbeing

  • Forensic Expert & SMEs – Assist as needed

Phase 2 – Detection & Analysis

  1. Report Incident to the Service Desk or CIRT Controller

  2. Raise a ticket – Record all known details

  3. Notify CIRT

  4. Assess Incident – Is this an ongoing issue or operational error?

  5. Privacy Risk Check – Determine if personal information was breached

  6. Notify External Agencies if serious harm is possible

  7. Prepare Communications using pre-approved templates (DBACT)

Phase 3 – Containment, Eradication & Recovery

  1. Contain Threat

    • Lock accounts

    • Disconnect affected systems

    • Preserve forensic evidence

  2. Engage Third Parties if required

    • Incident Response Solutions: 0800 WITNESS or Campbell McKenzie – 021 779 310

  3. Eradicate Malware/Threats

    • Follow playbooks to clean and secure systems

  4. Recover Systems

    • Restore operations

    • Implement new controls

    • Review for recurring issues

  5. Document Findings

    • Impact summary

    • Affected systems

    • Lessons learned

    • Update PR/comms

Phase 4 – Post-Incident Activity

  • Conduct Lessons Learned Session

  • Update this Plan and playbooks accordingly

  • Evaluate response performance (people, systems, vendors)

  • Finalise incident report and present to the Board

Incident Response Firm Contact

Incident Response Solutions

  • Phone: 0800 WITNESS or 021 779 310 (Campbell McKenzie)

  • Email: support@incidentresponse.co.nz

  • Website: incidentresponse.co.nz

  • Location: Level 6, 41 Shortland Street, Auckland
