Cybersecurity professionals often say, “it isn’t a question of if you’ll experience an incident, it’s a matter of when.” Unfortunately, it’s more than just another clichéd phrase, as we see from the headlines every day. When a cybersecurity incident strikes, you need a well-prepared staff, coupled with a battle-tested plan.
A recent cybersecurity report found that close to 25 percent of organizations surveyed responded that they didn’t have an incident response (IR) plan in place. Of those that did, 51 percent said their plans “were not applied consistently across the enterprise or, worse, their plan was informal or ad hoc.”
In this blog, we’ll discuss six ways to create and maintain an actionable incident response plan.
1. Use Action Words
This might seem obvious, but it’s almost always the most overlooked aspect of any plan. When you’re writing, use active voice as much as possible in the main body of your text. For example, rather than talking about “containment,” use the word in its imperative form, “contain.” Instead of writing, “The incident response team is required to document each step in the investigation following a cybersecurity incident,” you could write, “The organization requires incident response team members to document each step in the investigation following a cybersecurity incident.” This approach won’t work for every section of your plan, but it should be a focus as you write it.
2. Limit the Gold Plating
When your responders and incident managers look for guidance on how to handle a situation, they should be able to find the information they need right away. In other words, don’t make them go through a preface, scope page, objectives page, a biography of each member of the team, introduction, letter from the CEO, preamble, a definition of terms, a signed poster from the Backstreet Boys, redefinition of terms, legal warning, a letter from the President of Antarctica—you get the idea.
Limit your boilerplate information to one, maybe two pages at the most. When your responders need to act fast, they should know exactly where to look to find what they need.
3. Practice the Plan
It’s important to exercise your IR plan, action words and all. I recommend running four exercises a year, roughly one a quarter, across the organization. At least one exercise should be cybersecurity-focused, one should concentrate on a natural disaster, and the other two should revolve around the issues du jour.
I also recommend four exercises a year that are specific to your IT and security teams: one full-scale functional exercise, one tabletop exercise and two no-notice drills on a hot topic. Ransomware, anyone?
4. Avoid Scope Creep
When people find out that C-suite executives have their eyes on an incident response plan, they often try to toss everything, including the kitchen sink, into it. I’ve seen all types of policy initiatives added to IR plans and power grabs attempted that would rival the porkiest of pork-barrel legislation. Remember that your IR plan shouldn’t be the place where your staff tries to sneak in ideas for implicit approval to receive funds or reshape cybersecurity policy.
5. Assume the IR Plan is Only a Starting Point
You shouldn’t and can’t plan for any and all scenarios. Acknowledge in the beginning that your IR plan isn’t going to cover everything from a meteor collision to a lightning strike in a firecracker factory. Your crystal ball is “in the shop” — and that’s okay.
Instead, focus on planning for the most likely situations. Direct your time and energy toward providing your team with a solid starting point rather than predicting every outcome and path toward resolution. For example, set up a simple table with some likely meetings, such as “10 AM Sync Brief” or “11 AM Executive Update.” Keep the details general, since the table is only a starting point and will certainly be modified to fit the circumstances at hand.
6. Use and Abuse Your Knowledge Management System
To keep your IR plan lean, actionable and focused, link to documents such as policies and operating procedures rather than pasting their full text into the plan. Use your knowledge management system (SharePoint, Jive) as your single source of truth for documentation. Otherwise, your incident response plan will look like someone overturned a Golden Corral buffet table onto the floor — a hot smelly mess.
Summary
Incident response planning is one of the most effective security investments you can make to protect your organization and prepare for the inevitable. Having an actionable incident response plan is also key to quickly mobilizing resources and getting back to a fully functional business state when an incident occurs. By testing the IR plan regularly, your team will be much better equipped to handle an incident. Moreover, developing a solid IR plan can foster team building and help you identify any gaps in your day-to-day operations.