Whether it’s a building fire, hurricane, or data breach, a crisis is not the time to reinvent the wheel. The greater the confusion and stress, the more important it is to get ahead of it, to codify our best selves in an effective plan we’ll actually use.
Incident response planning is a cornerstone of information security programs, but too many plans end up on a shelf gathering dust until the next audit. A stale, unused plan is almost worse than having no plan: it can lull the organization into a false sense of security, without any meaningful preparedness.
We can definitely do better, with plans that are more concise, directive, specific, flexible, and free.
Five Traits of a Highly Effective Plan
An effective IR plan is concise: it gets straight to the point and does not contain abstract theory or long-winded policy. Its outline should fit in your working memory, even under stress.
Focus only on content that helps your team investigate, contain, eradicate, recover, and learn from the incident. The goal is impact, not word count.
Brevity can coexist with clarity. Be explicit, and refer to other documentation when necessary.
“Everything should be made as simple as possible, but not simpler."—Einstein
An effective IR plan is directive: it captures mandates (what you must do) and prohibitions (what you must not do), then gets out of the way when human judgment or improvisation is required.
An effective IR plan is specific: it is tailored to your mission, your people, your processes, and your technology. Start with a high-quality template, then pair it with details: which assets are critical, who has which role, what’s the communication strategy, what metrics/KPIs apply, what tools are in play, etc. It should also include sufficient detail for highly likely, or highly damaging threats.
The plan should reduce guess-work and pre-load decisions before chaos starts.
An effective IR plan is flexible: it is a living document with an easy-to-update structure. Things change often–threats, capabilities, priorities, personnel–the plan needs to keep up. To stay flexible without becoming generic the best plans are modular and split up functionality using things like playbooks and methodologies.
Great plans target a variety of audiences and circumstances—to use a plan you need to have it in front of you. Consider a setup that lets you generate multiple formats from one source.
An effective IR plan is free (like speech): it stands on the shoulders of giants, builds on best practices, and shares them in kind. No industry or community is immune from infosec threats, and effective response by each organization ensures our networks aren’t used as launch points for future attacks. Reducing cost and impact is in everyone’s interest—spend more on your mission and less on risk.
Certain specific aspects of each plan are sensitive and could be used by attackers, but the big ideas can and should be shared. Infosec herd immunity for the win.
An Incident Response Plan You Will Actually Use
We want to provide more than just advice, of course, we want to provide a real head-start. We built on some of the best available work, added a dash of our IR experience, and developed an incident response plan template we’d recommend to anyone.
This is a template to easily create a high-impact plan you’ll actually use. Give it a try, let us know what you think, or just submit a pull request with improvements! And if you’d like some help with incident response planning, incident response itself, or anything else infosec, don’t hesitate to contact us.