An IR Plan You Will Actually Use

Concise, directive, specific, flexible, and free

Summary

Incident response planning is a cornerstone of information security programs, but too many plans end up on a shelf gathering dust until the next audit.

A stale, unused plan is almost worse than having no plan: it can lull the organization into a false sense of security, without any meaningful preparedness.

We can definitely do better, with plans that are more concise, directive, specific, flexible, and free. We’ve created a high-quality incident response plan template to get everyone started.

Introduction

Whether it’s a building fire, hurricane, or data breach, a crisis is not the time to reinvent the wheel. The greater the confusion and stress, the more important it is to get ahead of it, to codify our best selves in an effective plan we’ll actually use.

Incident response planning is a cornerstone of information security programs, but too many plans end up on a shelf gathering dust until the next audit. A stale, unused plan is almost worse than having no plan: it can lull the organization into a false sense of security, without any meaningful preparedness.

We can definitely do better, with plans that are more concise, directive, specific, flexible, and free.

Five Traits of a Highly Effective Plan

Concise

An effective IR plan is concise: it gets straight to the point and does not contain abstract theory or long-winded policy. Its outline should fit in your working memory, even under stress.

Focus only on content that helps your team investigate, contain, eradicate, recover, and learn from the incident. The goal is impact, not word count.

Brevity can coexist with clarity. Be explicit, and refer to other documentation when necessary.

“Everything should be made as simple as possible, but not simpler.”—Einstein

Directive

An effective IR plan is directive: it captures mandates (what you must do) and prohibitions (what you must not do), then gets out of the way when human judgment or improvisation is required.

Specific

An effective IR plan is specific: it is tailored to your mission, your people, your processes, and your technology. Start with a high-quality template, then pair it with details: which assets are critical, who holds which role, what the communication strategy is, which metrics/KPIs apply, which tools are in play, and so on. It should also include sufficient detail for highly likely or highly damaging threats.

The plan should reduce guesswork and pre-load decisions before chaos starts.

Flexible

An effective IR plan is flexible: it is a living document with an easy-to-update structure. Things change often (threats, capabilities, priorities, personnel), and the plan needs to keep up. To stay flexible without becoming generic, the best plans are modular and split functionality into units such as playbooks and methodologies.

Great plans target a variety of audiences and circumstances: to use a plan, you need to have it in front of you. Consider a setup that lets you generate multiple formats from one source.

Free

An effective IR plan is free (like speech): it stands on the shoulders of giants, builds on best practices, and shares them in kind. No industry or community is immune from infosec threats, and effective response by each organization ensures our networks aren’t used as launch points for future attacks. Reducing cost and impact is in everyone’s interest—spend more on your mission and less on risk.

Certain specific aspects of each plan are sensitive and could be used by attackers, but the big ideas can and should be shared. Infosec herd immunity for the win.

An Incident Response Plan You Will Actually Use

We want to provide more than just advice, of course: we want to provide a real head start. We built on some of the best available work, added a dash of our IR experience, and developed an incident response plan template we’d recommend to anyone.

We were inspired by the NIST Computer Security Incident Handling Guide (SP 800-61r2), PagerDuty’s Incident Response Documentation, CERT Société Générale’s Incident Response Methodologies, and many more resources besides. The concepts are consistent with the material in popular IR books and taught in reputable IR training, but any errors are ours, and we welcome your contributions.

  • It’s concise, with a core only 14 well-whitespaced pages in stylish pdf, and just over 4000 words out of the gate (including instructions!)
  • It’s directive, almost exclusively in the imperative mood
  • It’s specific, or at least makes it easy to be specific with playbooks and roles and room for unlimited customization
  • It’s flexible, built out of markdown modules that can be updated independently and converted to html, pdf, etc., using pandoc or tools of your choice
  • It’s free, released under the Apache 2.0 license
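The modular, one-source-many-formats setup described under Flexible and in the list above, as an added example rather than the template’s own build script: it assembles independently editable markdown modules into a single plan source and renders html and pdf with pandoc when it is installed. The module file names and the sample module contents are constructed assumptions, not the template’s real layout.

```shell
#!/bin/sh
# Added example (not the template's own tooling): build one IR plan from
# modular markdown files so roles, playbooks and methodologies can be edited
# independently. File names below are assumed, not the template's real layout.
set -e

# Constructed sample modules so the script runs offline.
make_sample_modules() {
  dir="$1"
  mkdir -p "$dir/playbooks"
  printf '# Incident Response Plan\n\nDo not improvise what is already decided.\n' > "$dir/00-intro.md"
  printf '## Roles\n\nIncident Commander: coordinates, does not investigate.\n' > "$dir/10-roles.md"
  printf '## Playbook: Phishing\n\n1. Preserve the message.\n2. Contain the account.\n' > "$dir/playbooks/phishing.md"
}

# Concatenate core modules (numbered, so order is explicit) and then the
# playbooks into one markdown source, separated by blank lines.
assemble_plan() {
  dir="$1"; out="$2"
  : > "$out"
  for f in "$dir"/[0-9]*.md "$dir"/playbooks/*.md; do
    [ -f "$f" ] || continue          # skip unmatched globs
    cat "$f" >> "$out"
    printf '\n' >> "$out"
  done
}

# Render html and pdf from the single assembled source; degrade gracefully
# when pandoc or a pdf engine is missing so the markdown is still usable.
render_plan() {
  src="$1"
  if command -v pandoc >/dev/null 2>&1; then
    pandoc "$src" -s -o "${src%.md}.html"
    pandoc "$src" -o "${src%.md}.pdf" 2>/dev/null || echo "no pdf engine; html only"
  else
    echo "pandoc not installed; assembled source left at $src"
  fi
}

build_dir="${BUILD_DIR:-$(mktemp -d)}"
make_sample_modules "$build_dir"
assemble_plan "$build_dir" "$build_dir/plan.md"
render_plan "$build_dir/plan.md"
```

Editing a single module (say, adding a playbook file) and re-running the script regenerates every output format from the same source.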

Plan Cover

Conclusion

This is a template to easily create a high-impact plan you’ll actually use. Give it a try, let us know what you think, or just submit a pull request with improvements! And if you’d like some help with incident response planning, incident response itself, or anything else infosec, don’t hesitate to contact us.