Best Practice Series: Response Plans

Responding quickly, calmly, and effectively to a security incident isn’t always easy. Emotions run high and time is of the essence, which is why having a detailed, well-thought-out response plan is so important. Planning your organization’s response, assigning tasks, and making sure everyone on your team is prepared can streamline the process, increase the likelihood of a successful outcome, and give everybody peace of mind.

In today’s installment of Armor’s cybersecurity best practices blog series, we’re diving into cybersecurity incident response (IR) plans and why they’re crucial to your organization.

The importance of an incident response plan

IR plans prepare your organization for threats by codifying the policies, plans, and procedures associated with every aspect of emergency response. Simply creating and maintaining a cybersecurity response plan improves your organization’s security posture, because your team will know their roles and be prepared for multiple possibilities.

The National Institute of Standards and Technology’s (NIST) “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities” (SP 800-84) identifies two types of IT response plans, both vitally important to any organization:

  • Contingency plans: How will you recover and reconstitute IT systems in the event of a cyber incident? Contingency plans give you a roadmap for ensuring continual operations and business activities, as well as a strategy for disaster recovery.
  • Incident response plans: These plans detail how you’ll detect, report, and manage data security incidents.

Just like there’s no one solution to cybersecurity, there’s no one response plan that fits every organization and issue. Make sure your company’s IT response plan works for your business. It should be customized to meet the needs of your organization and your team—and be reviewed and updated regularly to ensure it still makes sense as compliance requirements change, and your environment evolves.

Although most comprehensive IR plans include some basic common elements, they aren’t “ready-to-wear” and require customization. The content and format of your plan should be designed to optimize usability and value for its intended audience. If you have multiple teams within your company preparing an IT plan, make sure they have guidance from your organization to ensure uniformity and completeness.

Cybersecurity Best Practice Tips for Incident Response Plans

Create your plan

Senior leadership, IT experts, emergency response personnel, and anyone else who will be needed in an incident should be involved in creating your plan, since they will all have a stake in its success. It’s also wise to include representatives from legal, public affairs, customer service, risk, compliance, human resources, and physical security in the planning process, as each of these departments will have a hand in responding to an incident.

Cover basic elements

NIST recommends that IR plans include three basic documents:

  • Policy: This document defines governance for IR. It generally includes scope, definitions of terms, and descriptions of roles and responsibilities in IR. It may also include descriptions of priority and severity ratings, performance measures, and reporting formats.
  • Plan: Here, the organization describes how it will respond in detail, laying out roles and responsibilities, and mechanisms for intra-organizational cooperation. It may also include a maturity/improvement process and tactical metrics for assessing IR capability and effectiveness.
  • Procedures: This part of the plan lays out standard operating procedures (SOPs) or playbooks—sometimes also called runbooks. It provides team members with a list of actions to take in sequential order—often in the form of checklists or battle drills. Procedures keep employees aware of organizational best practices for various types of IR, and they can be helpful for training new personnel and reeducating existing staff. Always keep the current version of these procedures available—and ensure they are accessible to employees even when the power goes out or network connectivity fails, which in practice means keeping a printed or offline copy that does not depend on the systems that may be affected by the incident.

Reinforce your plan

Organizations can keep their IR plan effective through regular testing, training, and exercises (TT&E).

Tests employ quantitative metrics to validate the IT systems or procedural elements listed in IT response plans. Tests of IT response plans usually result in some type of grade or score. Not all elements of IT response plans can be realistically tested, but everything that can be tested should be. NIST cites the example of testing a response plan’s telephonic call tree by measuring the time for its full execution against a pre-established metric. Tests are normally conducted after both training and exercises.
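To make the call-tree test concrete, the following added example (not code from the original post or from NIST SP 800-84) models a notification call tree as a graph, checks it for structural defects that a test would surface (people never called, people called twice, cycles, callers who are not on the roster), and computes the full-execution time as the critical path, since each caller works down their list one call at a time while branches proceed in parallel. The roster, tree shape, call durations and the 15-minute target are all constructed for illustration.

```python
"""Score a tabletop test of a notification call tree against a time metric.

Added example: not from the original post or NIST SP 800-84. The roster,
tree shape, call durations and target below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed call tree: caller -> ordered list of (callee, minutes the call takes).
# Each caller works the list top to bottom, so later callees are reached later.
CALL_TREE: Dict[str, List[Tuple[str, int]]] = {
    "ir_lead": [("ciso", 3), ("soc_manager", 2), ("legal_counsel", 5)],
    "ciso": [("ceo", 4)],
    "soc_manager": [("analyst_1", 2), ("analyst_2", 2), ("analyst_3", 2)],
    "legal_counsel": [("pr_lead", 4)],
}

# Constructed roster of everyone who must be notified. "hr_lead" is deliberately
# absent from the tree above to show how the check catches an incomplete plan.
ROSTER: Set[str] = {
    "ir_lead", "ciso", "ceo", "soc_manager", "analyst_1", "analyst_2",
    "analyst_3", "legal_counsel", "pr_lead", "hr_lead",
}

TARGET_MINUTES = 15  # constructed pre-established metric the test is scored against


def validate_call_tree(tree: Dict[str, List[Tuple[str, int]]], root: str,
                       roster: Set[str]) -> List[str]:
    """Return structural problems: people reached twice (duplicates or cycles),
    roster members nobody calls, and tree members missing from the roster."""
    problems: List[str] = []
    seen = {root}
    stack = [root]
    while stack:
        caller = stack.pop()
        for callee, _ in tree.get(caller, []):
            if callee in seen:
                problems.append(f"{callee} is reached twice (duplicate or cycle)")
                continue  # do not re-walk an already visited branch
            seen.add(callee)
            stack.append(callee)
    for person in sorted(roster - seen):
        problems.append(f"{person} is on the roster but never called")
    for person in sorted(seen - roster):
        problems.append(f"{person} is in the tree but not on the roster")
    return problems


def full_execution_minutes(tree: Dict[str, List[Tuple[str, int]]], root: str,
                           _path: Tuple[str, ...] = ()) -> int:
    """Critical path of the tree: callee k is reached only after calls 1..k-1
    complete, and a branch finishes when its slowest subtree finishes."""
    if root in _path:
        raise ValueError(f"cycle through {root}")
    elapsed = 0  # minutes since this caller started working their list
    finish = 0   # when the last person under this caller has been reached
    for callee, minutes in tree.get(root, []):
        elapsed += minutes
        subtree = full_execution_minutes(tree, callee, _path + (root,))
        finish = max(finish, elapsed + subtree)
    return finish


def evaluate_call_tree(tree: Dict[str, List[Tuple[str, int]]], root: str,
                       roster: Set[str], target_minutes: int) -> dict:
    """Combine the structural checks and the timing into a pass/fail result."""
    problems = validate_call_tree(tree, root, roster)
    try:
        minutes = full_execution_minutes(tree, root)
    except ValueError as exc:
        problems.append(str(exc))
        minutes = None
    passed = not problems and minutes <= target_minutes
    return {"problems": problems, "minutes": minutes, "passed": passed}


if __name__ == "__main__":
    result = evaluate_call_tree(CALL_TREE, "ir_lead", ROSTER, TARGET_MINUTES)
    print(f"full execution: {result['minutes']} min (target {TARGET_MINUTES})")
    for problem in result["problems"]:
        print(f"problem: {problem}")
    print("PASS" if result["passed"] else "FAIL")
```

Run against the constructed data, the tree completes in 14 minutes (the legal_counsel branch is the critical path: 3 + 2 + 5 minutes to reach legal counsel, then 4 more to reach the PR lead), which is inside the target, yet the test still fails because hr_lead is on the roster and nobody calls them. That is exactly the kind of finding a scored test is meant to produce before a real incident does.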

Regular training ensures all organizational personnel know their roles and responsibilities during an IT incident response. It also helps equip them with the knowledge, skills, and abilities required to fulfill those roles and responsibilities. Ideally, training should precede exercises, tests, and actual emergency implementation of IT response plans to ensure everyone is ready to go.

Simulation exercises provide your team with hands-on experience in managing a cybersecurity incident. Stage them regularly, to keep employees’ knowledge fresh, or after significant changes to your IT response plan. By holding exercises immediately after training, you can reinforce theoretical knowledge with practical experience.

The DHS Homeland Security Exercise and Evaluation Program (HSEEP) manual is a widely used standard for implementing the exercise lifecycle of design and development, conduct, evaluation, and improvement planning. The most important phases of the exercise lifecycle are arguably evaluation and improvement planning, as these should lead directly to tangible enhancements in emergency response readiness. Unlike tests, exercises are generally not scored. The evaluation phase of an exercise should focus on identifying strong and weak points in your plan, as well as lessons learned, rather than on the performance of the exercise participants. To encourage candid participation, exercises should be clearly distinguished from audits and other forms of assessment within an organization.

A critical part of your cybersecurity planning

A well-designed IT response plan can significantly enhance your organization’s readiness and resiliency, limiting the damage of a cybersecurity incident when one occurs. By creating a plan and regularly updating it, you demonstrate a level of due diligence that can reassure board members, regulatory agencies, and other stakeholders. A sound plan demonstrates that you are taking an active role in protecting customers, partners, and employees from the risk of cyberthreats.

Still, no IT response plan can work unless your people know about it. Educating your team about your plan, making sure they know the basics of it, and ensuring they know where to find it in an emergency is essential. Everyone—from C-level executives to junior staff—needs to be aware of the plan. However, not everyone should have direct and complete access to it, since these documents often contain confidential and proprietary information such as contact details, system inventories, and escalation thresholds.

No one expects a cybersecurity incident, but every organization has at least some level of risk. Planning can’t always prevent incidents, but it can make handling one much easier—and provide peace of mind to your organization, employees, customers, and everyone else who depends on your cybersecurity.
