How to Create a Cyber Security Incident Response Plan

The best cyber security incident is no cyber security incident at all. However, the chances of suffering a cyber security incident are high, so it’s important to have a cyber security incident response plan in place for an effective recovery. 

Dealing with a cyber security incident is stressful, and when people are stressed they don’t tend to make the best decisions. Even experienced IT pros may find themselves being driven by emotion rather than rational thinking when faced with a cyber security incident. Conversely, cyber security incident response plans are created when things are relatively calm, thereby allowing IT pros to carefully consider their course of action. Having a well-documented cyber security incident response plan to follow in times of crisis can help to ensure that the IT staff makes the right decisions when they matter most.

The first step in formulating a cyber security  incident response plan is to meet with all of the key stakeholders in your organization. This helps to ensure that the resulting plan addresses everyone’s needs. Indeed, you will likely find that business stakeholders’ perspectives and priorities are very different than those of the IT staff. Taking into account all of this insight will enable the formulation of a plan that is based on operational requirements, as well as legal, regulatory and other obligations.

Involving key stakeholders in your plans can also help to give the IT staff a bit of cover in the event that a cyber security incident does occur. After all, the steps that the IT team will follow when resolving the incident are documented in a plan that the stakeholders were actively involved in creating, and have signed off on.

Once the IT team has committed to creating a cyber security incident response plan, it can sometimes be difficult to figure out where to start.

One of the best options for getting started is to download an incident response plan template. There are many templates available, including a comprehensive document from NIST. Such a template can make it easier to get started with creating a cyber security incident response plan, but it’s likely that the template will not fully meet your specific organization’s needs. Use the portions of the template that make sense, and then add or remove sections based on the organization’s unique requirements.

Another thing to keep in mind as you formulate a cyber security incident response plan is that it may be better to create a collection of smaller plans geared toward various types of incidents, rather than trying to create one monolithic document. For example, you might create one plan for dealing with a ransomware attack and another plan for dealing with an insider security breach.

Creating a dossier of smaller incident response documents accomplishes two things.

First, it helps make the task of creating the plan feel a little less overwhelming. Second, creating a separate document for each type of incident increases the likelihood that the plan for each type of incident will be comprehensive. I have seen real-world examples of cyber security incident response plans that include extensive documentation for some types of incidents, but barely mention other incident types. Granted, not every type of cyber security incident warrants its own plan, it’s important to specifically plan for incident types that are the most threatening, potentially damaging and/or the most likely to hit your organization.

Second, having a separate plan for separate types of cyber security incidents--rather than a monolithic document for all incident types--will make it faster and more efficient to deal with the incident. With that said, even these individual documents can become quite lengthy. As such, it’s a good idea to create a checklist for each type of security incident. The checklist can act as a document summary, providing the IT staff with a high-level overview of the steps that need to be performed in the recovery process. You might even consider augmenting the checklist with page numbers so that the IT team knows exactly where to look to find more detailed information on each checklist item.

One of the most important things to remember when creating a cyber security incident response plan is that the plan is never complete. Your organization, technology and the threat landscape will all evolve over time. Ransomware that exists today, for example, barely resembles the ransomware from 10 years ago. A cyber security incident response plan is useful only if it is kept up to date, so you also need a plan for periodically reviewing and revising your security incident response plan.

Finally, as you work to create a cyber security incident response plan--or a collection of security response plans--it’s a good idea to draw on the experience of others. Using one of the affirmation templates is a great starting point, but I also recommend referring to the SANS Institute’s Incident Handler’s Handbook as you develop your plans. The Incident Handler’s Handbook is an older document, but it contains a wealth of information that will surely prove invaluable as you formulate your organization’s cyber security incident response plan documents.