Writing effective cyber incident response plans
How to assess and improve your cyber incident response plans
One of the biggest predictors of an organisation’s response to a cyber security incident is the quality of its cyber incident response plan. An effective plan can be a guide-rail for an experienced team, and a lifeline to the less experienced. This blog summarises some top tips for writing effective cyber incident response plans, to help ensure an effective response.
Before I begin, it’s worth noting that a “plan” often means one thing to one organisation (or even team), and a very different thing to another. Here, I’m referring to a document used by the IT Security or Cyber Security function that documents what to do (but not how to do it) in the event of a generic cyber security incident. This document might sit underneath a policy providing high-level compliance requirements, and will typically be supported by runbooks and knowledge articles providing more in-depth detail on specific tasks or scenarios.
When creating a cyber incident response plan the two (often opposing) objectives are completeness and usability — these are also the objectives I look to assess a good plan against. This article deals with each of the two in turn.
Completeness: What should an effective incident response plan contain?
A good cyber incident response plan must be complete: it tells the audience what they need to know, so they can fulfil the objective of the plan. With the overarching caveat that an incident response plan will vary from one organisation to another, the key components of an effective incident response plan that make it complete are:
Cyber incidents can mean different things to different people. A good cyber incident response plan will clearly define the scope of the plan: when should it be used, and by who? Is the plan used for all IT security incidents, for example, lost laptops? What about information security incidents, for example, lost papers? Is the plan written for the IT team or SOC, or is it broader than that? A scope statement makes this clear.
Organisations are usually drowning in paperwork and finding the right document can be a struggle. A good cyber incident response plan will provide a list of other relevant documentation, provide a link, and state why this is relevant. For example, the cyber incident response plan might align to the overarching IT incident or crisis response plans — this should be explained, referenced, and linked.
The response to an incident is usually a high-pressure situation with multiple conflicting demands on people’s time with a requirement for quick and effective decision making. However, incidents are varied and complex enough that not every decision can be pre-considered and an optimal choice documented.
A good cyber incident response plan will guide responders in prioritising their time and provide a framework for decision-making, by providing a set of overarching response principles. These response principles define what is important when responding to cyber incidents: is the priority IT service availability, protecting sensitive data, minimising operational disruption, or something else?
Command and control
A key question (that many organisations fail to answer) during cyber security incidents is “who’s in charge?”. A good cyber incident response plan will clearly define who exerts command and control in an incident, what their authority is, when they need to seek higher approval, and what mechanisms that command and control is exerted through.
This is often tied to the priority or severity level of the incident: a low priority incident may be controlled internally by the SOC, whereas a critical priority incident may be controlled by the Head of IT or CIO (or higher).
Role and responsibilities
Cyber incident response is fundamentally multi-disciplinary and requires input from teams across the organisation: IT, cyber security, legal counsel, PR, finance, and the executive. A good cyber incident response plan will clearly define those likely to be involved in the response to cyber incidents, and their responsibilities. This helps ensure clear accountability and responsibility, and avoids (or at least minimises) “turf wars”.
End-to-end response guidance
Cyber incident response can be long and complex, and there are a multitude of considerations at all stages, from preparation, to detection, analysis, response, and recovery. A good cyber incident response plan will provide clear guidance on the steps to be taken throughout the end-to-end response process.
This should also make clear what is mandatory, what is recommended, and what is optional — this can be achieved by using language such as “must”, “should”, and “may” as defined in RFC 2119.
Legal and regulatory considerations
Cyber security incidents involve increasingly complex legal and regulatory considerations; these vary depending on the nature of the organisation, the nature of the incident, and the nature of the impact.
While it shouldn’t go into detail, a good cyber incident response plan should introduce key legal and regulatory considerations and highlight when legal counsel should be involved.
For example, this might be by defining escalation triggers such as “if the confidentiality or integrity of any personal data is suspected to have be compromised, then the legal team should be immediately contacted for guidance”.
Usability: What does an effective incident response plan look like?
While a good cyber incident plan will be complete, it must also be usable. Many cyber incident response plans focus solely on completeness, and the end result is a document that will never be used.
- Is it clearly written? A good cyber incident response plan is easily understood by readers, both in advance of and during an incident. It should have clear and simple writing, accompanied by graphics where needed, to enable this understanding.
- Is it well-formatted? As above, a good cyber incident response plan is easily understood. Clear content goes some of the way to achieving this, but clear and effective formatting can enhance, or detract from, clear writing. Ensure that the text is of a readable font/size and split into short paragraphs, highlight key content (for example, using bold emphasis or call-out boxes), and use lists for added clarity.
- Is it well structured and signposted? It’s unlikely that anyone will sit down and read the document end-to-end in the event of an incident, so a good cyber incident response plan should make it easy to find key content. It should have a clear structure with key content signposted; this can be as simple as logical headings and a table of contents, and can be supplemented with a “quick reference” on the front cover with page references to key content useful for live incidents.
- Is it an appropriate length? It’s no use having a 900-page plan documenting every single eventuality and consideration in detail. Similarly, one page probably isn’t enough. A good cyber incident plan should be of a length that provides appropriate detail to enable usability. It should make use of appendices (for example, for additional information on specific areas, templates, and contact lists) and other “child” documents.