Key elements of an effective incident response playbook

Organizations, regardless of their size, are being subjected to cyberattacks. With these attacks becoming increasingly sophisticated, it is imperative that organizations have an incident response playbook in place.

"An incident response playbook is critical to ensure that your response to a cybersecurity incident is in line with your company values," said Bryce Austin, cybersecurity expert and CEO at TCE Strategy.

But stopping at crafting the incident response plan isn't enough; it needs to be periodically tested, reviewed and updated, Austin mentions in his book, Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.

Austin pointed to Equifax's breach response as an example: A website designed to provide breach victims instructions on what to do was permeated with vulnerabilities, a terms and conditions list prevented victims of the breach from suing the company, and, more recently, their CIO was indicted for insider trading, he said.

"A strong, tested incident response playbook would have prevented all of these huge missteps from taking place. It would have included a tested plan for a website presence large enough to handle the anticipated traffic, a terms and conditions list that was appropriate for the victims of a data breach, and a mandatory freeze on all stock sales by executives of the company."

In chapter 11, titled "What is my playbook if I have a cybersecurity incident?", Austin dives into explaining the perils of not having an incident response playbook, and why its development should get input from the CEO, CISO, chief legal counsel and other senior leaders to better respond to an incident. He also explains why the cybersecurity playbook should be owned by a nontechnical member of the executive team.

In the excerpt below, he lists the key tenets of an effective incident response playbook.

An incident response playbook needs several key elements to be effective. It must:

• Identify who in your organization has the authority to declare a cybersecurity incident. Who can initiate the playbook?
• Spell out how much money that person can authorize to be spent to have an incident investigated or remediated.
• Have a list of the types of scenarios that it is designed to cover. Examples include the loss of sensitive data, a ransomware attack, the loss of a critical system, natural disasters, law enforcement contacting your organization about a warrant or subpoena, and the loss of the use of one or more of your sites due to a natural disaster or because of other issues (such as a crime taking place in the building and the police barring your employees from entering the premises).
• Have a call tree that includes which people or groups to call when an incident takes place.
• Define the people or groups responsible for making the decision on when to bring in law enforcement.
• List the people authorized to speak to the media about a cybersecurity incident, and what those who are not authorized to speak to the media should say if they are approached by a reporter.
• List all of your critical systems, the location of the data in those critical systems, and the location of the backups of the data for those systems.
• Outline your general incident-response process. While every scenario is different, this process normally follows these steps: preparation, detection/analysis, containment, eradication, recovery, incident closure/root-cause analysis, and preventative measures.
• Be reviewed on a frequent basis. These plans get stale quickly, and need to be reviewed whenever a significant change in your organization takes place.

Reprinted with permission of the publisher. To read more about crafting an incident response playbook, download/read the full chapter.