Essential Components of a Cyber Incident Response Plan Template
Date: 22 May 2020
We have created an optimised cyber incident response plan template for you to download along with some guidance on how to fill it in and how to make it personal to your organisation.
As specialists in cyber incident response and information security crisis management, and creators of the leading Cyber Incident Planning & Response training certified by the UK Government's NCSC, we have drawn the advice in this blog from years of experience in training, consultancy and hands-on cyber incident management.
Read this before downloading our cyber incident response plan template doc
To condense all those years of experience into a few sentences: most cyber incident response plans and cyber incident response plan templates are simply UNFIT for purpose. Their response procedures hardly ever prepare the organisation for the cyber security incident, data breach or ransomware attack that is actually likely to happen to it. That is usually because many templates are:
- Not Specific: Many, if not the majority, of IT incident response plan templates are not written for any specific organisation or sector. They are chock-full of unnecessary jargon and diagrams of boxes and circles designed to impress security teams with their comprehensiveness.
They don't address your organisation's specific systems, processes and procedures. They usually say nothing about the incident response team's and executive team's roles and responsibilities for when a security breach or incident occurs.
- Complex: From our client reviews and experience we can safely say that most cyber incident response plans are too lengthy and complex, with far too much attention given to acronyms, appendices and other useless artefacts.
Complex processes and procedures are baked into the plan or the cyber incident response template and little attention is actually given to the cyber-attack scenarios that will impact the business. (We cover scenarios and how to create scenarios in our UK Government NCSC-Certified Cyber Incident Planning & Response training).
- Ineffective: Following on from the observations above, we propose that many cyber incident response plans and/or cyber incident response plan templates are ineffective and unfit-for-purpose.
These documents are of little or no use when you are in the crosshairs of a cyber criminal and under fire from multiple sides. Trust us, a 100-page document with numbered images, labelled tables and complex, designed-to-impress process workflows is practically useless when you are in the eye of the storm.
Simplify your Cyber Incident Response Plans
So what is the solution if most response plans and security incident response templates are inadequate? Put simply, follow the KIS principle (we avoid saying KISS for obvious reasons!).
“Any darn fool can make something complex; it takes a genius to make something simple.” ― Pete Seeger
At Cyber Management Alliance Ltd, we pride ourselves in making the complex topic of cybersecurity simple.
When it comes to cyber incident management, we work with our clients on multiple fronts including offering trusted cybersecurity consultancy and helping them produce a series of documents on cyber resiliency strategies, cyber crisis plans and cyber incident response plans.
So, keep it simple. Here are some things we keep in mind when creating plans for cyber incident response. We suggest you do the same.
- Scenarios: First and foremost, focus on the scenario(s) that will cause the biggest impact to your business. We cover this in our Cyber Incident Planning & Response and Building & Optimising Incident Response Playbooks training and workshops.
- Ditch the length: Your cybersecurity incident response plan does not have to be 50 or 100 pages in length. Please repeat this sentence again and again. Repetition is key to education. A 5-page plan could be sufficient.
- The Wrong Moniker: We will be upfront with you. The word "plan" is, in our opinion, the wrong word. Words matter, otherwise humans wouldn't need to speak at all. "Plan" is the wrong word.
- Playbooks: Instead of creating one single cyber incident response plan, we prefer to create incident response playbooks. Before you do that, work on creating organisation-specific scenarios.
You can also check out our specific Ransomware Checklist and Ransomware Response Checklist. While the former helps you prepare for a ransomware attack, the latter is a quick reference guide on what to do once you've been attacked.
- Processes and procedures: This is where it gets interesting. We must make it clear that we are not advocating that you don't create any documents.
On the contrary, we insist that you must focus on having a solid set of processes and procedures for activities including, but not limited to: (1) backing up and restoring critical systems, (2) rebuilding critical servers and (3) completely rebuilding your Active Directory (also known as the heart of the digital business).
We have created this visual Ransomware Response Workflow, for example, which will give you a good idea of exactly how we think a response plan should look - crisp and to the point.
Last, but Not Least - Food
Don't forget to include (in the document) key contact details for pizza and other takeaway food. In quarantine situations (like COVID-19) consider pre-authorising the purchase of food up to a certain daily limit per individual member of staff. This is important to keep those dealing with an attack going and working the endless hours required to contain and eradicate