Essential Components of a Cyber Incident Response Plan Template
Date: 22 May 2020
A cyber incident response plan is a straightforward document that helps you effectively and efficiently respond to and manage cybersecurity incidents.
It outlines the incident response process to be followed in the event of a cybersecurity event, such as a data breach, malware attack, or network intrusion. The main objective of a cyber incident response plan is to pre-define the incident handling steps to be taken in an attack situation.
This greatly helps in managing chaos, minimising the impact of the incident, mitigating potential damage, and restoring critical operations as quickly as possible.
We have created an optimised cyber incident response plan template for you to download along with some guidance on how to fill it in and how to make it personal to your organisation.
Before you download our security incident response plan template, please take a moment and read our guidance on the components of an effective cyber response plan.
As specialists in cyber incident response and information security crisis management, and as creators of the leading NCSC Assured Training in Cyber Incident Planning & Response, we base the advice in this blog on years of experience in training, consultancy and hands-on incident management.
Read this before downloading our Cyber Incident Response Plan Template
To condense all those years of experience into a few sentences: most cyber incident response plans and cyber incident response plan templates are simply UNFIT for purpose. The response procedures hardly ever prepare the organisation for the cyber security incident, data breach or ransomware attack that is actually likely to happen to it. That is usually because many templates are:
- Not Specific: Many, if not the majority, of IT incident response plan templates are not written for any specific organisation or sector. They are chock-full of unnecessary jargon and diagrams of boxes and circles designed to impress security teams with their apparent comprehensiveness.
They don't address your organisation-specific systems, processes and procedures. They usually don't talk about the incident response team’s and executive team’s roles and responsibilities for when a security breach or incident occurs.
- Complex: From our client reviews and experience we can safely say that most cyber incident response plans are too lengthy and complex and too much attention is given to acronyms, appendixes and other useless artefacts.
Complex processes and procedures are baked into the plan or the cyber incident response template and little attention is actually given to the cyber-attack scenarios that will impact the business. (We cover scenarios and how to create scenarios in our UK Government's NCSC Assured Training in Cyber Incident Planning & Response).
- Ineffective: Following on from the observations above, we propose that many cyber incident response plans and cyber incident response plan templates are ineffective and unfit for purpose. They rarely help you achieve the kind of long-term business continuity you would aspire to.
These documents are of little or no use when you are in the crosshairs of a cyber criminal and under fire from multiple sides. Trust us: a 100-page document with numbered images, labelled tables and complex, designed-to-impress process workflows is practically useless when you are in the eye of the storm.
Simplify your Cyber Incident Response Plans
So what is the solution if most response plans and security incident response templates are inadequate? Put simply, follow the KIS principle (we avoid saying KISS for obvious reasons!).
“Any darn fool can make something complex; it takes a genius to make something simple.” ― Pete Seeger
At Cyber Management Alliance Ltd, we pride ourselves in making the complex topic of cybersecurity simple.
When it comes to cyber incident management, we work with our clients on multiple fronts including offering trusted cybersecurity consultancy and helping them produce a series of documents on cyber resiliency strategies, cyber crisis plans and cyber incident response plans.
So, keep it simple. Here are some things we keep in mind when creating plans for cyber incident response. We suggest you do the same.
- Scenarios: First and foremost, focus on the scenario(s) or type of incident that will cause the biggest impact to your business. We cover this in our Cyber Incident Planning & Response and Building & Optimising Incident Response Playbooks training and workshops.
- Ditch the length: Your cybersecurity incident response plan does not have to be 50 or 100 pages in length. It should tell you how to respond to an incident, and that’s it. Please repeat this sentence again and again. Repetition is key to education. A 5-page plan could be sufficient.
- The Wrong Moniker: We will be upfront with you. The word "plan" is, in our opinion, the wrong word. Words matter; otherwise humans would not need to speak at all.
- Playbooks: Instead of creating one single cyber incident response plan, we prefer to create incident response playbooks. Before you do that, work on creating organisation-specific scenarios.
You can also check out our specific Ransomware Checklist and Ransomware Response Checklist. While the former helps you prepare for a ransomware attack, the latter is a quick reference guide on what to do once you've been attacked.
- Processes and procedures: This is where it gets interesting. We must make it clear that we are not advocating that you don't create any documents.
On the contrary, we insist that you focus on having a solid set of processes and procedures for activities including, but not limited to, (1) backing up and restoring critical systems, (2) rebuilding critical servers and (3) completely rebuilding your Active Directory (the heart of the digital business).
We have created this visual Ransomware Response Workflow, for example, which gives you a good idea of how we think a response plan should look: crisp and to the point.
Last, but Not Least - Food
Don't forget to include (in the document) key contact details for pizza and other takeaway food. In quarantine situations (like COVID-19), consider pre-authorising the purchase of food up to a certain daily limit per member of staff. This is important to keep those dealing with an attack going through the long hours required to contain and eradicate it.
If you still feel unsure of your internal capability to work with an Incident Response Plan template and customise it, feel free to reach out to our Virtual Cyber Assistants.
In the most cost-effective way possible, our remote cybersecurity experts will help you create and/or review and refresh your cyber incident response plans and cybersecurity policy documents.
They can also assist you in assessing your existing cybersecurity posture with the right audits and assessments. You can then work on the existing gaps in your technology infrastructure and your overall cyber attack or breach readiness.