How to create an effective incident response plan
“In my experience, the key to effective recovery is treating your incident response plans as living, mental playbooks rather than static documents, and regularly stress testing your assumptions,” General Bank of Canada’s Ennamli says. “The pivot is moving beyond theoretical planning to practical, tested steps that have been proven to work under pressure.”
Following any security incident, enterprise IR and BC teams need to conduct reviews to see how well plans were executed and where improvements can be made.
“Recovery from an incident [and] exercises of the incident response program must be followed by a disciplined lessons-learned effort,” Protiviti’s Taylor says. “These are commonly referred to as after-action reviews [AARs], post-incident reviews [PIRs], hotwashes, or debriefs. Regardless of label, a disciplined and documented approach of managing both positives and [negatives] post-incident is paramount to continuous improvement.”
Stress simplicity and modularity wherever possible
Although the threat landscape is complex, IR and BC strategies don’t need to be. Sometimes, simpler is better.
“We typically see organizations craft numerous, hundred-page binders for their emergency plans, one for incident response, another for business continuity, another for disaster recovery, etc.,” Wawa’s Kates says. “Most of these plans have significant overlap and are just copied templates they have found online.”
Instead of creating separate, cumbersome plans for each type of incident, Kates has adopted a modular, “playbook” approach.
“You can develop a few hazard-specific playbooks — ransomware, power outage, severe weather — that can plug and play common functions of incident response [such as] communication, situation assessment, business process workarounds,” Kates says.
This approach allows teams to activate and combine relevant plays based on an incident’s nature, creating a more useful plan, Kates says.
“I’ve found it’s also far simpler than maintaining multiple large plans, ensuring information remains current,” he says. “Playbooks include checklists and decision trees to guide responders through complex procedures, reducing cognitive overload during a crisis.”