Cyber incident response playbook guidance

This playbook guidance provides organisations with five high-level practical tips in preparing for a cyber incident and developing a response plan that enables staff to take immediate action.

What is a playbook?

A playbook is a detailed cyber incident response plan, which should focus on specific incident types such as phishing emails; ransomware; and website distributed denial of service attack, etc. Based on the top 3-5 high-risk incidents to an organisation, a playbook should specify who to contact, how to triage an incident; provide guidance on reducing impact; and steps on retaining evidence or data if required.

1. Identify your top 3-5 most likely incidents

Start by identifying the top 3-5 most likely and high-risk incident types to your organisation. For example, if you are reliant on your website for customer orders and payments, a distributed denial of service attack could take your website offline for a number of hours potentially impacting customer sales orders.

2. List who to contact

Clarify who the key cyber incident response contacts are including; technical teams; external suppliers; senior management; legal, HR, and communications, etc. Ensure roles and responsibilities are documented and understood. Ensure your technology teams are clear on how to triage the incident. Clearly identify which individuals have the authority to take critical response actions. Document how to contact team members 24/7, designate an alternate for key roles, and outline a rhythm for how and when the team will convene and deliver updates.

3. Understand the systems and environment

Document where network, applications and systems diagrams, logs, and inventories are kept and maintained. Document access credentials and procedures for removing access or providing temporary access to key members of the incident response team.

4. Document the response procedures

Document response procedures for investigation and documentation, incident containment actions for various types of attacks, and procedures for cleaning and restoring systems. Procedures should be carefully followed to prevent the expansion of an event, mitigate its effects, and resolve the incident. Preservation of evidence and recording of actions taken may require engagement with Legal and law enforcement if there is a decision to undertake legal proceedings.

5. Develop strategic communication procedures for cyber incidents

Identify what information to communicate to key stakeholders and when, and what type of cyber incidents warrant internal communication with employees and public communication with customers, regulators, insurance providers and the media. Develop key messages and incident notification templates in advance.

Treat your incident response plan like your fire drills, run scenarios to test that the plan, roles and key players in the organisation are clear on the steps to take in the event of a cyber-attack.

Got a question? Just get in touch

Join our mailing list

We have insights into developments that affect your business. We can provide you with unique perspectives and thoughtful solutions so you can meet new challenges and seize opportunities.

Subscribe here

Risk consulting news