Why Your Incident Response Plan Needs Rules
By Seth Jaffe.
Over the holidays, we dusted off some board games for a little family fun. One of the things that struck me was the frequency with which players consulted the game rules. The more complicated the game, of course, the more folks scoured the rule guide. This got me thinking about incident response, which by its very nature is remarkably complex. So why, then, don’t incident response plans highlight the rules?
As I argued for procedures, rules should be broken out of the overarching incident response policy document into a document of their own. NASA has done this to great effect: flight controllers keep the flight rules at the ready in Mission Control rather than buried in a larger plan.
The concept is fairly straightforward: memorialize relevant decisions in a self-contained booklet, numbered for reference, each with an easy to understand rationale. But let's back up a second. In the scope of incident response, what is a rule? Any operating decision made by an authority, such as the incident response steering committee, is a candidate for a rule in the IR plan. Consider the following excerpt from a rule on partnering with law enforcement:
1.10(d) – NO COMPANY HARDWARE WILL BE TAKEN INTO CUSTODY BY LAW ENFORCEMENT UNTIL INFOSEC IS CONSULTED AND AN IMAGE OF THE DEVICE IS MADE
Loss of access to a COMPANY device may impede internal forensic investigation. Therefore, an image of any device should be made prior to loss of access. Consult legal counsel before arranging transfer of any such hardware or devices. [XXXXXX-XXXX reference states where it came from and when it was last updated]
The rule itself is stated in block letters, followed by its rationale in italics, and rounded out with a reference marker that tells the reader where and when the rule was created and by whom.
Capturing these decisions in a self-contained document lets incident response team members quickly look up the relevant directive, determine where it came from and what it applies to, and convey it accurately to other disciplines. The last-updated date on the reference marker also tells the team when a rule was last revisited, so a stale rule can be flagged for re-approval by the steering committee instead of being followed on autopilot.
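A rule booklet in this layout is regular enough to be checked mechanically. The script below is an added example, not code from the original post: it parses a constructed sample booklet written in the format above (numbered rule in block letters, rationale, bracketed reference marker) and reports rules that have no reference marker, no rationale, or a last-updated date older than a review window. The marker layout `[SOURCE-ID origin, YYYY-MM-DD]`, the sample rules and the 365-day review window are assumptions made for the example.

```python
"""Parse an IR rule booklet and audit it for missing references, missing
rationale and overdue review dates.

Added example; the sample booklet below, the reference-marker layout
"[SOURCE-ID origin, YYYY-MM-DD]" and the review window are assumptions,
not part of the original post.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Rule line: numbered id, an en dash or hyphen, then the directive in block letters.
RULE_RE = re.compile(r"^(?P<id>\d+\.\d+(?:\([a-z]\))?)\s*[–-]\s*(?P<text>[A-Z0-9 ,.'/()-]+)$")
# Reference marker at the end of a rationale line (assumed layout).
REF_RE = re.compile(
    r"\[(?P<src>[A-Z]+-\d{4}-\d{3})\s+(?P<origin>[^,\]]+),\s*(?P<date>\d{4}-\d{2}-\d{2})\]\s*$"
)

# Constructed sample booklet (not the post's booklet); the third rule is
# deliberately incomplete so the audit has something to report.
BOOKLET = """\
Incident Response Rules (constructed sample)

1.10(d) – NO COMPANY HARDWARE WILL BE TAKEN INTO CUSTODY BY LAW ENFORCEMENT UNTIL INFOSEC IS CONSULTED AND AN IMAGE OF THE DEVICE IS MADE
Loss of access to a COMPANY device may impede internal forensic investigation.
Consult legal counsel before arranging transfer of any such hardware or devices. [IRSC-2023-014 IR Steering Committee, 2023-06-12]

2.3(a) – THE INCIDENT COMMANDER APPROVES ALL EXTERNAL NOTIFICATIONS
External statements made before containment can tip off an attacker. [IRSC-2021-007 IR Steering Committee, 2021-02-01]

2.4(b) – NO PRODUCTION HOST IS REBOOTED BEFORE VOLATILE MEMORY IS CAPTURED
"""


@dataclass
class Rule:
    rule_id: str
    directive: str
    rationale: str
    source: Optional[str]
    origin: Optional[str]
    updated: Optional[date]


def parse_booklet(text: str) -> List[Rule]:
    """Split the booklet into Rule records; text before the first rule is ignored."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            current = Rule(m["id"], m["text"].strip(), "", None, None, None)
            rules.append(current)
            continue
        if current is None:
            continue  # preamble before the first numbered rule
        ref = REF_RE.search(line)
        if ref:
            current.source = ref["src"]
            current.origin = ref["origin"].strip()
            current.updated = date.fromisoformat(ref["date"])
            line = line[: ref.start()].rstrip()
        if line:
            current.rationale = (current.rationale + " " + line).strip()
    return rules


def audit(rules: List[Rule], today: date, review_days: int = 365) -> List[Tuple[str, str]]:
    """Return (rule_id, problem) pairs for rules a reviewer should look at."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.source is None or r.updated is None:
            findings.append((r.rule_id, "missing reference marker"))
        elif today - r.updated > timedelta(days=review_days):
            findings.append((r.rule_id, f"last updated {r.updated}, review overdue"))
        if not r.rationale:
            findings.append((r.rule_id, "no rationale"))
    return findings


def check_booklet(text: str, today_iso: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse then audit as of the given ISO date."""
    return audit(parse_booklet(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rule_id, problem in check_booklet(BOOKLET, "2024-01-15"):
        print(f"{rule_id}: {problem}")
```

Run against the sample as of 2024-01-15, the audit passes rule 1.10(d), flags 2.3(a) as overdue for review, and flags 2.4(b) for having neither a rationale nor a reference marker. Keeping the booklet in version control and running a check like this in CI means a rule cannot quietly lose its provenance or outlive its last approval.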