Why Your Incident Response Plan Needs Procedures
By Seth Jaffe.
When I’m boarding an aircraft, I always glance in the cockpit to see the dials, switches, and flight crew. The captain and first officer do not have time to say hello, however, because they are running through their pre-flight checklists. It is something they do up to five times per day for roughly 200-260 days per year. Certainly, by now, they have everything memorized, so why, then, do they continue to run the checklists?
Because airlines and the FAA recognize that without the checklists, accidents are more likely. Consider, for example, the loss of a Gulfstream IV, which overran the end of a runway. The NTSB concluded that the cause was the flight crewmembers’ failure to perform the flight control check before takeoff; in skipping it, they left the gust lock system engaged. Preventable, with the checklist.
Now consider any given incident response team. Not only do they not handle incidents five times a day for most of the year; for most team members, incident response is a secondary or tertiary role. So how can we expect them to respond properly to an incident without any checklists?
I’ve written previously about the importance of making your incident response plan “executable.” The first step is to collate the actions into a concise document that each discipline can execute. Checklists are a good start, though I prefer procedures, which also capture timing and sequence (numbered steps).
The benefits of procedures are numerous. Ideally, they are numbered, so that team members can easily reference a given procedure, and each step can reference ancillary documents, such as rules, repositories, or even other procedures. Furthermore, each discipline has its own book of procedures, which it maintains. This ensures the procedures are controlled by the applicable authority, and it also reduces the workload of the group in charge of the overarching plan (usually the infosec group). Procedures make great training documents as well.
If you have ever had a deer-in-the-headlights moment (and we all have), then you will appreciate the last benefit I will mention in this post, that of a veritable security blanket. Even if you don’t know what to do when staring down the barrel of an incident, take a deep breath, recognize that you have a procedure for this, find it, and start at step one.
Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.