Execution from the Plan

LEO’s incident response framework is built upon four pillars: Procedures, Rules, Communication Protocols, and Software.

In fashioning a written incident response plan, care should be taken to tailor it for use during an actual incident. Long, unwieldy plans beget confusion and, ultimately, lack of adoption by the incident response team members. LEO’s incident response framework is different, breaking down the plan into a network of targeted Procedures, Rules, and Communication Protocols to facilitate seamless collaboration between incident response disciplines.

For many companies, an incident response plan satisfies a compliance requirement. But the underlying purpose of a plan is to guide a team through the response to an incident. In surveying the sufficiency of a plan, the first question management should ask is “can we effectively execute from this plan?” Can a team member, trained or untrained, come into a situation and, armed with only the plan, be able to meet his/her obligations, on time and without mistake, in the face of a serious incident?

LEO recognizes the gravity of that question. It was likely the same challenge facing our nation’s space pioneers back in the late fifties. NASA knew that the young engineers in Mission Control did not have time to fumble through a 50 page document looking for the correct action. For this reason, NASA took a different path in the formulation of its response framework. And so has LEO with incident response.


To LEO’s IR experts, basic checklists are a step in the right direction, but they lack a number of core fundamentals. Procedures, by contrast, are compartmentalized, targeted, time-dependent, interrelated action lists. Let’s break down each of those for better understanding.


No single document can effectively contain all of the policies and actions for the entire incident response team. As a company’s operations become more complex, so too does the response to a cyber incident. LEO’s incident response framework breaks out action lists by focus and by discipline, thereby advancing a number of team goals:

1) Enumerate and clarify, step by step, the task(s) at hand
2) Separate steps into a manageable document by overarching goal
3) Identify the responsible party or parties
4) Install decision hold points
5) Provide reporting reminders

Collation of actionable steps into a separate procedure document streamlines the response and provides a veritable comfort blanket for team members facing stressful situations.


Incident response plans taking the form of policy documents are well suited for consumption by the general population of employees, but incident response team members may experience difficulty in executing from a policy document. First, the policy document and even the sections therein are not tailored for the specific discipline. Second, conventional incident response plans are generally maintained by the Information Security or Information Technology team, alienating the other disciplines. Breaking out procedures from the overarching policy document puts the execution guides in the hands of those who will be responsible for taking action during an incident. LEO’s incident response framework builds individual procedure sets for each discipline, which provides for a number of benefits to the team:

1) Collates all actionable steps into one set of documents for a specific discipline
2) Allows a discipline to own and update its action lists
3) Reduces workload on the IS/IT discipline because it does not have to update the plan as often
4) Orchestrates a timely refresher of discipline duties in the face of an incident

By building unique procedures for each discipline, team members are more apt to take ownership of their own action lists, which results in better mastery of discipline duties during an incident. It also promotes a faster update cycle, as well as facilitates more efficient training.


With breach laws setting notification time limits (often 30 days but, for certain industries, as short as two business days), incident response teams must be prepared to react in a time-sensitive manner. General incident response policy documents lack the fidelity to streamline the response. Even checklists fail to give the team member insight into whether one action must occur before another. LEO’s incident response framework advocates step-by-step procedures, which have a number of advantages:

1) Offers actionable guidance to the team members
2) Anticipates subsequent actions, allowing a team member to prepare
3) Identifies as-needed reference materials for quick look up


Efficient coordination requires more than just vocal communication. A good incident response plan features interrelated procedures, such that each team member can intuit the actions of the others. LEO’s incident response framework goes one step further by cross-referencing steps between individual procedures, thereby allowing disciplines to better structure interdisciplinary actions.

1) Provide a cross-reference to procedures and steps of other responsible disciplines
2) Provide a cross-reference to rules and other relevant documents
3) Serve as a training guide for specific departmental team members


Most conventional incident response plans include certain directives meant to promote behavior, curb practices, or prevent mistakes. Oftentimes, however, these directives are lost within a lengthy document and are missed or forgotten right at the time they are needed, namely during an incident. LEO’s incident response framework pulls these directives out of the overarching policy document in favor of a self-contained rules book. Doing so furthers a number of incident response best practices:

1) Serves as a central repository of applicable directives
2) Categorizes directives based on discipline, company goals/strategies, or time-sensitive actions
3) Provides a system for team members to easily reference and communicate directives
4) Offers rationale for each directive
5) Memorializes authoritative body for directive
6) Identifies responsible discipline for independent rules
7) Facilitates a more efficient and timely update process

Individualized incident response rules better convey executive guidance to team members, and provide a way for the incident response team to communicate these directives among themselves, and to build upon them in procedures and through communication protocols. During an incident, the highlight of a rule number instantly draws the team’s attention to a particular directive, allowing for the communication of a great deal of information with very little time spent in its conveyance.