How to Create an Incident Response Playbook

Processes are often overlooked when it comes to incident response budgeting. It is important to have funds to develop and maintain documented procedures for handling common situations.

For example, a university should have processes and procedures in place for communicating about incidents, including reporting data breaches and interacting with affected parties, sharing information about incidents with other universities, and coordinating with law enforcement agencies where appropriate.

Universities rely on playbooks to guide their responders in emergency situations, which helps ensure that incidents are handled consistently and correctly.

Most technologies that are useful for incident response also serve other purposes, so they may not be covered specifically by the incident response budget. Examples of such technologies are:

  • Continuous monitoring of networks and systems
  • Centralized logging and log analysis with automatic reporting of suspicious activity
  • Network security controls to automatically isolate infected or compromised devices
  • Vulnerability management systems, including patch and configuration management
  • Anti-malware and anti-phishing tools
  • Helpdesk ticket systems that can also be used for incident tracking

There are some technologies specific to incident response that the budget should cover, including software, hardware, and removable media to perform forensics on individual devices. Special software may also be required for network forensic purposes.


How should an Incident Response Playbook be maintained?

Incident response plans should be reviewed and updated regularly—at least annually—and reviewed whenever the university’s incident response policy is updated. The implementation of the plan should also be evaluated regularly to identify areas for improvement.

Assessments should include at least two components: an analysis of recent incident responses to identify issues and trends that may require the plan or its implementation to be updated, and periodic exercises or tests of the plan against a variety of incident scenarios. At the heart of maintaining these documents and processes is a skilled and competent cyber incident response team.

Drills and tests bring people, process, and technology together, and they can be incredibly valuable in identifying areas of weakness and providing hands-on training for responders and others involved in these activities.

Of course, the incident response policy, plan, and plan implementation should all be updated appropriately to reflect lessons learned from incident response analysis, drills, and testing. This is intended to ensure that future defensive measures run more smoothly, damage is reduced, and normal university operations are restored more quickly.
