Response plans that clearly delineate:

• Roles and responsibilities (described in Section 4.3), with key details such as:

  • Who coordinates the response and is empowered to make decisions?

  • Who can make financial decisions in a crisis (such as whether to purchase new equipment/software, pay a ransom, etc.)?

  • Who will decide which evidence to preserve, and which not to preserve?

  • Who drafts and approves internal and external communications, such as statements to the media, key stakeholders, regulators, and more? (Typically, public relations and your breach coach should be involved, at a minimum.)

  • Who is responsible for notifying responders and stakeholders, from outside IT consultants to the board of directors? (You may want to establish a phone tree.)

  • Backup assignments for each task (in case a person is out or there is a need for schedule rotation).

• Triage guidelines for first responders, such as:

  • Triage framework (Section 4.4.2)

  • Diagnostic questions for assessing the current state (Section 4.4.3)

  • Recovery objectives (Section 4.4.4)

• Defined incident management and escalation processes

• Documentation processes for responders

• Notification obligations, including requirements for contacting insurers, regulators, government agencies, and other parties

Crisis communications plans that address:

• Response team communications (Section 4.7.1)

• Affected parties (Section 4.7.2)

• Public relations (Section 4.7.3)

Specific procedures for tasks such as:

• Evidence collection, including clear, specific steps for gathering and preserving evidence

• Backing up various device configurations, and rolling back changes if needed

• Restoration of data and systems (It’s important to test this in advance and keep it up to date!)

• Conducting an investigation, including adversary research, scoping, and breach investigation

Contact information for the response team, leadership, and third parties:

Internal staff

• IT

• Legal

• Cybersecurity

• Finance

• Executive team

• Public relations

• Board of directors contact

External parties

• Managed services providers (MSPs) and technology vendors

• Cyber insurance claims hotline/form

• Breach coach/cyber attorney

• Incident response/forensics firm

• Ransom negotiator

• Bank

• Public relations firm

• Law enforcement (FBI, Secret Service, police department)

• Regulators

Make sure to include after-hours contact information in case it is needed and keep the contact list up-to-date.

Templates for use throughout the response:

• Response strategy templates to be filled out and periodically updated during the crisis.

• Communications templates that have been preapproved by legal counsel, public relations specialists, and the leadership team. These may include public notification templates to use in the event of a potential cybersecurity incident, sample communications for human resources personnel to use with employees, templates for regulator notifications, and more.

Technology to support response efforts:

• Effective detection systems. The earlier an incident is detected, the easier it is to minimize damage. Ensure that the organization has detection mechanisms in place, such as endpoint detection and response (EDR), network detection and response (NDR), antivirus, and more. Note that adversaries often strike after normal business hours, on holidays, and on weekends. It is not enough to simply have detection systems installed; today’s organizations need 24/7 monitoring for potential incidents.

• Centralized incident documentation system, such as ticketing software

• Centralized monitoring and logging systems

• Threat hunting software, such as EDR, security information and event management (SIEM), vulnerability scanners, and other tools

• Evidence preservation tools appropriate for the types of systems in use, such as imaging software/hardware and cloud-based log export utilities

• Backup and restoration tools

• Credentials and methodology for accessing:

  • Monitoring and logging systems

  • Threat hunting software

  • Backup and restoration tools

  • Network equipment

  • Cloud applications

  • Workstations, servers, and other infrastructure

Reference materials:

• Network diagrams that illustrate key servers, network devices, cloud repositories, and interconnections

• Inventory of servers, cloud assets, and key data repositories, along with information about who has administrative access

• Data and asset classification policy

• Accurate, up-to-date list of all employees, users, roles, and accounts

• List of available sources of evidence, along with retention times and prioritization guidelines for various types of incidents (Make sure to get input from the organization’s selected breach coach ahead of time.)

• Documentation describing any key dependencies or the order of operations that would be important for restoring the technology environment and access to data

• Backups and documentation of network device and server configurations, account lists, domain structure, etc.

• “Gold standard” images of workstations, servers, and network devices, to facilitate quick redeployment

• Prioritized list of business functions and systems needed to support them, reviewed and approved by the organization’s leadership in advance

• Copy of the cyber insurance policy, including a summary of key requirements that may affect the response