What makes a good Cyber Incident Plan? Let’s go through the basics.
What is the point of an Incident Plan?
A Cyber breach/incident is not a technical problem. It is a brand and reputation problem. The technical solution is a very small part of making sure your organisation deals with this incident effectively.
The Incident Plan is not a series of scenarios/playbooks to open when an event occurs. Playbooks are required, but they are the technical subset of the problem. I will deal with playbooks in a later post.
An incident plan guides the incident team on who needs to be involved, when, why, what the respective roles and control points are, how communications are channelled and who has responsibility for what elements of the plan.
The Incident Manager Role
The incident manager is not a meeting facilitator, nor a minute taker. These roles are required too, but it detracts from the key role of the incident manager. The key role of the Incident Manager is to provide air traffic control. Things will be taking off and landing on a regular basis, and you want someone to make sure things don’t crash into each other. Some things need to be given priority; some things need to wait for a landing slot. This is the key role of the incident manager.
What’s in the Plan?
The plan will tell you what facilities you need in terms of face to face meetings and VoIP meetings. You may not have the luxury of having everyone in the same room, so knowing how to set up an effective command and control point in both cases is necessary. What equipment you will need, which conference room you will hijack, what supplies you will need (i.e. more than just coffee).
Communications
Bridge conference numbers, Whatsapp incident group setup (other IM apps are available) , mobile numbers for SMS and calls, and any other relevant ways of communicating that your company want to set up to make sure all of the incident team are kept informed.
External help
Need to report to the Police? In the UK, this is ActionFraud on 0300 123 2040. Do you have your physical location address to hand? You will be surprised how many people work permanently at a location they do not know the full postal address for. Think about the questions that the Police will ask you and have that basic information in the plan. Like your domain name, your ISP, your network service provider contacts, etc. Who will be the Police liaison point? (usually the incident manager)
Do you have Cyber Insurance? The Insurer may want you to go through a particular process to make sure any claim is not invalidated. Understand what that needs to be and incorporate it in the plan.
Command & Control
Make sure it is clear who leads on each area of responsibility. If the Head of External Comms has responsibility for all external communications, the incident manager and the rest of the team will know who to contact for the latest on any external requests from media etc. By creating these conduits, you will always know who has the full view of a particular area. No chance of rogue comms, or old/outdated messaging.
Set up the same for HR (it could be that you have lost all your employee data), IT (someone will have to fix something somewhere), legal (you may have client contractual issues, regulator requirements and there may be a class action lawsuit in the making), the Data Protection Office (on behalf of a regulator, but GDPR has now segregated in terms of reporting requirements).
Third Parties
How many third parties will need to be managed? If you have outsourced a lot of IT, networks, HR, your incident management becomes a lot of cat herding. Understand your particular circumstances and put it in the plan.
All these points need time to construct, and the cyber incident plan is there to make sure all of the items are handled and there is no delay applied to actually trying to solve the problem at hand.
