Time to Give Your Incident Response Playbook a Checkup!

As Spring turns to Summer and the cyber threats heat up just like the weather. It’s time to give your Incident Response (IR) playbook a checkup – same as your A/C system.

Here are the areas to do a quick check in your IR Playbook.

  • VERIFY CONTACT INFORMATION. Your IR Playbook should include all responder and stakeholder contact information as well as alternate phone numbers and email addresses for possible out-of-band communications (in the event your internal emails are compromised). Your contact list should also have alternative responders and stakeholders identified in the event of primary personnel are unavailable.

The below information is the recommended minimum for contact information data. Please ensure hardcopy and alternate media backup!

IR Function/Role

– Name
– Phone Number
– Mobile Number
– Home Number
– Home Address
– Office email
– Alternate email
– Alternate Contact
– Alternate Contact Phone
– Alternate Contact Mobile
– Alternate Contact Home Number
– Alternate Contact Home Address
– Alternate Contact Office email
– Alternate Contact Alternate email

  • AUTOMATED NOTIFICATION. If you use an automated notification methodology like “Send Word Now” or some other critical notification system, now is the time to test and validate all the phone numbers and email addresses as well as the alternate responder and stakeholder’s contact information.
  • TEST AND EVALUATE. When testing, make sure everyone is aware that it is a “Test of the Incident Response Notification System.” They will get and need to respond to all alerts to confirm contact information is up to date.
  • VALIDATE RESOURCE AVAILABILITY. If you leverage “ad-hoc” resources in your IR program (i.e. forensic examiners) now is the time to validate these resources are still available and agreeable to the continued responsibility – their managers need to approve this commitment prior to the actual need. Include their information like the above in your IR playbook – include them in the test and notification system directory as well.
  • INFRASTRUCTURE CHANGES. Your checkup should include a review of any infrastructure changes or additions to validate your continued security controls (i.e., port scans, whitelist/blacklist settings, anti-virus versions, patch management, etc.) and capability to identify compromises. You also want to validate any Cloud applications and security event reporting – is the cloud provider sending you information for you to integrate into your analysis engines – there could be some trending that might be identified as targeting both on and off premises systems.
  • BUSINESS OPERATIONS CHANGES. The IR Playbook and Operational Procedures Manual should be reviewed and validated yearly or when any significant changes occur in business operations. For example, recent business changes such as a merger or acquisition should trigger the review and changes to the notification contact list as well as a review of the BCP.
  • BUSINESS CONTINUITY PLANNING. Your playbook should identify the mission critical applications as identified in your Business Continuity Plans (BCP). Having IR Playbook information linked will ensure you address the responses needed for the appropriate systems should prioritization become an issue. Keeping the BCP up to date will provide immeasurable support to IR activities, reduce confusion, and mitigate risk.
  • LEADERSHIP INCLUSION. It’s important to have your IR playbook supported by senior leadership. Ensure corporate leadership is on the automated notification system. Inclusion will accomplish a second objective – providing situational awareness and gaining decision-maker engagement with consistent and timely information delivery.

If you are having challenges updating or creating your Incident Response Plans, Operational Procedures, or Business Continuity Plans, the Virtual CISO Program at Zofia Consulting can assist getting all required plans, processes, and procedures in order.

Chuck McGann
Senior Advisor, Zofia Consulting LLC
Former CISO United States Postal Service

Contact Chuck McGann

Charles L. (Chuck) McGann, Jr., is nationally recognized information security professional and senior advisor to Zofia Consulting. Chuck leads the Virtual CISO™ Program at Zofia Consulting and focuses on small to mid-sized organizations providing guidance in solidifying Cybersecurity programs and compliance requirements.  Chuck’s broad range of experience from Policy and Procedures creation and review through Incident Response and Threat Mitigation ensures companies are prepared to handle any variety of cybersecurity challenges.

Chuck is the former Corporate Information Security Officer (CISO) for the United States Postal Service (USPS). In this capacity, he secured one of the largest maintained intranets by any organization in the world, with over 200,000 workstations; over 45,000 retail terminals; more than 16,000 servers and over 220,000 Mobile Delivery Devices. The USPS infrastructure encompasses over 600 business applications that support all aspects of business operations as well as movement of the mail.

In his 28 years with the Postal Service, Chuck held numerous positions, Including: Manager, Information Systems, Acting Postmaster, Business Systems Analyst, Business Project Leader, Distributed Systems Security Specialist, Manager, Information Security and Incident Response Team Manager.

Over his distinguished career has received numerous awards and recognition. He belongs to various national, regional, and local organizations such as the Government Technology Research Alliances’ group, FBI InfraGard, National Security Agency (NSA), and Information System Audit and Control Association (ISACA) to name a few.