What Are Incident Response Policies and Plans?
Your incident response plan should be based on your incident response policy. An incident response policy defines key terms, including what constitutes an incident, and establishes time frames and priorities for reporting and responding to incidents. The policy also explains all roles and responsibilities related to incident response, including the responsibility of end users to report suspicious activity they witness. An incident response policy is short and should be updated infrequently.
Your incident response plan should explain at a high level how your university’s incident response activities will be performed to implement the policy. The plan should also explain how incident response relates to other programs and efforts, such as contingency planning, and should provide a roadmap for improving the incident response capability over time. The National Institute of Standards and Technology has free guidance on what an incident response plan should contain.
Finally, both the policy and plan should reflect leadership’s commitment to incident response and its importance to the university community. Incident response helps protect everything from personally identifiable information to research notes, intellectual property and other confidential material. It supports the university’s students, faculty and staff, university partners, and the larger community.
What Should Go Into an Incident Response Playbook?
An incident response playbook should document incident response activities in enough detail that a budget can be created to support them. Funding should cover the people, processes and technology needed to execute the plan.
Most people-related funding goes to incident responders, whether they are part of the university or third parties, who provide 24/7 incident monitoring, analysis and handling capabilities. However, there are other noteworthy budget items related to people, including:
- Training for incident responders, including the use of various specialized tools and techniques for forensic investigation and system recovery
- Training for security operations center personnel, IT support staff and others who may receive incident reports or personally observe suspicious activity
- Awareness for end users on how to spot incidents, how to report them and what to do (for example, powering off a computer infected with ransomware)