Security Incident Response Plans: Six Essential Steps for Success

Author: Delta Risk’s Ryan Clancy
Author: Delta Risk's Ryan Clancy

Last fall, I spoke at the ASIS 63rd Annual International Conference about creating an actionable cyber security incident response plan that is tested and proven. Considering ASIS is more focused on physical security, I kept my recommendations focused on incident response in general. As I looked at “cyberizing” the recommendations, I discovered there isn’t much I would adjust for a physical security incident response plan.

In today’s cyber climate, it isn’t a question of if you’ll experience an incident. It’s a matter of when it’ll happen. When a security incident strikes, you’ll need a well-prepared staff coupled with a battle-tested plan. However, 56% of executives believe their incident response plan is immature.

Here are a few tips to create and maintain an actionable response plan:

1. Use Action Words

 This might seem obvious, but it is the most overlooked part of any plan. When you’re writing, try to use active verbs in the main body of your text. For example, rather than talk about “containment,” use the word in its imperative form, “contain.”  This approach won’t work for all sections of your plan but should be a focus of your main body.

2. Limit the Amount of Gold Plating

When your responders and incident managers are looking for guidance on how to handle an incident, don’t make them go through a preface, scope page, objectives page, biography of each member of the team, introduction, letter from the CEO, letter from the CIO, preamble, definition of terms, a signed poster from WHAM!, EULA, redefinition of terms, legal warning, letter from the President of Antarctica…you get the idea. Limit your boilerplate information to one, maybe two pages at the most. As soon as your responders need to act quickly, they shouldn’t have to look very far.

3. Practice the Plan

It’s important to exercise your plan full of action words. I recommend running four exercises a year or one a quarter across the company. At least one exercise should be cyber-focused, one should concentrate on a natural disaster, and the other two should revolve around the issues de jour. I also recommend four exercises a year that are specific to your IT and security teams. One full-scale functional exercise, one tabletop exercise, and two no-notice drills on a hot topic. Ransomware anyone?

4. Avoid Scope Creep

When people find out that C-suite executives have their eyes on an incident response plan, they’re going to try to toss everything including the kitchen sink into it. I’ve seen all types of policy initiatives and power grabs occur that would rival the U.S. Congress. Remember that your incident response plan shouldn’t be the place where your staff tries to sneak in ideas for implicit approval to receive funds or reshape policy.

5. Assume the Plan is Only a Starting Point

Not only do you NOT have to guess the intimate details of an incident correctly, you shouldn’t try. Acknowledge in the beginning that you aren’t going to cover everything from a meteor strike to a tornado slamming into a handgun factory. Your crystal ball is “in the shop” and that’s okay. Cover likely situations, and focus your time and energy on setting your team up with a solid starting point rather than predicting every outcome and path towards resolution. For example, set up a simple table with some likely meetings such as “10 AM Sync Brief” or “11 AM Executive Update.” Keep the details general since it’s only a starting point and will certainly be modified to fit the circumstances at hand.

6. Use and Abuse your Knowledge Management System

In order to keep your incident response plan lean, actionable, and focused, only keep links to documents such as policies and operations procedures rather than pasting the full document. Use your knowledge management system (SharePoint, Jive) to be your one source of truth for documentation. Otherwise, your incident response plan will look like someone overturned a Golden Corral buffet table onto the floor — a hot smelly mess.


Incident response planning is the most effective security investment you can make of your time and money. Having an actionable incident response plan is also key to quickly mobilizing resources and getting back to a fully functional business state. A well-prepared staff is equipped to resolve an incident. Moreover, preparation time fosters team building and can help you identify gaps in your day-to-day operations.

If you’re looking for additional tips to create an effective and practical incident response plan that integrates with your current business continuity plan, check out our blog "4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans."

Ryan Clancy is managing consultant at Delta Risk. Read more Delta Risk blogs here.