IT Incident Response Playbook

by | Jul 27, 2021 | Cyber Incident and Response

Kerri Ellis

Chief Executive Officer

What is an Incident Response Playbook?

The short answer is that it’s a set of instructions to follow when the unexpected occurs.

These instructions are relevant to just about any situation that a business may face. They can encompass things like “what to do if our CEO is hospitalized or dies unexpectedly”.

As an IT service provider, we obviously tend to focus our playbooks on items that are directly related to business technology.

For example, what do you do if your VOIP (voice over IP) phone system goes down? Where do the calls go? Do you have an option to forward them to a specific employee?

Mitigating Security Concerns after an IT Incident

Diving a little deeper into our specific specialty, we will look at security concerns and incident response related to IT Security. What do you do when your server or PC is breached with ransomware?

What an IT Incident Response Playbook Looks Like

Incident response playbooks generally have very specific instructions along with a data flow diagram. They cover every foreseeable scenario with a response to each.

So, why do we care? In our industry, we have seen many instances where businesses were unprepared for a ransomware attack and weren’t even sure where to start. The goal of any incident response playbook is to be ready for the unexpected so work can continue as much as possible.

Incident Response: Ransomware

In the case of a ransomware attack, once a user recognizes that their system or server has been compromised, the first thing to do is to turn it off and remove it from the network. Then:

  • You need to verify the infection type and begin the cleaning process.
  • Our plan assumes that backups are being done. If they are not, that is the first step to any IT plan. Backups are essential to all IT solutions. Without them, any “incident” could be catastrophic. How you handle your backups is also a concern, but that conversation is for a different incident response plan.
  • Data Flow Diagrams. I think it’s fair to say that data flow diagrams do not require too much of an explanation. If they do, additional information needs to be added, but we would recommend that all incident response plans include information on “who to contact immediately” and “next steps”.
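The steps above (isolate the machine, contact people, identify the infection, and fall back on backups) can be encoded so that the order is enforced and the backup assumption is checked rather than hoped for. The following is an added illustration, not the author's or the company's playbook: the contact list, the 24-hour backup age limit, the sample backups and the `isolate`/`notify` callbacks are all assumed or constructed for the example.

```python
"""Illustrative ransomware playbook runner (added example, not the page's own process).

Assumptions made here, none of which come from the original post:
  - CONTACTS is the constructed "who to contact immediately" list, in order.
  - A backup is only usable if a restore test succeeded (verified=True) and it
    is no older than MAX_BACKUP_AGE.
  - Isolation and notification are passed in as callbacks so the logic can be
    exercised offline.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Constructed escalation order for the example.
CONTACTS = ["it-oncall", "cio", "cyber-insurer", "legal"]
# Assumed recovery point objective: a usable backup must be at most this old.
MAX_BACKUP_AGE = timedelta(hours=24)


@dataclass
class Backup:
    name: str
    taken_at: datetime
    verified: bool  # True only if a test restore of this backup succeeded


@dataclass
class PlaybookResult:
    steps_done: List[str] = field(default_factory=list)
    notified: List[str] = field(default_factory=list)
    blocked: Optional[str] = None  # set when the playbook must stop and escalate


def latest_usable_backup(backups: List[Backup], now: datetime,
                         max_age: timedelta = MAX_BACKUP_AGE) -> Optional[Backup]:
    """Newest verified backup taken within max_age of now, or None."""
    usable = [b for b in backups if b.verified and now - b.taken_at <= max_age]
    return max(usable, key=lambda b: b.taken_at) if usable else None


def run_ransomware_playbook(host: str, backups: List[Backup], now: datetime,
                            isolate: Callable[[str], None],
                            notify: Callable[[str, str], None]) -> PlaybookResult:
    """Run the steps in a fixed order; isolation is always first."""
    result = PlaybookResult()

    # 1. Take the host off the network before anything else.
    isolate(host)
    result.steps_done.append("isolate")

    # 2. Work the contact list immediately, in order.
    for contact in CONTACTS:
        notify(contact, f"ransomware suspected on {host}; host isolated")
        result.notified.append(contact)
    result.steps_done.append("notify")

    # 3. Identify the infection type (recorded as a step; the analysis itself is manual).
    result.steps_done.append("identify_strain")

    # 4. Refuse to wipe and rebuild unless a verified, recent backup exists.
    backup = latest_usable_backup(backups, now)
    if backup is None:
        result.blocked = "no verified backup within the recovery window; escalate before wiping"
        return result
    result.steps_done.append(f"restore:{backup.name}")
    return result


# Constructed sample data: one verified backup from 12 hours ago and one newer
# backup whose restore test has not been run.
NOW = datetime(2021, 7, 27, 9, 0, tzinfo=timezone.utc)
SAMPLE_BACKUPS = [
    Backup("nightly-0726", NOW - timedelta(hours=12), verified=True),
    Backup("nightly-0727", NOW - timedelta(hours=1), verified=False),
]


def demo_ready() -> PlaybookResult:
    """Run the playbook against the sample backups (callbacks just record)."""
    return run_ransomware_playbook("srv01", SAMPLE_BACKUPS, NOW,
                                   isolate=lambda h: None, notify=lambda c, m: None)


def demo_no_backups() -> PlaybookResult:
    """Run the playbook with no backups at all: it must stop before restoring."""
    return run_ransomware_playbook("srv01", [], NOW,
                                   isolate=lambda h: None, notify=lambda c, m: None)


if __name__ == "__main__":
    print(demo_ready())
    print(demo_no_backups())
```

The point of the structure is that the newest backup is not automatically the one you restore: the unverified `nightly-0727` is skipped in favour of the tested `nightly-0726`, and with no usable backup the runner sets `blocked` so the rebuild does not proceed on the assumption that data can be recovered.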

Our job is to help prepare our customers for the scenarios known to cripple business networks. An ounce of prevention is always worth a pound of cure. The adage is doubly true when it comes to network security.
