Understanding the Importance of Checklists
Whether required by industry regulations or simply implemented as part of a solid incident response program, most organizations have at least a rudimentary incident response policy in place. A carefully crafted policy lays a foundation for the entire program. This policy, however, should be viewed as the jumping-off point, not the end game. A successful incident response program needs to be supported not just by a few policies, but by procedures, checklists, people, training and tools.
An essential part of every incident response program is a checklist. Using procedures as a guide, checklists should provide direction for those who will be carrying out the tasks. Perhaps because they are the last step in the process, or perhaps because of their need for frequent updates, incident response checklists are often overlooked, underutilized, or at best, outdated.
Responding to a security incident can be stressful and chaotic. Well-designed checklists can supplement a successful incident response plan by ensuring that personnel take prompt and consistent action under less-than-ideal conditions.
Deciding which topics are worthy of a checklist can be tricky. You need to make sure you cover all your bases so that ending up in a situation without a checklist for guidance is unlikely. Conversely, you do not want to create so many checklists that the incident response team ends up with checklist overload, or your checklists become overly specific and less applicable to varying scenarios. Generally, it is a good idea to create a checklist for each broad threat faced by the organization. For example, malware is a threat common to most organizations and is likely worthy of a checklist. Creating checklists for different types of malware, however, is commonly not recommended.
Elements of a successful checklist:
• Checklists should be updated frequently to be in line with the organization’s policies and procedures, as well as industry best practices.
• Checklists should only cover the major steps to be completed.
• A checklist should only be one to two pages.
• Like policies and procedures, checklists should have appropriate approval (management, legal, human resources, etc.).
• Anyone who may be involved in incident response in any capacity should be familiar with the checklists (as well as policies and procedures) and should know where to find them before an incident occurs.
• Checklists should not be used to replace training on, or testing of, the incident
• Checklists should not be overly detailed. Trying to dictate the response step-by-step can make a checklist unwieldy.
• Checklists should supplement, not replace, the decision making of those responding to each incident.
Check out the Solutionary cyber incident response planning checklists as a starting point on your journey to checklist nirvana. We’ve created four checklists to use in your incident response program, including:
1. Website Defacement Checklist
2. DDoS Checklist
3. Malware Checklist
4. Ransomware Checklist