Incident Response Checklists

Understanding the Importance of Checklists

John Moran

March 29, 2016 - Posted by John Moran to Security Insight


Whether required by industry regulations or simply implemented as part of a solid incident response program, most organizations have at least a rudimentary incident response policy in place. A carefully crafted policy lays a foundation for the entire program. This policy, however, should be viewed as the jumping-off point, not the end game. A successful incident response program needs to be supported, and not just by a few policies, but by procedures, checklists, people, training and tools.

An essential part of every incident response program is a checklist. Using procedures as a guide, checklists should provide direction for those who will be carrying out the tasks. Perhaps because they are the last step in the process, or perhaps because of their need for frequent updates, incident response checklists are often overlooked, underutilized, or at best, outdated.

Responding to a security incident can be stressful and chaotic. Well-designed checklists can supplement a successful incident response plan by ensuring that personnel take prompt and consistent action under less than ideal conditions.

Deciding which topics are worthy of a checklist can be tricky. You need to make sure you cover all your bases so that ending up in a situation without a checklist for guidance is unlikely. Conversely, you do not want to create so many checklists that the incident response team ends up with checklist overload, or your checklists become overly specific and less applicable to varying scenarios. Generally, it is a good idea to create a checklist for each broad threat faced by the organization. For example, malware is a threat common to most organizations and is likely worthy of a checklist. Creating checklists for different types of malware, however, is commonly not recommended.

Elements of a successful checklist:

  • Checklists should be updated frequently to be in line with the organization’s policies and procedures, as well as industry best practices.
  • Checklists should only cover the major steps to be completed.
  • A checklist should only be one to two pages.
  • Like policies and procedures, checklists should have appropriate approval (management, legal, human resources, etc.).
  • Anyone who may be involved in incident response in any capacity should be familiar with the checklists (as well as policies and procedures) and should know where to find them before an incident occurs.

Checklist pitfalls:

  • Checklists should not be used to replace training on, or testing of, the incident response plan.
  • Checklists should not be overly detailed. Trying to dictate the response step-by-step can make a checklist unwieldy.
  • Checklists should supplement, not replace, the decision making of those responding to each incident.

Check out the Solutionary cyber incident response planning checklists as a starting point on your journey to checklist nirvana. We’ve created four checklists to use in your incident response program, including:

  1. Website Defacement Checklist
  2. DDoS Checklist
  3. Malware Checklist
  4. Ransomware Checklist

NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.