Behind the Firewall: 5 security leaders share incident response plans

First, it’s good you have a plan to begin with. But have you tested it?

That is, have you gathered all your stakeholders, from the C-suite to the trenches, and run through your plan? And testing it once is not good enough. Your teams and networks are constantly changing, so your plan should evolve as well with time.

When an incident occurs, that is not the time to find out if your plan works. Testing turns up simple things, like having the ability to use outside communication mechanisms. If your system gets locked down by ransomware there is a good chance your address book in Outlook will be inaccessible.

Part of testing is also getting to know your network by modeling it and examining how it’s all connected. Having a continuously updated model of your network greatly speeds up your response time.