This cheat sheet was developed by Cyber Security News.
I believe it is a good guideline; however, I would change number 3 to Step 0 or Step 1B.
My thought process is that during any disaster/incident, alerting your team early allows them to begin the work that they need to perform (this should be according to the plan that has been developed). I could be wrong and would appreciate others' opinions.
@dcontesti I recently did an RFP (Request For Proposal) on a Ransomware incident response plan, to show lessons learnt during that process and to indicate experience, etc.
Forming an Incident Response at Stage 3 is far too late, especially for Ransomware incidents. This should already be in the Incident Playbook, practiced regularly by the team and executives. There is no mention of reporting early on to the mandatory Cybersecurity Emergency Response team, which may be a government entity, or to the Privacy Commissioner's Office, etc.
Step 5 is too late. Minutes count in a Ransomware incident scenario; employees need to be instructed on what to do via cyber security awareness training, and isolation is key to reducing the impact. If you have to verify your backups at the point of realisation, it is far too late.
There are many issues with this simplified list, nice attempt but not good in practice.
The Public Relations Officer, or PR person, needs to have set messages far earlier in the process. If the attack has progressed and is causing outages for clients outside of the organisation, prepared messages are essential; do not leave it to Step 8.
I agree with Step One; however, with no training, no practice and no understanding, unfamiliar human beings will often go into "headless chicken mode", regardless of gender.
Regards
Caute_Cautim
@dcontesti Here are some interesting links:
https://www.cert.govt.nz/information-and-advice/guides/how-ransomware-happens-and-how-to-stop-it/
https://www.incidentresponse.com/mini-sites/playbooks/malware-outbreak
CISA provides some good links too, and practice for the same event.
Good to have these well documented, and put into the playbook.
Regards
Caute_Cautim
I would say that what was Step 1 should be labeled something like "Start" or "So you have a security incident ...", and then, after "Don't Panic", add "Don't immediately pay the ransom" and why.
Then, what was Step 7, "Document", becomes Step 1.
Then, what was Step 3, "Form a response team", should be Step 2, called "Form or activate an incident response team", and should include instructions for proper notifications.
In general, the rest could follow in order...or be disregarded because of following an established incident response.
Of course, this should be simulated before having an actual incident ...