The Challenge
As part of this initiative, our client appointed Bridewell to deliver a critical work package focused on the development, enhancement and implementation of Incident Response (IR) playbooks. Their key objectives included:
- Reviewing and updating existing policies and procedures to align with their transformation goals
- Assessing, amending, and creating tailored playbooks (in line with the ATC framework) to enable consistent and proactive incident management
- Improving processes to mitigate the impact of potential adverse security events
To achieve all this, our client required a partner capable of aligning their IR capabilities with their business objectives, ensuring alignment with the NIST Cyber Security Framework, and delivering actionable outputs such as training and tabletop exercises (TTX).
The Solution
To meet our client’s requirements, we employed a collaborative and structured methodology comprising three distinct phases: Discovery, Build, and Deliver.
Discovery Phase
Bridewell conducted a comprehensive assessment of the existing capabilities to lay the foundation for effective incident response. Key activities included:
- Stakeholder Identification and Scoping: We identified and mapped all key stakeholders involved in the incident management and reporting processes, including internal teams and third-party providers. The output was a detailed stakeholder map to ensure all relevant parties were engaged effectively.
- Review of Existing Documentation: We reviewed all existing incident response playbooks, documentation, and related materials. This allowed us to identify areas of good practice and gaps requiring remediation or enhancement.
- Technology and Tools Assessment: We reviewed the technology and tools used by our client to manage, track, and support security incident management processes. The output included tool workflows and insights into process overlaps, enabling us to streamline and optimise their use.
- Security Resource Review: We evaluated the resources available to support incident management and reporting processes, including certifications, skills, and experience. This analysis extended to management and leadership roles, and resulted in a resource capability model, a skills matrix, and a roles and responsibilities mapping.
- Business Impact Assessments: We conducted assessments to identify threats and risks to known business assets and information systems. The output was a prioritised list of business-critical assets, providing a clear focus for subsequent playbook development and testing.
Build Phase
We focused on designing and developing tailored resources and scenarios to strengthen the customer’s incident response capabilities. Key activities included:
- Tabletop Exercise Design: We designed realistic, business-relevant security incident scenarios for use in tabletop exercises (TTXs). These exercises simulate real-world incidents and were run with the relevant stakeholders.
- Incident Scenario Development: Security incident scenarios were documented within the incident response playbooks (IRPs), ensuring alignment with our client’s business operations and risk profile.
- Role Definition and Documentation: We identified and documented all key roles and their responsibilities, including those of the Cyber Security Incident Response Team (CSIRT) and other related roles. Contact details for key personnel and teams involved in reporting and escalation were included, ensuring these roles were aligned with our client’s operating model and organisational charts.
- Integration with Existing Processes: Where appropriate, we incorporated references to related incident management, planning, and reporting processes. Links to other planning activities, such as Business Continuity and Crisis Management, were included to create a comprehensive response framework.
- Testing Scenarios and Schedules: We provided related test scenarios and schedules, detailing how Post-Incident Reviews (PIRs) would be handled, reported, and authorised within the organisation. This included capturing lessons learned and managing remedial actions.
- Stakeholder Agreement: Through detailed documentation within the IRPs, we ensured that all customer personnel were aware of and agreed to their responsibilities and duties as defined in the playbooks.
Deliver Phase
Bridewell transitioned our work into actionable outputs and ensured our client was fully equipped to operationalise the developed materials. Key activities included:
- Playbook Delivery: We ran scenario-based TTXs with the relevant stakeholders, which generated valuable feedback. Because the iterative reviews during the Build Phase had already addressed the key amendments, the exercises resulted in only minor comments and changes to the playbooks. Following these updates, the playbooks were issued for formalisation and sign-off.
- Playbook Finalisation: Updated playbooks were finalised, presented, and issued to the customer. They were prepared for integration into our client’s document management and IT security management systems.
- Lessons Learned and Recommendations: The final outputs included a comprehensive gap analysis and a detailed set of recommendations for enhancing processes and resolving identified vulnerabilities. This ensured all personnel were aligned with their responsibilities as documented in the IRPs.
The Results
Bridewell’s approach delivered measurable improvements to our client’s incident response and recovery capabilities, including:
- Enhanced consistency in incident management processes, reducing response times and improving incident containment.
- Increased awareness and preparedness among key stakeholders through hands-on training and realistic simulations.
- Identification and mitigation of procedural and operational gaps, ensuring alignment with the customer’s business objectives and transformation goals.
- Delivery of tailored, actionable playbooks that empower our client to manage diverse cyber threats effectively.
The project was completed within a 12-week timeframe, achieving the following:
- Strengthened our client’s cyber security posture by aligning their IR processes with the NIST Cyber Security Framework.
- Fostered a culture of collaboration and continuous improvement within our client’s organisation.
- Provided sustainable tools and processes to ensure long-term resilience against evolving cyber threats.