• The CrowdStrike Incident Response Executive Preparation Checklist is a template to help organizations consider the roles of their executives before, during and after an incident.
• CrowdStrike tabletop exercise delivery teams have leveraged this checklist in engagements with Fortune 500 leadership and Boards of Directors.
• The checklist addresses our most common findings from tabletop exercises: undefined responsibilities for executives, lack of out-of-band communications, missing guidance on conducting investigations under privilege, uncertainty around engaging the Board of Directors and failure to call on third-party support at the appropriate times.
• Download the CrowdStrike Incident Response Executive Preparation Checklist.

Within your incident response plan, there typically is (or should be) a trigger to notify your executive team of an impending crisis. While many organizations believe they’ve worked out the logistics of gathering leadership on the phone, getting decisions made, and garnering their support for your proposed response plan, they often find out in the heat of an incident that the leadership team is miles apart in your understanding of what happens next. Does the CFO know to respond to the text notification to join the bridge? Is the CEO willing to accept advice from a breach coach and external counsel? Is the leadership team well-versed on the new U.S. Securities and Exchange Commission (SEC) rules on cybersecurity incidents? 

Of course, this is why you write plans in the first place: to make sure everyone is on the same page about how to respond. But the reality is incident response plans are long, cumbersome documents. If your executives did read the plan, they’re not likely to remember the details by the time an incident rolls around. That’s why many organizations have begun to develop executive checklists or “tear sheets” that briefly summarize major actions and who is responsible. 

Creating a quick reference for executive leaders is one of the most common recommendations CrowdStrike’s Professional Services team makes when conducting tabletop exercises with our customers. So much so that we built a template to share.  

This incident response executive checklist directly speaks to how the security organization can prepare the company’s most influential responders: their C-suite. The ability to engage executives — with their human biases and predispositions — directly affects the success of the security organization during an incident. The checklist draws from our experience both responding to incidents and conducting tabletop exercises with leadership teams. It addresses our most common findings from tabletop exercises: undefined responsibilities for executives, lack of out-of-band communications, missing guidance on conducting investigations under privilege, uncertainty around engaging the Board of Directors and failure to engage third-party support at the appropriate times. The result is a distilled list of key steps we recommend organizations take before, during and after an incident. 

How to Use the Checklist

This checklist provides a starting point. It identifies many of the common crisis management activities business leaders or executives should consider when responding to a cybersecurity incident. It should be updated to focus on the activities that are most important to your organization and should identify the parties responsible for doing them. You may also consider developing checklists specific to each key leadership role to focus on their responsibilities and clarify who does what.

The checklist contains the following sections:

• Before an Incident: The checklist starts with the actions you should be taking now before you’re in an active incident. This section emphasizes the importance of testing and training with regular tabletop exercises and identifying the third parties you plan to call for help, such as a digital forensics and incident response (DFIR) provider.
• During an Incident: Next, the checklist walks you through the actions different leaders must take once an incident has been declared — from the legal team invoking privilege to the compliance team evaluating contractual and regulatory requirements. This section makes sure your teams don’t forget key obligations in the heat of an ongoing investigation. 
• After an Incident: Incidents don’t end once a threat actor is eradicated from the environment. Executives deal with the reputational and financial fallout that often accompanies major breaches. This section describes after-action processes and considerations. 

Your best defense is preparation. How you educate and engage your executive leaders directly impacts the success of your response to an incident. Adapting the CrowdStrike Incident Response Executive Preparation Checklist to your organization — and practicing with regular tabletop exercises — is key to enhancing your readiness. 

Additional Resources

• Discover more about CrowdStrike’s Proactive Services to help you prepare for cybersecurity incidents. 
• Learn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers and data, wherever they are located.
• Visit our Industry Recognition and Technology Validation webpage to see what industry analysts are saying about CrowdStrike and the Falcon platform. 
• Get a full-featured free trial of CrowdStrike Falcon Prevent and see for yourself how true next-gen AV performs against today’s most sophisticated threats.