![[x 483 Header Annual Reports.jpg]]

The SEIRIM Cybersecurity Playbook is your complete plan of action to better secure your company's digital data and operations. 

The steps and solutions within are geared towards small to medium sized businesses whose needs in this space are lacking, though the concepts apply to organizations of all sizes. The key differences include recommendations opting more often for open source or economical tools where possible, instead of pushing companies on limited budgets to expensive options. 

## Goals

If you "complete" this playbook, and continue with an ongoing cybersecurity mindset and behaviors in your organization you will achieve:

- Cybersecurity awareness in your personnel making them much less likely to allow cyber attack attempts to break through.
- Resiliency in backups, alternative workflows, services and more enabling your company to keep performing key work during incidents and bounce back faster once issues are resolved.
- Plans in place so staff know what to do in advance of incidents occurring.
- Technical and operational preventions that greatly lessen the likelihood and impacts of cyber incidents.

Every needed step, action, implementation and response is covered. 

If you follow this playbook and adhere to its plan your company will be more secure and minimize losses from cyber attacks and incidents.

The Playbook is organized with the first steps and highest priorities at the top, but because in security it's important to get "everything right" as it only takes a single angle of failure to cause harm, it is necessary to address every aspect of the playbook from top to bottom.

## Step By Step

Every company's situation is different in:

- Their needs due to the size and type of the company and the resulting risks and threats profile 
- How mature is the current cybersecurity status today and ongoing process

SEIRIM's approach to cybersecurity aims to be as practical and as actionable as possible. Do the highest impact, most important mitigations first to help reduce actual risks as much as possible.

So, on one hand, we can tell you to hurry and complete some several actions, and this would be impactful, but it's better to start out with a bird's eye view of your situation and devise a plan and strategy, and a roadmap (this playbook) of actions to work through.

Critical to remember is that though we list our process in an order: 

- Some items can and should be done not necessarily in this order, depending on the situation
- The process is ongoing and iterative - every company needs to continually and routinely act on security

From top to bottom, our SEIRIM playbook walks your company through all critical cybersecurity steps, though if you're in a rush, can jump to our 'Rush Page' to just jump into some top 10 items you could do today that will have the most impact. 

In addition to following the Playbook, also use the Worksheet or adapt it to track the work and progress, found here: [Playbook Worksheet](appendix/playbook-worksheet/)

**Our Playbook steps and approach process at SEIRIM is:** 

## 1. Assess

Your company or organization will benefit from clear assessments of:

- Risks and threats that apply to your company due to your industry, size, geography
- Regulations and requirements that apply to your group due to operating location, industry, size, partner requirements, customer's rights and more
- Consider your group's valuable assets and services you rely on whose loss or degradation would have the most negative impacts
- Analyze your current security preparedness and 

[Assess Overview](1-assess/assess-overview/)

## 2. Identify

An old adage is you can't "You can't protect what you don't know", which helps point out the importance of becoming aware of any and all assets, services, dependencies and more that could negatively affect the organization if left unobserved and unprotected.

Another new mantra is "You can't secure what you don't understand" which pushes for more than just awareness, we need to look under the hood of what we rely on to protect it well.

**Tasks include:**

- Data and assets inventory
- Identify applications and services on which your business relies
- Identify users and accounts, retaining awareness of all of them but especially privileged accounts
- Identify dependencies on which critical business capabilities rely

[Identify Overview](2-identify/identify-overview/)

## 3. Protect

Once you have determined the threats to your organization and everything you need to protect, it's time to,,, protect it!

**Main Sections Include:**

- Identity and Access Management
- Backup Regimes and Recovery Readiness
- Systems Hardening and Secure Configuration
- Vulnerability and Patch Management
- Endpoint, Server, and Mobile Device Protection
- Email, Web, Cloud, and SaaS Protection
- Network, Remote Access, and Internet Exposure Protection

[Protect Overview](3-protect/protect-overview/)

## 4. Detect

The Detect section defines how the company notices suspicious activity, control failures, and signs of compromise.

This includes logging, alerting, monitoring, employee reporting, external exposure checks, and visibility across the main attack paths.

**Main Sections Include:**

- Detection Ownership and Coverage
- Logging, Alerts, and Security Visibility
- Monitoring the Main Attack Paths
- External Exposure and Control Failure Detection
- Employee Reporting, Triage, and Handoff to Respond

**Detect answers the question:**

“How will we know if something suspicious or unsafe is happening?”

Without detection, incidents can continue unnoticed until customers, vendors, banks, attackers, or external parties discover the problem first.

[Detect Overview](4-detect/detect-overview/)

## 5. Respond

The Respond section defines what the company does when a cybersecurity incident is suspected or confirmed.

This includes incident ownership, activation, triage, evidence preservation, containment, communication, escalation, external support, eradication, and safe handoff to recovery.

**Main Sections Include:**

- Incident Response Ownership and Activation
- Initial Triage, Evidence, and Incident Classification
- Containment and Immediate Risk Reduction
- Communication, Escalation, and External Support
- Eradication, Stabilization, and Safe Handoff to Recover

**Respond answers the question:**

“What do we do first, who is in charge, and how do we limit the damage?”

A good response is controlled action under pressure. The company should avoid panic, guessing, evidence destruction, uncontrolled communication, and uncoordinated technical changes.

[Respond Overview](5-respond/respond-overview/)

## 6. Recover

The Recover section defines how the company restores systems, data, access, and business operations safely.

This includes recovery ownership, recovery priorities, trusted restore sources, staged access restoration, validation, business continuity, documentation, and handoff to review.

**Main Sections Include:**

- Recovery Ownership, Priorities, and Readiness
- Restore Systems, Data, and Access Safely
- Validate Restored Systems and Business Operations
- Communication and Business Continuity During Recovery
- Recovery Documentation and Handoff to Review

**Recover answers the question:**

“How do we restore operations without restoring the incident or creating new risk?”

Recovery is not complete just because systems turn back on. Systems, data, access, security controls, backups, monitoring, and business processes must be validated before the company returns to normal operations.

[Recover Overview](6-recover/recover-overview/)

## 7. Review

The Review section defines how the company learns from incidents and converts lessons into improvement.

This includes the incident timeline, root cause analysis, control failure analysis, response and recovery performance review, improvement actions, evidence preservation, reporting, and leadership closure.

**Main Sections Include:**

- Post-Incident Review and Timeline
- Root Cause and Control Failure Analysis
- Response and Recovery Performance Review
- Improvement Actions and Control Updates
- Evidence, Reporting, and Leadership Closure

**Review answers the question:**

“What happened, why did it happen, how well did we handle it, and what must change?”

An incident is not fully closed until the company understands the cause, documents the facts, assigns corrective actions, and tracks improvements to completion.

[Review Overview](7-review/review-overview/)

## 8. Educate

The Educate section defines how the company trains employees, managers, executives, and high-risk teams to make safer decisions.

This includes security awareness ownership, core employee training, role-based training, reporting culture, simulations, tabletop exercises, training evidence, metrics, and continuous improvement.

**Main Sections Include:**

- Security Awareness Ownership and Training Plan
- Core Employee Cybersecurity Training
- Role-Based and High-Risk Team Training
- Reporting Culture, Simulations, and Practice
- Training Evidence, Metrics, and Continuous Improvement

**Educate answers the question:**

“Do our people know the risks connected to their work, and do they know what to do when something seems wrong?”

People are part of the security system. Employees should know how to recognize suspicious activity, report mistakes quickly, verify risky requests, protect data, use approved tools, and follow the company’s response process.

[Educate Overview](8-educate/educate-overview/)

## How the Sections Work Together

**These eight sections are connected:**

- **Assess** shows where the company is exposed.

- **Identify** shows what needs to be protected.

- **Protect** reduces the chance and impact of incidents.

- **Detect** helps the company notice problems early.

- **Respond** limits damage when something happens.

- **Recover** restores operations safely.

- **Review** turns incidents and near misses into improvement.

- **Educate** strengthens behavior and decision-making across the company.

The sections form a cycle that should be repeated as the business changes, technology changes, threats change, vendors change, and lessons are learned.
