IT Examiner School - Oct 2025

Internal Use Only

Runbooks / Playbooks

Documented procedures should explain how technical processes and other operating procedures should be performed. Many organizations choose to create playbooks as part of documenting their procedures. Playbooks provide actionable steps or tasks for people to perform during various scenarios or situations. Formatting procedures within a playbook instead of another format can improve their usability.

See CISA Cybersecurity Incident & Vulnerability Response Playbooks [CISA-PB] for incident response playbook samples

72

Internal Use Only

NIST: Cybersecurity “Event” vs “Incident”

Cybersecurity Event Any observable occurrence that involves computing assets, including physical and virtual platforms, networks, services, and cloud environments. Examples of events are user login attempts, the installation of software updates, and an application responding to a transaction request. Adverse events are any events associated with a negative consequence regardless of cause, including natural disasters, power failures, or cybersecurity attacks.

Cybersecurity Incident An occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. [FISMA2014]

73