Incident Response Plan 101: The 6 Phases, Templates, and Examples

cover-img

What is an incident response plan?

An incident response plan (IRP) is a set of instructions that helps IT staff respond to, detect, and recover from network security incidents. The goal of an IRP is to minimize the impact of a security incident on an organization.

An IRP can help an organization:

The primary steps in an IRP include:

The U.S. National Cyber Incident Response Plan (NCIRP) is an example of a government-driven approach to handling major cyber incidents. It addresses the role of the private sector, state and local governments, and federal agencies in responding to incidents.

Need an incident response solution? Request an incident response demo.

Why is an incident response plan important?

The Ponemon Institute’s Cost of Cyber Crime Study showed that the typical organization experiences an average of 145 security incidents per year and spends $13 million annually year to defend itself. An effective response process can act to significantly reduce these costs. Incident response planning also protects your company’s reputation. IDC found that 80% of consumers would take their business elsewhere if directly affected by a data breach. If a security breach is not handled properly, the company risks losing business, as well as investor and shareholder confidence.

Additional benefits of incident response plans include:

What are the incident response steps?

According to the SANS Institute’s Incident Handlers Handbook, there are six steps that should be taken by the Incident Response Team, to effectively handle security incidents.

1. Preparation – Perform a risk assessment and prioritize security issues, identify which are the most sensitive assets, and which critical security incidents the team should focus on. Create a communication plan, document roles, responsibilities, and processes, and recruit members to the Cyber Incident Response Team (CIRT).

2. Detection and analysis– The team should be able to effectively detect deviations from normal operations in organizational systems, and when an incident is discovered, collect additional evidence, decide on the severity of the incident, and document the “Who, What, Where, Why, and How”.

3. Containment – Once the team identifies a security incident, the immediate goal is to contain the incident and prevent further damage:

4. Eradication – The team must identify the root cause of the attack, remove malware or threats, and prevent similar attacks in the future. For example, if a vulnerability was exploited, it should be immediately patched.

5. Recovery – The team brings affected production systems back online carefully, to ensure another incident doesn’t take place. Important decisions at this stage are from which time and date to restore operations, how to verify that affected systems are back to normal, and monitoring to ensure activity is back to normal.

6. Post-incident activity – This phase should be performed no later than two weeks from the end of the incident, to ensure the information is fresh in the team’s mind. The purpose of this phase is to complete documentation of the incident, investigate further to identify its full scope, understand where the response team was effective, and areas that require improvement.

7. Further testingAfter an incident has been resolved and post-incident activities are completed, further testing is crucial to validate the effectiveness of the response plan. This involves running simulations and drills to test the incident response processes, ensuring that all team members are familiar with their roles and responsibilities.

Incident response planning typically includes:

An incident response plan forms the basis of your incident response cycle:

Incident Response Plan 101

1051 E. Hillsdale Blvd.
4th Floor
Foster City, CA 94404