Incident Response Plan Template

Failing to prepare is preparing to fail.

With the world’s current state of connectivity and the sophistication of attackers, a cybersecurity incident is inevitable. Therefore, it’s no longer acceptable to rely only on preventative security measures; we need to know what to do when those fail us.

A thorough, trained, and tested incident response plan is the cornerstone. Without a plan in place, decision-making easily becomes muddled.

Many organizations struggle to create thorough plans, so we’ve templated a version of what we provide to customers of our incident response services—no strings attached.

Sample of Content:

Incident Response Plan Template

The (Company) Incident Response Plan has been developed to provide direction and focus to the handling of information security incidents that adversely affect (Company) Information Resources. The (Company) Incident Management Plan applies to any person or entity charged by the (Company) Incident Response Commander with a response to information security-related incidents at the organization, and specifically those incidents that affect (Company) Information Resources.

The purpose of the Incident Management Plan is to allow (Company) to respond quickly and appropriately to information security incidents.

Event Definition

Any observable occurrence in a system, network, environment, process, workflow, or personnel. Events may or may not be negative in nature.

Adverse Events Definition

Events with a negative consequence. This plan only applies to adverse events that are computer security related, not those caused by natural disasters, power failures, etc.

Incident Definition

A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices that jeopardizes the confidentiality, integrity, or availability of information resources or operations. A security incident may have one or more of the following characteristics:

  • Violation of an explicit or implied (Company) security policy
  • Attempts to gain unauthorized access to a (Company) Information Resource
  • Denial of service to a (Company) Information Resource
  • Unauthorized use of (Company) Information Resources
  • Unauthorized modification of (Company) information
  • Loss of (Company) Confidential or Protected information

Section Title

  • Version History
  • Contact Information
  • Roles and Responsibilities
  • Cyber Security Incident Handling Team (IHT)
  • Chief Information Officer (CIO/CTO)
  • Cyber Security Incident Response Team (CSIRT)
  • IR Commander
  • Incident Response Team Members
  • Incident Response Framework
  • Phase I – Preparation
  • Phase II – Identification and Assessment
  • Phase III – Containment and Intelligence
  • Phase IV – Eradication
  • Phase V – Recovery
  • Phase VI – Lessons Learned
  • Phase I – Preparation Details
  • Reporting Incidents
  • Phase II – Identification and Assessment
  • Key Decisions for Exiting Identification and Assessment Phase
  • Phase III – Containment and Intelligence
  • Containment Strategies
  • Common Containment Steps
  • Key Decisions for Exiting Containment Phase
  • Initial Cause (“Root Cause”) Investigation
  • Phase IV – Eradication Details
  • Key Decisions for Exiting Eradication Phase
  • Phase V – Recovery Details
  • Key Decisions for Exiting Recovery Phase
  • Phase VI – Lessons Learned
  • Lessons Learned and Remediation
  • Forensic Analysis & Data Retention
  • Key Decisions for Exiting Lessons Learned Phase
  • Notification and Communication
  • Interaction with Law Enforcement
  • Regulatory Authorities
  • Public Media Handling
  • Plan Testing and Review
  • Appendix I. Logging, Alerting, and Monitoring Activities List
  • Appendix II. Two Minute Incident Assessment Reference
  • Step 1: Understand impact/potential impact (and likelihood if not an active incident)
  • Step 2: Identify suspected/potential cause(s) of the issue
  • Step 3: Describe recommended remediation activities
  • Step 4: Communicate to Management
  • Appendix III. Incident Response Checklist
  • Appendix IV. Notification Requirements
  • State of Minnesota
  • Appendix V. Media Statements
  • Pre-scripted Immediate Responses to Media Inquiries
  • Pre-scripted Responses
  • Statement Writing Tips
  • Appendix VI. Customer Letter Template
  • Formal Email and/or Letter Template
  • Appendix VII. Incident Response Organizations
  • Appendix VIII. Containment Strategies
  • Stolen credentials
  • Virus Outbreak
  • Appendix IX. Cyber Insurance and Third-Party Service Agreements
  • Appendix X. Supporting Document List