Incident Response Steps

A Checklist of Things to Consider Before, During, and After an Incident

Incidents happen to all businesses. Because they’re unavoidable, we have to know how to handle them when they do happen. A good incident response program is paramount to the overall success of your security program.

This checklist will help you:

  • Decide what to do as you build an internal incident response program
  • Understand how to classify incidents
  • Work cohesively with an incident response provider to triage the incident
  • Execute a post-cleanup strategy

Before the Incident

  • Understand your insurance policy
    • Someone has reviewed it
    • We know what they cover and what they won’t
  • Have a plan in place
    • Define roles
      • Public relations
        • Our messaging is tight
      • Legal
    • Define communication channels
    • Know what laws you’re bound to
      • Know how to contact law enforcement
  • Practice the plan
  • Be proactive with your security measures
    • We’ve completed an annual risk assessment
    • We’ve at least had a vulnerability scan

Incident Classification

  • We know what the incident is
  • We know what assets or systems it affects
  • We know what legal or compliance requirements we have

After Classification

  • Decide if the internal team can handle it
    • Know what your insurance policy requires
    • Follow your plan
    • Contain the incident/event
    • Call your CSIRT to help when the incident is beyond the internal team’s expertise
      • Reminder: Good at IT ≠ good at security or incident response

During the CSIRT Engagement

  • Work in tandem with the CSIRT to handle the incident when asked
    • Follow the CSIRT plan & trust the CSIRT fully
    • Don’t remove anything that the team has implemented
    • Assist in containing the event when asked
    • Preserve and isolate evidence so the CSIRT can analyze it
    • Work with the CSIRT to eradicate when asked


  • Get back to where you were before it happened
    • Bring in aspects of your disaster recovery plan

Follow Up

  • Reporting
  • Regular updates with insurance
    • Days and dollars to containment
  • Lessons learned
    • Decide what to change to prevent this from happening again
    • Improve your plan
    • Get an up-to-date risk assessment