An incident response plan is a high-level overview of how to identify, investigate, contain, remediate, and recover from a cyber security incident. It is vital that your organization has one and that you know how to use it so you are well-prepared for when a potential disaster strikes.
To help you out, we have created a comprehensive incident response plan template that you can customize to suit your organization’s needs. It includes everything you need to effectively respond to an incident, from clear roles, responsibilities, and incident classification to processes and communication plans.
The complete incident response plan template has been packaged and is ready to use now as a PDF or Google Doc. Download and enjoy!
Table Of Contents| Approved By | |
| Owner | Head of Cyber Security |
| Author | |
| Audit | Information Security Team |
| Issue Date | |
| Document Name | Cyber Incident Response Process |
| Version | 1.0 |
| Document Class | Restricted |
| Distribution | Google Drive | OneDrive | Sharepoint> |
| Version | Author | Notes | Date |
|---|---|---|---|
| 1.0 | Document Creation |
Cyber attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. This document provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. Continually monitoring for attacks is essential. Establishing clear procedures for prioritizing the handling of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data. It is also vital to build relationships and establish suitable means of communication with other internal groups (e.g., human resources, legal) and with external groups (e.g., other incident response teams, law enforcement). This document describes the process by which any cyber security incident is managed and includes the high-level procedure for each step. This process will be initiated as an action from the overall incident management process, either as an internal ticket or as an action identified by a third-party provider.
The purpose of this Cyber Security Incident Response Plan is to establish that is well-prepared to effectively and efficiently manage cyber incidents. Cyber security incidents are becoming more frequent and sophisticated, with no organization immune from the potential threats they pose. It is imperative that organizations are adequately prepared to detect, prevent, and respond to such incidents promptly. This comprehensive plan ensures is ready to address inevitable cyber incidents. It contains a structured approach that ensures the appropriate resources are allocated efficiently, roles and responsibilities are clearly defined, and a thorough methodology for the detection, containment, eradication, recovery, and post-incident analysis of incidents is followed. The primary objective of the Cyber Security Incident Response Plan is to ensure that is well-prepared and organized to respond to cyber security incidents. It will minimize the impact of incidents and reduce recovery time after an incident occurs.
This Cyber Security Incident Response Plan applies to all IT assets that fall under the jurisdiction of . This includes networks, computer systems, data, and personnel (e.g. employees, vendors, contractors). This document establishes incident handling and incident response capabilities and determines the appropriate response for common cyber security incidents. This document is not intended to provide a detailed list of all activities that should be performed in combating cyber security incidents.
The Cyber Security Incident Response Plan uses the following key terms to describe the incident response process. Ensure you are familiar with their definitions.
| Key Term | Definition |
|---|---|
| Cyber Incident | Any incident that occurs by accident or deliberately that impacts business processes or IT systems. An incident may be any event or set of circumstances that threaten the confidentiality, integrity, or availability of computer systems, networks, services, or data within . This includes unauthorized access to, use, disclosure, modification, or destruction of data or services used or provided by . |
| Malware | Malicious software is any software or code that is designed to harm, exploit, or compromise computer systems, networks, or user data. |
| Ransomware | A type of malware that is designed to encrypt a victim’s computer system to lock them out of their data. The attacker will then demand a ransom for the release of said data. |
| Denial of Service (DoS) | A cyber attack that aims to make a remote service unavailable to its intended users by flooding the service with illegitimate requests. |
| IT | Information Technology |
| IRT | Incident Response Team |
| DFIR | Digital Forensics and Incident Response |
| CISO | Chief Information Security Officer |
| EDR | Endpoint Detection Response (EDR) is a security tool that is installed on endpoint devices (e.g. laptops, desktops, mobile phones) to detect and block malicious activities. |
| WAF | Web Application Firewall (WAF) is a special type of firewall designed to protect web applications from cyber attacks. |
| IDS / IPS | Intrusion Detection System (IDS) is a security tool installed within a network to detect potentially malicious activity. An Intrusion Prevention System (IPS) is installed in a network to block potentially malicious activity. |
| AV | Anti-Virus (AV) is software designed to protect computer systems and networks from malicious activities. |
| Phishing | An attack technique where an attacker will pose as a trustworthy source to deceive a victim into divulging sensitive data, clicking on a link, or executing malware. Phishing can be done through email, text messages, phone calls, or social media messages. |
| Botnet | A network of Internet-connected devices that have been taken over by malware that connects to a central command and control (C2) server. A threat actor will use a botnet to perform various cybercriminal activities, such as a Distributed Denial of Service (DDoS) attack. |
| Confidentiality | Confidentiality refers to the protection of sensitive or private information from unauthorized access or disclosure, either maliciously or accidentally. It is part of the cyber security CIA triad and a fundamental pillar of ’s business operations to defend against attacks. |
| Integrity | Integrity is the assurance that computer systems, networks, services, and data are accurate, reliable, and trustworthy. They have not been altered or tampered with by unauthorized individuals. It is part of the cyber security CIA triad and a fundamental pillar of ’s business operations to defend against attacks. |
| Availability | Availability refers to ensuring that computer systems, networks, services, and data are readily accessible and useable when needed by authorized authorities. It is part of the cyber security CIA triad and a fundamental pillar of ’s business operations to defend against attacks. |
| Exploit | A piece of software or code that can take advantage of a vulnerability or security weakness in a computer program, operating system, application, or network to carry out malicious actions. |
| Vulnerability | A weakness or flaw in a computer program, operating system, application, or network that can be exploited by a threat actor to compromise the confidentiality, integrity, or availability of the system. |
| Zero-day | A software vulnerability or security flaw in a computer program, operating system, or application that a vendor has not released a patch or security update to fix and can be exploited by a threat actor. |
| IOCs | Indicators of Compromise (IOCs) are artifacts or evidence that are left behind after an intrusion by a threat actor. They are used to identify or detect if a security breach has taken place, who is responsible, and help to mitigate threats. |
| SLA | A Service Level Agreement (SLA) describes the guaranteed measure of service availability provided by or a third-party contractor. Usually, financial repercussions occur if the service availability drops below the prescribed SLA. |
| War Room | A war room (a.k.a command center or situation room) is a dedicated meeting room where key decision makers and members of the IRT gather to collaboratively and rapidly respond to an incident. |
| Stakeholder | An individual, group, or organization with an interest, concern, or influence in a particular issue or project. Stakeholders can be internal or external, and it is important to identify and communicate critical decisions with them. |
| Threat Actor | An individual, group, or organization that threatens the security, confidentiality, integrity, or availability of ’s systems, network, or data. They could be a criminal gang, nation-state, or political activist. |
| C2 | Command and Control (C2) server is used by a threat actor to control systems they have infected with malware. |
| PUP | A Potentially Unwanted Program (PUP) is software that poses a risk to a system or network but is not strictly defined as being malicious. |
This commitment to responding to cyber security incidents promptly is a fundamental element of our company’s cyber security strategy. It underlines our dedication to maintaining trust, protecting data, and minimizing the potential impact of security incidents on our organization and its stakeholders.
The team that is assigned to perform the incident response process is defined in the following table, along with their roles and responsibilities.
| Role | Responsibilities | Contact Details |
|---|---|---|
| Incident Response Manager | Distribution of work/priorities, coordinating response activities, and logging updates on the case management platform. | |
| Head of Security Operations | Identify risk and associated priorities and work with relevant stakeholders to provide internal comms and training. | |
| Lead Security Analyst | To analyze how the incident is taking place, categorize the incident, and collect all logs and information as evidence. | |
| IT Representative | Action shutting down any systems and accounts. Provide any logs for endpoints or networks owned by IT. | |
| Legal Advisor | Approve communications and approve the wording of reporting to governance organizations. | |
| PR/Communications Officer | Responsible for major incident communication to key stakeholders and press. | |
| Data Protection Officer | To advise the business about the identification and disclosure of a data breach to governance organizations. | |
| Digital Forensics Partner | To assist in the analysis, containment, eradication, and recovery from a cyber incident. Provide technical expertise in preserving forensic data which may need to be used for prosecution. | |
| CISO | Accountable executive for protecting cyber security within the organization. Responsible for reporting to board directors and other executives. |
It is important to keep the contact details of the IRT members up-to-date so they can be quickly reached whenever a cyber incident arises.
Each cyber security incident needs to be accurately identified so that the incident response team can respond to the incident using the appropriate analysis, containment, eradication, and recovery procedures.
The process for identifying potential security incidents at is to monitor for alerts on the following systems:
Once an incident is detected, it is managed using the case management platform .
It is important to accurately classify all cyber security incidents based on their severity, their impact on the organization, and the urgency in which they need to be responded to. The following Incident Severity Matrix provides a matrix to classify an incident’s severity based on its impact on the organization. Use it to assign a severity to each cyber incident.
| Severity | SLA | Description | Impact |
|---|---|---|---|
| P1 Critical Incidents | Response time: 20 minutes |
Once an incident has been assigned a severity, it is classified using the following Incident Classification Matrix. This is so that incident responders can apply the appropriate analysis, containment, eradication, and recovery procedures to respond to the incident effectively.
| Incident Classification | Description |
|---|---|
| Ransomware | Software that is designed to encrypt a system and hold it for ransom. Detected on endpoint systems or reported by an employee. |
| Denial of Service (DoS) | A flood of traffic designed to take down a website. Can also apply to phone lines, other Internet-facing systems, or internal systems. Identified through network traffic or reported by an employee. |
| Phishing | Emails, SMS messages, or phone calls that attempt to convince an employee to click on a link, download an attachment, or divulge sensitive information. Reported by an employee. |
| Unauthorized Access | Access to systems, accounts, or data by an unauthorized person (internal or external). Detected by endpoint systems or seen in network traffic. |
| Data Breach | Lost/stolen devices or hard copy documents; unauthorized access and exfiltration of data over the network. Detected by endpoint systems, seen in network traffic, or reported by an employee. |
| Potentially Unwanted Program (PUP) | Software that is considered suspicious and may contain hidden malware (e.g. games, crypto-tools, etc.). Detected on endpoint systems. |
| Malware | Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Detected on endpoint systems. |
| Suspicious Network Communication | Communication with a suspicious or malicious IP address or domain name (e.g. C2 server, TOR node, botnet, etc.). Detected by endpoint systems or seen in network traffic. |
| Hacking Tool | Software that could be used to gain unauthorized access to computer systems, networks, or data. Detected by endpoint systems. |
| Scanning | Unauthorized, abnormal, or suspicious network traffic that is designed to scan a range of IP addresses for vulnerabilities, open ports, or services on target systems. Seen in network traffic. |
| Brute Force Attack | A flood of network traffic that systematically tries all combinations of passwords or encryption keys to gain unauthorized access to a computer system or account. |
| Test | Testing activity that is designed to emulate a cyber incident so that detections or mitigations can be implemented to protect against it. |
adheres to the common cyber incident resolution structure which includes the following phases:
Each of these phases are detailed below.
Preparation is the process of readying the organization for a cyber attack. It involves implementing preventative measures, regularly testing these measures, and training employees to respond effectively to cyber incidents.
To effectively prevent cyber incidents, implements the following measures:
Detection and analysis involves the identification and investigation of cyber incidents. This includes incident triage to determine the severity of an incident and root cause analysis to assess the incident’s impact on the organization.
uses the following methods to detect and analyze cyber incidents:
The containment phase involves stopping any further damage to the business and/or its IT systems and preventing the situation from becoming worse by removing the direct threat from the environment.
To contain incidents, has the ability to isolate impacted endpoint machines and networks.
Once contained, the eradication phase can begin. This phase involves re-instating affected systems to their original operational status. Methods include rebuilding systems from a previous backup and resetting compromised accounts.
After eradication, the recovery phase begins. Systems are re-introduced back into the larger IT environment and brought back to a fully functioning status. An increased level of monitoring should be implemented during the recovery phase, and, if necessary, patches should be installed to prevent any further exploits.
After has recovered from a cyber incident, the post-activity phase can begin. This phase involves a comprehensive assessment of how a cyber incident occurred. It includes holistically assessing the failures in the people, processes, and technology designed to protect the organization from cyber threats and learning from these failures.
All lessons learned from the incident should be documented, and processes started to implement mitigations to prevent the incident from happening again.
The Cyber Security Incident Response Communication Plan outlines the strategies, procedures, and roles for effective communication during cybersecurity incidents. The plan aims to maintain transparency, inform stakeholders promptly, and facilitate efficient collaboration among IRT members.
Documentation and Record Keeping:
Testing and Drills:
To effectively prepare for cyber incidents, is dedicated to ensuring employees are aware of the risks posed by cyber threats. The company is also dedicated to providing employees tasked with defending the organization from cyber threats with the appropriate resources and training required to perform this task.
To meet these objectives, has the following programs in place to prepare employees for responding to incidents.
Employee Awareness Programs:
Employee Training Programs:
The Cyber Incident Response Plan will be reviewed and updated regularly.
| Auditor | Information Security Team |
| Review Period | Annually or as required |
| Review Date | |
| Next Review Date |
Provide a template for documenting incidents.
| Role | Name | Title | Phone | |
|---|---|---|---|---|
| Incident Response Manager | ||||
| Head of Security Operations | ||||
| Lead Security Analyst | ||||
| IT Representative | ||||
| PR/Communications Officer | ||||
| Data Protection Officer | ||||
| CISO |
| Role | Name | Title | Phone | |
|---|---|---|---|---|
| Digital Forensics Partner | ||||
| Legal Advisor |
Provide forms for documenting actions taken during an incident response.
A comprehensive incident response plan is vital for the success of your organization’s cyber security program. It contains instructions on handling an incident, including the policies, procedures, and technologies you can use to avert a potential disaster.
We have provided you with a complete incident response plan template that you can tailor to your organization’s needs and make your own. If you want to learn the skills required to use an incident response plan effectively, check out our StationX Accelerator Program. The program is packed with personalized career roadmaps, dedicated mentorship, and courses to build your incident response skills.
