Incident Response Plan

What is an Incident Response Plan? 

An Incident Response Plan is a structured and documented plan of action for how an organization will respond to security incidents. A good Incident Response Plan establishes the organization, actions, and procedures needed to identify and respond to an incident, perform the appropriate escalation and notification and ultimately resolve the incident.

The plan should classify the types of security incidents the organization expects to face and define the notifications each type requires, along with who the decision-makers are for further escalation and action. In some organizations this document also spells out the procedure for each escalation level, the decision-making criteria, and the next steps. Because not all incidents are created equal, these criteria, and the escalation point or decision-maker for each situation, should be settled ahead of time rather than worked out during the response. The plan should also require identifying any changes to protection, detection, or response that should be made afterward.

Incident Response Plan Frameworks

There are two primary frameworks for incident response processes, NIST (SP 800-61) and SANS. They differ mainly in how the lifecycle is divided, not in substance. NIST defines four phases: 

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity

SANS breaks the same lifecycle into six steps: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

There are many templates available from security vendors on the internet.

An Incident Response Plan should outline:

  • Decision-makers in the different situations
  • Who to notify and when to escalate
  • Who/what skills are needed for resolution, research, and to inform decisions
  • How to define the incident and criteria for decision making
  • Steps to be taken to evaluate and resolve the incident
  • Contact information for those who may need to be involved
  • Lessons learned activity structure

Potential partners should be listed in the plan in case they are needed: providers of forensics or other specialized services, as well as legal and communications resources, may be required to determine some next steps. Partners that may themselves be impacted by the incident should also be considered. 

Not all Incidents are created equal; an Incident Response Plan must differentiate between response to minor, low impact incidents and more extensive, higher impact ones. It should help the Incident Response Team correctly evaluate the incident and help direct them to take the correct steps. 

Incident Response Plans also need to be accessible. There is no good time for an incident to be identified, so key individuals should keep a copy at home (or otherwise offline) that they can reference, not just one on a corporate network that may be compromised or unavailable.
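The classification, tiering, and accessibility points above (incident types mapped to notifications and decision-makers, minor versus major incidents handled differently, contact routes that survive a compromised network) are easier to keep consistent when the plan's escalation table is written down in a checkable form. The following Python is an added illustration, not part of this page or any real plan: the severity matrix, role names, deadlines, and contact routes are hypothetical placeholders an organization would replace with its own. It shows a triage function that maps an incident to a severity tier and escalation path, plus a review check that flags a tier with no decision-maker, no out-of-band contact route, or a notification deadline looser than that of a lower severity.

```python
"""Severity-based triage and escalation routing for an incident response plan.

Added illustration only: the matrix, roles, deadlines and contact routes
below are hypothetical and are not taken from any real plan or framework.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Incident:
    category: str         # e.g. "malware", "phishing", "data_exposure"
    impact: str           # "minor", "moderate" or "major" business impact
    scope: str            # "single_host", "department" or "enterprise"
    regulated_data: bool  # PII, PHI or cardholder data involved?


@dataclass(frozen=True)
class Tier:
    decision_maker: str        # who owns decisions at this severity
    notify: Tuple[str, ...]    # who is told, and when (hours from declaration)
    notify_within_hours: int
    out_of_band: str           # contact route usable if the corporate network is down


# Hypothetical severity matrix: (impact, scope) -> base severity.
_MATRIX: Dict[Tuple[str, str], Severity] = {
    ("minor", "single_host"): Severity.LOW,
    ("minor", "department"): Severity.LOW,
    ("minor", "enterprise"): Severity.MEDIUM,
    ("moderate", "single_host"): Severity.MEDIUM,
    ("moderate", "department"): Severity.HIGH,
    ("moderate", "enterprise"): Severity.HIGH,
    ("major", "single_host"): Severity.HIGH,
    ("major", "department"): Severity.CRITICAL,
    ("major", "enterprise"): Severity.CRITICAL,
}

# Hypothetical escalation table: decision-maker, notifications and deadline per tier.
ESCALATION: Dict[Severity, Tier] = {
    Severity.LOW: Tier("SOC shift lead", ("SOC",), 24, "SOC shift lead mobile"),
    Severity.MEDIUM: Tier("IR team lead", ("SOC", "IT operations"), 8, "IR lead mobile"),
    Severity.HIGH: Tier("CISO", ("IR team", "Legal", "Communications"), 2, "CISO mobile"),
    Severity.CRITICAL: Tier(
        "CEO / crisis committee",
        ("IR team", "Legal", "Communications", "Board", "External forensics retainer"),
        1,
        "Crisis conference bridge",
    ),
}


def classify(incident: Incident) -> Severity:
    """Map an incident to a severity tier; regulated data raises it one level."""
    try:
        sev = _MATRIX[(incident.impact, incident.scope)]
    except KeyError:
        raise ValueError(f"unknown impact/scope: {incident.impact}/{incident.scope}")
    if incident.regulated_data and sev < Severity.CRITICAL:
        sev = Severity(sev + 1)
    return sev


def escalation_for(incident: Incident) -> dict:
    """Return the decision-maker, notification list and deadline for an incident."""
    tier = ESCALATION[classify(incident)]
    return {
        "severity": classify(incident).name,
        "decision_maker": tier.decision_maker,
        "notify": list(tier.notify),
        "notify_within_hours": tier.notify_within_hours,
    }


def plan_gaps(escalation: Dict[Severity, Tier]) -> List[str]:
    """Review check: every tier needs an owner, an out-of-band route, and a
    notification deadline that does not loosen as severity rises."""
    gaps: List[str] = []
    prev_deadline = None
    for sev in sorted(Severity):
        tier = escalation.get(sev)
        if tier is None:
            gaps.append(f"{sev.name}: no escalation tier defined")
            continue
        if not tier.decision_maker:
            gaps.append(f"{sev.name}: no decision maker")
        if not tier.out_of_band:
            gaps.append(f"{sev.name}: no out-of-band contact route")
        if prev_deadline is not None and tier.notify_within_hours > prev_deadline:
            gaps.append(f"{sev.name}: notification deadline looser than lower severity")
        prev_deadline = tier.notify_within_hours
    return gaps


if __name__ == "__main__":
    # Constructed sample incident: a moderate, department-wide exposure of regulated data.
    sample = Incident("data_exposure", "moderate", "department", regulated_data=True)
    print(escalation_for(sample))
    print("plan gaps:", plan_gaps(ESCALATION) or "none")
```

The point of `plan_gaps` is the annual review described later on this page: it is the kind of mechanical check that catches a tier whose decision-maker left in a reorganization or whose only contact route runs through the very network that may be compromised.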


Why Do I Need an Incident Response Plan? 

None of us can make the best decisions in a stressful situation. Having a solid and tested incident response plan ensures that everyone understands the decisions that need to be made, who needs to be involved, and the criteria for those decisions. It also helps alleviate the stress in a complicated situation.

Every company should have an Incident Response Plan so that they are not making it up as they go along. They can focus on resolving the incident rather than figuring out the next steps to take, who should be notified, or which resources have the skills needed.

Reviewing and Testing the Incident Response Plan

Plans should be updated at least annually (or whenever a significant reorganization occurs) to ensure the correct stakeholders, decision-makers, and resources are identified. Plans should also be tested annually.

Testing the plan can be led by internal or external resources; many cybersecurity companies provide this service. In a "table-top" exercise, a scenario is chosen and the facilitator works from a "script" of events that could unfold along the way, while the team that would normally be in the room follows the plan and works to respond to the incident.

This will point out things that need updating, missing resources, or gaps in the plan. It also helps the Incident Response Team be more prepared for an actual breach, understanding roles and responsibilities, impacts, and the criticality of responding correctly.

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at (952) 836-2770 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.


Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.