Incident Response Plan Template
Organization: [Your Organization Name]
Version: 1.0
Last Updated: [Date]
Plan Owner: [Name/Title]
Next Review Date: [Date -- must be reviewed at least annually]
1. Purpose and Scope
Purpose
This Incident Response Plan (IRP) establishes the procedures and responsibilities for detecting, responding to, containing, and recovering from cybersecurity incidents affecting [Organization Name].
Scope
This plan applies to:
- All information systems owned, operated, or managed by [Organization Name]
- All employees, contractors, and third-party service providers
- All data classifications (public, internal, confidential, restricted)
- All facilities and remote work environments
Objectives
- Minimize damage and reduce recovery time and costs
- Preserve evidence for potential legal proceedings
- Comply with regulatory notification requirements
- Identify root causes and implement preventive measures
- Maintain stakeholder confidence through effective communication
2. Incident Response Team
Team Structure
| Role | Primary | Backup | Contact |
|---|---|---|---|
| IR Manager | [Name] | [Name] | [Phone/Email] |
| Lead Analyst | [Name] | [Name] | [Phone/Email] |
| Network Analyst | [Name] | [Name] | [Phone/Email] |
| Systems Analyst | [Name] | [Name] | [Phone/Email] |
| Communications Lead | [Name] | [Name] | [Phone/Email] |
| Legal Counsel | [Name] | [Name] | [Phone/Email] |
| HR Representative | [Name] | [Name] | [Phone/Email] |
| Executive Sponsor | [Name] | [Name] | [Phone/Email] |
External Resources
| Resource | Company | Contact | Retainer? |
|---|---|---|---|
| Forensics Provider | [Company] | [Contact] | Yes/No |
| Legal (Breach Counsel) | [Firm] | [Contact] | Yes/No |
| Cyber Insurance | [Carrier] | [Policy #] | Yes |
| Law Enforcement | [Agency] | [Contact] | N/A |
| PR/Crisis Communications | [Agency] | [Contact] | Yes/No |
3. Incident Classification
Severity Levels
| Level | Name | Description | Response Time | Escalation |
|---|---|---|---|---|
| SEV-1 | Critical | Active breach, ransomware, business-critical systems down | Immediate | Executive, Legal, External IR |
| SEV-2 | High | Confirmed compromise, sensitive data at risk | 1 hour | IR Manager, CISO |
| SEV-3 | Medium | Suspicious activity confirmed, limited scope | 4 hours | IR Team Lead |
| SEV-4 | Low | Security event, no confirmed malicious activity | 24 hours | On-call analyst |
Incident Categories
- [ ] Malware/Ransomware
- [ ] Phishing/Social Engineering
- [ ] Unauthorized Access
- [ ] Data Exfiltration/Breach
- [ ] Insider Threat
- [ ] Denial of Service
- [ ] Web Application Attack
- [ ] Physical Security Breach
- [ ] Supply Chain Compromise
- [ ] Other: ___
4. Detection and Reporting
Detection Sources
- SIEM alerts
- EDR/antivirus alerts
- IDS/IPS alerts
- User reports (via [reporting mechanism])
- Third-party notifications
- Threat intelligence feeds
- Audit log reviews
Reporting Procedures
- Any employee who suspects a security incident must report it immediately to [reporting channel]
- The on-call analyst will perform initial triage within [X] minutes
- If confirmed as an incident, the on-call analyst assigns a severity level and notifies the IR Manager
- The IR Manager activates the appropriate response team based on severity
5. Response Procedures
Phase 1: Containment
Short-term containment (immediate actions):
- [ ] Isolate affected systems from the network
- [ ] Block known malicious indicators at the perimeter
- [ ] Disable compromised accounts
- [ ] Preserve volatile evidence (memory dumps, network connections)
- [ ] Activate out-of-band communications
- [ ] Notify IR team and stakeholders per escalation matrix
Long-term containment (stabilization):
- [ ] Move affected systems to isolated analysis network
- [ ] Deploy additional monitoring on adjacent systems
- [ ] Implement temporary security controls
- [ ] Begin detailed forensic investigation
- [ ] Document all containment actions with timestamps
Phase 2: Eradication
- [ ] Identify all compromised systems using IOCs from investigation
- [ ] Remove malware, backdoors, and attacker tools
- [ ] Close attack vectors (patch vulnerabilities, revoke credentials)
- [ ] Eliminate persistence mechanisms
- [ ] Verify eradication through comprehensive scanning
- [ ] Update IOCs and detection rules
Phase 3: Recovery
- [ ] Restore systems from verified clean backups
- [ ] Rebuild compromised systems from known-good images
- [ ] Reset all potentially compromised credentials
- [ ] Restore network connectivity in phases
- [ ] Validate system functionality before returning to production
- [ ] Implement enhanced monitoring (minimum 30 days)
- [ ] Document recovery timeline and actions
6. Communication Procedures
See the accompanying Communication Plan for detailed procedures.
Internal Notifications
| Audience | Method | Frequency | Owner |
|---|---|---|---|
| Executive Team | Direct call + email | Every 2 hrs (SEV-1) | IR Manager |
| IT Staff | Secure channel | As needed | Lead Analyst |
| All Employees | Internal comms | Post-containment | Communications Lead |
| Board of Directors | Executive briefing | Within 24 hrs (SEV-1) | Executive Sponsor |
External Notifications
| Audience | Trigger | Timeline | Owner |
|---|---|---|---|
| Cyber Insurance | Any covered incident | Per policy | Legal |
| Law Enforcement | Criminal activity | 24-72 hours | Legal |
| Regulators | Per applicable law | Per regulation | Legal |
| Affected Individuals | PII/PHI breach | Per applicable law | Legal + Communications |
| Business Partners | Shared data affected | Per contract | Account Management |
7. Evidence Handling
Chain of Custody
All evidence must be handled following forensic best practices:
1. Document who collected what, when, where, and how
2. Calculate and record hash values (MD5 + SHA-256) for all evidence
3. Store evidence in a secure, access-controlled location
4. Maintain a detailed evidence log
5. Use write blockers when imaging physical media
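The hashing and evidence-log steps above, as an added example that is not part of this template: each evidence item is hashed with MD5 and SHA-256, a who/what/when/where/how entry is appended to a JSON-lines evidence log, and the digests are re-checked later to confirm the item was not altered after collection. The sample file, the analyst name and the location string are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images do not exhaust memory

def hash_file(path: str) -> dict:
    """Return MD5 and SHA-256 hex digests of the file at path (section 7, step 2)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def record_evidence(log_path: str, path: str, collector: str, location: str, method: str) -> dict:
    """Hash one evidence item and append a who/what/when/where/how entry to the JSON-lines log."""
    entry = {
        "collected_at": datetime.now(timezone.utc).isoformat(),  # when
        "collector": collector,                                   # who
        "item": os.path.basename(path),                           # what
        "size_bytes": os.path.getsize(path),
        "location": location,                                     # where
        "method": method,                                         # how
        **hash_file(path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(path: str, entry: dict) -> bool:
    """Re-hash the item and confirm both digests still match the logged values."""
    return hash_file(path) == {"md5": entry["md5"], "sha256": entry["sha256"]}

def demo() -> dict:
    """Run the workflow on a constructed sample file; returns the log entry and both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "host01-memory.raw")  # constructed sample, not a real dump
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        entry = record_evidence(os.path.join(tmp, "evidence-log.jsonl"), sample,
                                "J. Analyst", "Server room A, rack 3", "memory capture")
        intact = verify_evidence(sample, entry)
        with open(sample, "ab") as fh:  # simulate a modification after collection
            fh.write(b"!")
        return {"entry": entry, "intact": intact, "intact_after_change": verify_evidence(sample, entry)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is append-only so each collection or transfer adds a new dated entry rather than editing an old one; a mismatch from verify_evidence is the signal to investigate the custody record before the item is relied on.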
Retention Schedule
| Evidence Type | Retention | Storage |
|---|---|---|
| Forensic images | 7 years | Encrypted offline storage |
| Log files | 3 years | Secure archive |
| Incident reports | 7 years | Document management system |
| Communications | 3 years | Secure archive |
8. Post-Incident Review
A formal post-incident review meeting will be held within 5 business days of incident closure.
See post-incident-review.md template for the meeting agenda and report format.
9. Plan Maintenance
| Activity | Frequency | Responsible |
|---|---|---|
| Plan review and update | Annually (minimum) | IR Manager |
| Contact information update | Monthly | IR Manager |
| Tabletop exercise | Quarterly | IR Manager |
| Full simulation | Annually | IR Manager + Executive Sponsor |
| Training for new IRT members | Within 30 days of assignment | IR Manager |
10. Approval
| Name | Title | Signature | Date |
|---|---|---|---|
| [Name] | [CEO/Executive] | ___ | _ |
| [Name] | [CISO/IT Director] | ___ | _ |
| [Name] | [Legal Counsel] | ___ | _ |
Appendices
- Appendix A: Contact List (maintained separately, updated monthly)
- Appendix B: Network Diagrams
- Appendix C: Critical Asset Inventory
- Appendix D: Regulatory Notification Requirements by State
- Appendix E: Incident Response Retainer Details
Template provided by Petronella Technology Group. For professional incident response services, contact us at 919-348-4912.