Incident Response Plan for {{COMPANY_NAME}}

Author: {{AUTHOR_NAME}}, {{AUTHOR_EMAIL}}

Revision {{REVISION_NUMBER}}, Released {{RELEASE_DATE}}

This incident response plan is based on the concise, directive, specific, flexible, and free plan available on Counteractive Security’s Github and discussed at www.counteractive.net

It was last reviewed on {{REVIEW_DATE}}. It was last tested on {{TEST_DATE}}.

TODO: Customize this plan template for your organization using instructions at https://github.com/counteractive/incident-response-plan-template. For incident response services, or help customizing, implementing, or testing your plan, contact us at contact@counteractive.net or at (888) 925-5765.

Assess

1. Stay calm and professional.
2. Gather pertinent information, e.g., alarms, events, data, assumptions, intuitions (observe).
3. Consider impact categories, below (orient), and determine if there is a possible incident (decide):
4. Initiate a response if there is an incident (act). If in doubt, initiate a response. The incident commander and response team can adjust upon investigation and review.

Assess Functional Impact

What is the direct or likely impact on your mission? (e.g., business operations, employees, customers, users)

• Mission/business degradation or failure: incident!
• None: assess information impact.

Assess Information Impact

What is the direct or likely impact on your information/data, particularly anything sensitive? (e.g., PII, proprietary, financial, or healthcare data)

• Information accessed, taken, changed, or deleted: incident!
• None: handle via non-incident channels (e.g., support ticket).

Every team member is empowered to start this process. If you see something, say something.

TODO: Customize categories/severities as necessary. This simple example (incident vs. no incident) is based on impact categories in NIST SP 800-61r2.

Initiate Response

Name the Incident

Create an simple two-word phrase to refer to the incident—a codename—to use for the incident file and channel(s). TODO: Customize incident naming procedure.

Assemble the Response Team

1. Page the on-duty/on-call Incident Commander. TODO: Add Incident Commander call list or procedure
2. Do not discuss the incident outside the response team unless cleared by the Incident Commander
3. Launch and/or join the response chat at {{RESPONSE_CHAT}}. TODO: Add response chat launch procedure.
4. Launch and/or join the response call at {{RESPONSE_PHONE}} and/or {{RESPONSE_VTC}}. TODO: Add response call launch procedure.
5. Prefer voice call, chat, and secure file exchange over any other methods.
6. Do not use primary email if possible. If email is necessary, use sparingly or use {{ALTERNATE_EMAIL}}. Encrypt emails when any participant is outside the {{ORGANIZATION_DOMAIN}} domain. TODO: Add alternative email details and procedure, e.g., on-demand Office 365 or GSuite
7. Do not use SMS/text to communicate about the incident, unless to tell someone to move to a more secure channel.
8. Invite on-duty/on-call responders to the response call and response chat.
   • Invite the security team. TODO: Add security team contact list or procedure.
   • Invite a SME for affected teams and systems. TODO: Add team SME contact list or procedure.
   • Invite executive stakeholders and legal counsel at earliest opportunity, but prioritize operational responders. TODO: Add executive stakeholder contact list or procedure.
9. OPTIONAL: Establish an in-person collaboration room (“war room”) for complex or severe incidents. TODO: Add collaboration room procedure.

Reference: Response Team Structure

• Command Team
  • Incident Commander
  • Deputy Incident Commander
  • Scribe
• Liaison Team
  • Internal Liaison
  • External Liaison
• Operations Team
  • Subject Matter Experts (SMEs) for Systems
  • SMEs for Teams/Business Units
  • SMEs for Executive Functions (e.g., Legal, HR, Finance)

TODO: Modify role structure as necessary.

Reference: Response Team Contact Information

TODO: Customize response team contact information. Include contact procedures in rosters, which can be static or dynamic.

Establish Battle Rhythm

Conduct Initial Response Call

1. Conduct initial call using the initial response call structure
2. Follow instructions from the Incident Commander. If the on-duty/on-call Incident Commander does not join the call within {{INCIDENT_COMMANDER_RESPONSE_SLA}} and you are a trained incident commander, take command of the call.
3. Follow the instructions for your role.
4. Follow the call and chat, and comment as appropriate. If you are not a SME, filter input through the SME for your team if possible.
5. Keep the call and chat active throughout the incident for event-driven communication.
6. Schedule updates every {{UPDATE_FREQUENCY}} on the active bridge.

Reference: Initial Response Call Structure

• INCIDENT COMMANDER (IC): My name is [NAME], I am the Incident Commander. I have designated [NAME] as Deputy, and [NAME] as Scribe. Who is on the call?
• SCRIBE: [Takes attendance]
• IC: [If missing key personnel] Deputy, please page [MISSING PERSONNEL].
• IC: [Asks questions to understand situation, symptoms, scope, vector, impact, and timeline from the incident reporter, applicable SMEs for systems and business units]
• SMEs: [Brief answers to IC’s questions]
• IC:[If this is an incident]:
  • At this time, the incident summary is as follows: [reiterates summary]. The Investigation team will be led by [NAME], the Remediation team will be led by [NAME], and the Communication team will be led by [NAME]. They will coordinate team membership and report to me. SMEs, please report to your appropriate team leader.
  • What investigation, remediation, or communication steps have already been taken? [this should be a short list, but needs to come out now]
  • This call and chat will remain up and available until incident closure, please use it for all incident related communications. Provide real-time status updates in the chat, if possible. Are there any questions or remaining inputs? [answers questions]
  • Team leaders, please proceed with your planned actions. We will reconvene at [UPDATE_TIME] to discuss the status. Thank you.
• IC: [If this is not an incident]: At this time, these facts do not rise to the level of an incident. I will coordinate directly with the incident reporter for follow-on action