Revision {{REVISION_NUMBER}}, Released {{RELEASE_DATE}}
Incident Response Plan for {{COMPANY_NAME}}
Author: {{AUTHOR_NAME}}, {{AUTHOR_EMAIL}}
This incident response plan is based on the concise, directive, specific, flexible, and free plan available on Counteractive Security's GitHub and discussed at www.counteractive.net.
It was last reviewed on {{REVIEW_DATE}}. It was last tested on {{TEST_DATE}}.
TODO: Customize this plan template for your organization using instructions at https://github.com/counteractive/incident-response-plan-template. For incident response services, or help customizing, implementing, or testing your plan, contact us at contact@counteractive.net or at (888) 925-5765.
Consider impact categories, below (orient), and determine if there is a possible incident (decide):
Initiate a response if there is an incident (act). If in doubt, initiate a response. The incident commander and response team can adjust upon investigation and review.
Assess Functional Impact
What is the direct or likely impact on your mission? (e.g., business operations, employees, customers, users)
Mission/business degradation or failure: incident!
None: assess information impact.
Assess Information Impact
What is the direct or likely impact on your information/data, particularly anything sensitive? (e.g., PII, proprietary, financial, or healthcare data)
Information accessed, taken, changed, or deleted: incident!
None: handle via non-incident channels (e.g., support ticket).
Every team member is empowered to start this process. If you see something, say something.
TODO: Customize categories/severities as necessary. This simple example (incident vs. no incident) is based on impact categories in NIST SP 800-61r2.
Initiate Response
Name the Incident
Create a simple two-word phrase (a codename) to refer to the incident, and use it for the incident file and channel(s). TODO: Customize incident naming procedure.
Assemble the Response Team
Page the on-duty/on-call Incident Commander. TODO: Add Incident Commander call list or procedure.
Do not discuss the incident outside the response team unless cleared by the Incident Commander.
Launch and/or join the response chat at {{RESPONSE_CHAT}}. TODO: Add response chat launch procedure.
Launch and/or join the response call at {{RESPONSE_PHONE}} and/or {{RESPONSE_VTC}}. TODO: Add response call launch procedure.
Prefer voice call, chat, and secure file exchange over any other methods.
Do not use primary email if possible. If email is necessary, use it sparingly or use {{ALTERNATE_EMAIL}}. Encrypt emails when any participant is outside the {{ORGANIZATION_DOMAIN}} domain. TODO: Add alternative email details and procedure, e.g., on-demand Office 365 or GSuite.
Do not use SMS/text to communicate about the incident, unless to tell someone to move to a more secure channel.
Invite on-duty/on-call responders to the response call and response chat.
Invite the security team. TODO: Add security team contact list or procedure.
Invite a SME for affected teams and systems. TODO: Add team SME contact list or procedure.
Invite executive stakeholders and legal counsel at earliest opportunity, but prioritize operational responders. TODO: Add executive stakeholder contact list or procedure.
OPTIONAL: Establish an in-person collaboration room (“war room”) for complex or severe incidents. TODO: Add collaboration room procedure.
Follow instructions from the Incident Commander. If the on-duty/on-call Incident Commander does not join the call within {{INCIDENT_COMMANDER_RESPONSE_SLA}} and you are a trained incident commander, take command of the call.
IC: [Asks questions to understand the situation, symptoms, scope, vector, impact, and timeline from the incident reporter and the applicable SMEs for systems and business units]
SMEs: [Brief answers to IC's questions]
IC: [If this is an incident]:
At this time, the incident summary is as follows: [reiterates summary]. The Investigation team will be led by [NAME], the Remediation team will be led by [NAME], and the Communication team will be led by [NAME]. They will coordinate team membership and report to me. SMEs, please report to your appropriate team leader.
What investigation, remediation, or communication steps have already been taken? [this should be a short list, but needs to come out now]
This call and chat will remain up and available until incident closure; please use them for all incident-related communications. Provide real-time status updates in the chat, if possible. Are there any questions or remaining inputs? [answers questions]
Team leaders, please proceed with your planned actions. We will reconvene at [UPDATE_TIME] to discuss the status. Thank you.
IC: [If this is not an incident]: At this time, these facts do not rise to the level of an incident. I will coordinate directly with the incident reporter for follow-on action.