Incident Response Plan for {{COMPANY_NAME}}

Author: {{AUTHOR_NAME}}, {{AUTHOR_EMAIL}}

Revision {{REVISION_NUMBER}}, Released {{RELEASE_DATE}}

This incident response plan is based on the concise, directive, specific, flexible, and free plan available on Counteractive Security’s GitHub and discussed at www.counteractive.net.

It was last reviewed on {{REVIEW_DATE}}. It was last tested on {{TEST_DATE}}.

TODO: Customize this plan template for your organization using instructions at https://github.com/counteractive/incident-response-plan-template. For incident response services, or help customizing, implementing, or testing your plan, contact us at contact@counteractive.net or at (888) 925-5765.

Assess

  1. Stay calm and professional.
  2. Gather pertinent information, e.g., alarms, events, data, assumptions, intuitions (observe).
  3. Consider the impact categories below (orient), and determine whether there is a possible incident (decide).
  4. Initiate a response if there is an incident (act). If in doubt, initiate a response. The incident commander and response team can adjust upon investigation and review.

Assess Functional Impact

What is the direct or likely impact on your mission? (e.g., business operations, employees, customers, users)

Assess Information Impact

What is the direct or likely impact on your information/data, particularly anything sensitive? (e.g., PII, proprietary, financial, or healthcare data)

Every team member is empowered to start this process. If you see something, say something.

TODO: Customize categories/severities as necessary. This simple example (incident vs. no incident) is based on impact categories in NIST SP 800-61r2.

Initiate Response

Name the Incident

Create a simple two-word phrase to refer to the incident—a codename—to use for the incident file and channel(s). TODO: Customize incident naming procedure.

Assemble the Response Team

  1. Page the on-duty/on-call Incident Commander. TODO: Add Incident Commander call list or procedure.
  2. Do not discuss the incident outside the response team unless cleared by the Incident Commander.
  3. Launch and/or join the response chat at {{RESPONSE_CHAT}}. TODO: Add response chat launch procedure.
  4. Launch and/or join the response call at {{RESPONSE_PHONE}} and/or {{RESPONSE_VTC}}. TODO: Add response call launch procedure.
  5. Prefer voice call, chat, and secure file exchange over any other methods.
  6. Do not use primary email if possible. If email is necessary, use it sparingly or use {{ALTERNATE_EMAIL}}. Encrypt emails when any participant is outside the {{ORGANIZATION_DOMAIN}} domain. TODO: Add alternative email details and procedure, e.g., on-demand Office 365 or GSuite.
  7. Do not use SMS/text to communicate about the incident, unless to tell someone to move to a more secure channel.
  8. Invite on-duty/on-call responders to the response call and response chat.
  9. OPTIONAL: Establish an in-person collaboration room (“war room”) for complex or severe incidents. TODO: Add collaboration room procedure.

Reference: Response Team Structure

TODO: Modify role structure as necessary.

Reference: Response Team Contact Information

Response Team Role            Contact Information
Incident Commander pager      {{INCIDENT_COMMANDER_PAGER_NUMBER}}
Incident Commander pager URL  {{INCIDENT_COMMANDER_PAGER_URL}}
Incident Commander roster     {{INCIDENT_COMMANDER_ROSTER}}
Security team roster          {{SECURITY_TEAM_ROSTER}}
Team SME roster               {{TEAM_SME_ROSTER}}
Executive roster              {{EXECUTIVE_ROSTER}}

TODO: Customize response team contact information. Include contact procedures in rosters, which can be static or dynamic.

Establish Battle Rhythm

Conduct Initial Response Call

  1. Conduct the initial call using the initial response call structure.
  2. Follow instructions from the Incident Commander. If the on-duty/on-call Incident Commander does not join the call within {{INCIDENT_COMMANDER_RESPONSE_SLA}} and you are a trained incident commander, take command of the call.
  3. Follow the instructions for your role.
  4. Follow the call and chat, and comment as appropriate. If you are not an SME, filter input through the SME for your team if possible.
  5. Keep the call and chat active throughout the incident for event-driven communication.
  6. Schedule updates every {{UPDATE_FREQUENCY}} on the active bridge.

Reference: Initial Response Call Structure