Incident Response Plan 101: Building It, Templates & Examples

Preparing a Cybersecurity Incident Response Plan: Your Essential Checklist

July 27, 2018


Reading time
6 mins

The purpose of a cybersecurity incident response plan is to help your organization respond to security incidents quickly and efficiently. In the event of a security incident, having a comprehensive incidence response plan in place will help to minimize damage to your organization, as well as mitigate the risks and impacts of a security breach. Using the checklist in this blog will help you to better prepare for a security incident and ensure your incident response plan is complete and up-to-date.

An effective cybersecurity incident response  (IR) plan should codify all the steps required to detect and react to cybersecurity incidents, determine the scope and risks, and provide the steps for a rapid and thorough response. An executable, step-by-step plan will make your response faster and more orderly (versus haphazard or frenzied, which is often the case), and will allow your teams to avoid mistakes that could cause damage to your organization, customers, and brand. Your IR plan should also determine how you will communicate to your stakeholders across all business units and geographies about the risks of an incident, as well as communicating the results of your security response.

Ensure your incident response plan does not have any disastrous gaps

Unfortunately, many organizations don’t have a solid cybersecurity incident response plan in place, or if they do, it is ineffective. A study by McKinsey noted several critical shortfalls commonly encountered in IR plans: “First, the documentation of how to act in the event of a breach may be out-of-date. The documentation is often also generic and not useful for guiding specific activities during a crisis.” McKinsey goes on to review that organizations develop their incident response plans in silos, which limits their effectiveness in managing an incident across the entire organization. Finally, McKinsey’s analysts say decision-making is often based on tribal knowledge and existing relationships, because IR plans aren’t documented properly, and the responses are poorly thought out.

You can address these incident response shortfalls by defining a sound security methodology that is codified in a detailed plan that’s designed for risk identification, decision-making, and escalation paths across the entire organization. (NIST has done a great deal of work to develop a framework for creating a good cybersecurity incident response plan.)

Exabeam has combined our research and experience working with customers around the world, with the best practices from to create an essential IR plan checklist designed to thoroughly prepare your teams for their security incident response.

Additionally, with cyber threats growing in number and sophistication, you should consider creating a computer security incident response team (CSIRT), which is a specialized group that responds to security incidents when they occur. The responsibility for creating and maintaining an incident response plan typically lies with the CSIRT.

Complete your Cybersecurity Incident Response Preparation Checklist

1. ___ Understand your incident response methodology: Clearly laying out a methodology that is aligned to an industry standard, such as NIST, allows new hires or less-senior staff members to understand the process and make your incident response orderly and repeatable. This methodology should include the key stages of incident response, such as:
• Containment – This should occur only if the indications observed during the Identification stage conclusively shows that an incident has or is occurring. The primary goal is to minimize the breadth of the incident and isolate it from causing wide-spread damage.
• Preservation – The process of gathering all the artifacts and details of the breach for further analysis of origin, impact, and intentions.
• Eradication – The stage in the process when infected files are fully deleted or the system(s) is restored to its normal operational state. This may involve replacement of hardware.
• Recovery – This involves returning the systems back to normal.
• Follow-up – This requires performing a post-incident analysis to document exactly what happened and when.

2 __ Understand your stakeholders: Who will be involved in incident response? This can span from IT to security, legal to HR, to an executive sponsor. Each department plays a unique role depending on the incident. Who has the “stop work” authority. Consider the example of a web application layer attack, which was allowing malicious code to reach the back-end systems of a major bank. Who has the power to decide to bring down the bank’s website if the security team has determined such a drastic step is warranted to stop the attack?

3. ___ Understand organizational roles and responsibilities: Who is the incident commander? Who launches the incident response plan?

4. ___ Ensure contact information for each involved primary and secondary stakeholder is recorded in the IR plan: This will overcome any tribal of knowledge and limit the possibility for a single point of failure.

5. ___ Understand how you will work the incident: What systems will the team use to preserve information during the incident? What information must they collect during the incident? Understand how you will contact others during incident: What backup lines of communication do you have? Is it out of band? Is it encrypted? If your data center is compromised, how will you make calls, emails, or work the incident?

6. ___ Understand what an incident is: What defines an incident? What kinds of incidents could occur? When do you launch the incident response plan? What warrants the incident response plan?

7. ___ Understand an incident’s severity: What is the defined criteria that defines the difference between a Critical, High, Medium, or Low severity incident? What is the target response time for each?

8. ___ Map out your incident response workflow between different stakeholders: When is IT involved? When is HR involved? When is legal involved? When are the authorities involved?

9. ___ If third parties are on retainer for incidents, understand when to involve them: This includes incident response retainers as well as cybersecurity insurance providers. Include contact information, pricing information (if applicable), and SLAs in terms of boots on the ground. When is it justified to enlist their support?

Following this checklist will simplify and fill in the gaps of your cybersecurity incident response plan, so in the event of a security incident, your teams can response faster and more efficiently—reducing the threats and impacts to your organization.

Further Reading

Similar Posts

Unmasking Insider Threats Isn’t Just a U.S. Intelligence Agency Problem

Insider Threats: What Banks Don’t Know Can Definitely Hurt Them

The 4 Steps to a Phishing Investigation

Recent Posts

Embracing Change and Growth in Cybersecurity Leadership: Insights from a CISO

Exabeam News Wrap-up – June 1, 2023

Unveiling Anomalies — Strengthening Bank Security With Behavioral Analytics

See How New-Scale SIEM™ Works

New-Scale SIEM lets you:
 • Ingest and monitor data at cloud-scale
 • Baseline normal behavior
 • Automatically score and profile user activity
 • View pre-built incident timelines
 • Use playbooks to make the next right decision

Request a demo of the industry’s most powerful platform for threat detection, investigation, and response (TDIR).

Get a demo today!