5 Things You Must Add to Your Incident Response Plan

Incident response is a process designed for detecting, identifying, and negating security incidents. An incident is any attempted or successful attack as well as any breach of security policy, compliance regulation, or the law.

Fast incident response can help you prevent the loss of assets, minimize attack damage, and reduce downtime of affected systems. Without incident response, attacks are likely to turn into expensive data breaches or to go unnoticed until it’s too late.

When implemented correctly, incident response decreases your risk and can help you prevent incidents in the first place. In this article, you will learn about the importance of an incident response plan (IRP) and the five most important components of any IRP.

Reasons You Must Put Together an Incident Response Plan

An incident response plan (IRP) is a set of documented policies and plans, outlining how the incident response should occur. It includes the roles and responsibilities of team members and explicitly outlines steps to be taken to detect and respond to incidents.

IRPs inform relevant stakeholders of your plans and help ensure coordination and collaboration when an attack is suspected. Stakeholders may include legal advisors, executives, PR staff, security and operations teams, and board members.

There are many reasons why you must have a strong incident response plan in place. Here are the most compelling:

1) Emergency preparation

Fast response in high-stress situations depends on planning and training. To ensure a smooth and successful response, you need to have a plan in place.

2) Standardization

A plan helps responders prioritize their time and ensures that actions aren’t conflicting. Additionally, plans outline clear response actions that can be followed by any team member, eliminating response bottlenecks.

3) Coordination

A plan helps ensure that responders are working in sync and not taking actions that impede others or the response process.

4) Vulnerability exposure

The preparation stage of creating an IRP helps expose vulnerabilities in your systems, solutions, and policies. It also requires you to address these gaps before an incident occurs.

5) Knowledge preservation

A plan ensures that knowledge of response practices and techniques is retained over time. The feedback loops inherent in IRPs also ensure that response knowledge is honed with each use of the plan.

6) Practice

When used for practice drills, IRPs help cement responsibilities and actions in responders. When responders are already familiar with their expected actions and duties, they can respond more quickly and calmly during a real incident.

7) Documentation and accountability

IRPs typically include outlines for documentation and an evidence chain of custody. These ensure that the response can be reviewed afterward, facilitate prosecution if the attacker is caught, and are needed to meet compliance standards.




5 Things You Must Add to Your Incident Response Plan

What goes into your incident response plan depends on the type of systems or data you are protecting, and who your responders are. Regardless of these factors, however, there are certain things you should always add.

1. Communications List

This list helps you define how your team communicates during a response as well as who is responsible for what communications. Clearly laying out roles and responsibilities with this list can help you ensure that information flows smoothly and that all stakeholders are notified appropriately.

In this list, you should include contact information, timing and disclosure limits, and what to do if someone is not available. Creating response templates can also help ensure that communications are clear and standardized.


2. Playbooks

Playbooks are documents outlining processes and procedures. You can use playbooks as instruction manuals during your response to help team members reliably perform technical tasks, for example, how to decommission compromised machines while preserving forensic data, or how to restore backups from the cloud.

You can integrate playbooks with automation tools, enabling a responder to simply start a process from a playbook. You can also use playbooks to help guide responders who are temporarily filling the shoes of an absent or otherwise unavailable team member.


3. Practice

Once your plan is developed, you need to schedule a time to practice your responses. The most effective way to do this is with unplanned drills, which help simulate the stress of a real incident. These drills should include all relevant parties, including information security and technology teams, and public relations, legal, and senior leadership responders.

As part of this practice, you might also want to reach out to third-party players, such as representatives of vital vendors or law enforcement contacts, to reinforce communication lines and maintain partnerships.

Practice runs can help you build and grow relationships between team members with otherwise separate business functions. These relationships can foster trust between team members and facilitate cooperation and collaboration. Practice also helps responders familiarize themselves with their responsibilities. Having performed processes in practice can help reduce stress and mistakes during actual responses.


4. Forensic Analysis Procedures

Forensic analysis procedures outline how evidence should be identified, classified, and handled. These procedures should also contain information about likely sources of evidence, who has access permissions to sources, and how to ensure a chain of custody. Evidence collection and forensic analysis need to occur before, during, and after responses.

If you are relying on third parties to perform forensic tasks, make sure that you have the proper roles and user permissions established for them. You should also make sure that you define how to contact them when needed and what kind of response time you should expect.
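
One way to make the chain of custody described above tamper-evident, shown as an added example that is not part of the original article: each custody event records the evidence's SHA-256 and the hash of the previous log entry. The function names, field names, and sample evidence are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in a log

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Hash a canonical JSON form of every field except the entry's own hash.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(log, evidence, item_id, handler, action, timestamp):
    """Record one custody event, linked to the previous entry's hash."""
    entry = {
        "item_id": item_id,
        "evidence_sha256": sha256_hex(evidence),
        "handler": handler,
        "action": action,
        "timestamp": timestamp,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def verify_log(log, evidence_by_id):
    """Return a list of problems; an empty list means the log checks out."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record was altered")
        current = evidence_by_id.get(entry["item_id"], b"")
        if sha256_hex(current) != entry["evidence_sha256"]:
            problems.append(f"entry {i}: evidence missing or changed")
        prev = entry["entry_hash"]
    return problems

def demo_log():
    # Constructed sample: one evidence item collected, then handed over.
    image = b"constructed sample disk image bytes"
    log = []
    append_entry(log, image, "EV-001", "responder-a", "collected", "2024-01-01T10:00:00Z")
    append_entry(log, image, "EV-001", "analyst-b", "received", "2024-01-01T11:30:00Z")
    return log, {"EV-001": image}
```

The chain only detects edits if the latest entry hash is also kept somewhere the log's editors cannot rewrite, such as a signed ticket or write-once storage.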


5. Retrospectives

Clearly defining a retrospective phase of your plan helps ensure that feedback is actually reviewed and incorporated. If you do not make the response review part of the official plan, it is likely to be put off or overlooked as team members try to make up for time lost to the response.

Create a structured review process that is short and to the point. This process should include a review of what went well, what didn’t go well, any bottlenecks your team experienced, and what feedback they have for improving future processes. You can then apply this information to refining your procedures and replacing faulty processes or tooling.

Reviewing after each response helps you ensure that the maximum number of situations are planned for. It also ensures that your plan stays relevant and up to date.


Incident response is a crucial element of your cybersecurity efforts. The more organized your response methodology is, the better you’ll be able to take charge during incidents. Of course, you can’t plan for any and every event, and you are bound to encounter new hacking techniques.

However, you can prepare for the unknown by expecting it and practicing in advance. Once a scenario actually happens, even if it’s something new, you’ll be prepared with an appropriate response.


Published on Mar 4, 2020
Written by Gilad David Maayan
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.

