Incident Response Plan Template
A customizable incident response plan covering all six phases. Adapt this template to your organization's size, industry, and regulatory requirements.
Disclaimer: This template is provided for informational and educational purposes only. It does not constitute legal advice and should not be used as a substitute for professional legal or cybersecurity consulting. Every organization has unique requirements. You should customize this template with guidance from qualified professionals to ensure it meets your specific regulatory, contractual, and operational needs.
The Six Phases of Incident Response
Phase 1: Preparation
Establish and maintain the capability to respond to security incidents before they occur.
Incident Response Team (IRT)
Define roles and responsibilities: Incident Commander, Technical Lead, Communications Lead, Legal Liaison, and Executive Sponsor.
Document primary and backup contacts for each role, including after-hours contact information.
Establish escalation procedures with clear thresholds for escalating to senior leadership and legal counsel.
Define the authority levels for each role (e.g., who can authorize system shutdowns, who communicates with regulators).
Communication Plan
Create a contact directory including internal teams, external vendors, legal counsel, insurance carriers, and regulatory contacts.
Establish primary and backup communication channels (e.g., out-of-band phone bridge, secure messaging app).
Prepare notification templates for employees, customers, partners, and regulators.
Define media response protocols and designate authorized spokespeople.
Tools and Resources
Maintain a current inventory of all systems, networks, and data assets.
Ensure forensic tools and jump kits are available and regularly updated.
Document network diagrams, system configurations, and baseline data.
Maintain offline copies of the IR plan, contact lists, and recovery procedures.
Verify that logging is enabled on all critical systems and that logs are centrally collected.
Training and Exercises
Conduct tabletop exercises at least annually with the full incident response team.
Run technical exercises (red team/blue team or purple team) to test detection and response capabilities.
Provide annual security awareness training covering incident reporting for all employees.
Document lessons learned from exercises and update the plan accordingly.
Phase 2: Detection and Analysis
Identify potential security incidents and assess their scope, severity, and impact.
Detection Sources
Security Information and Event Management (SIEM) alerts and correlation rules.
Endpoint Detection and Response (EDR) alerts from managed endpoints.
Intrusion Detection/Prevention System (IDS/IPS) alerts.
User reports via help desk, email, or phone.
Third-party notifications from ISPs, law enforcement, or threat intelligence feeds.
Automated vulnerability scanning and penetration testing results.
Initial Analysis
Validate the alert: confirm it is not a false positive by correlating with additional data sources.
Determine the attack vector: how did the attacker gain initial access?
Identify affected systems, users, and data by reviewing logs, network traffic, and system artifacts.
Assess the scope of compromise: is the attacker still active? Are additional systems at risk?
Determine whether Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), or other regulated data is involved.
Severity Classification
Critical (Severity 1): Active data exfiltration, ransomware deployment, or compromise of critical infrastructure. Immediate response required.
High (Severity 2): Confirmed compromise of systems containing sensitive data. Elevated response required within 1 hour.
Medium (Severity 3): Suspected compromise requiring investigation. Response within 4 hours.
Low (Severity 4): Security event requiring review but no confirmed compromise. Response within 24 hours.
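The Initial Analysis steps and the severity table above, worked as an added example (not part of the template and not any particular organization's tooling): an EDR alert is corroborated against logon records, the scope is expanded through later logons, outbound transfers are checked for exfiltration, the asset inventory answers the regulated-data question, and the result maps onto the four severity levels with their response deadlines. The alert, the logon and proxy records, the asset inventory, the 1 GB upload threshold and the 1-hour "still active" window are all constructed assumptions; only the severity mapping comes from the template.

```python
"""Validate, scope and classify an alert over constructed sample logs.
Added example, not part of the template: the alert, log lines and asset
inventory are constructed; the severity mapping follows the template's table,
the 1 GB upload threshold and 1-hour "still active" window are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed EDR alert that started the investigation.
ALERT = {"time": "2024-05-01T09:03:00Z", "host": "ws-017", "user": "jdoe"}
# Constructed domain-controller logon records: (time, host, user, logon_type).
AUTH_LOGS = [
    ("2024-05-01T09:00:00Z", "ws-017", "jdoe", "interactive"),
    ("2024-05-01T09:10:00Z", "fs-02", "jdoe", "network"),
    ("2024-05-01T09:30:00Z", "db-01", "svc-backup", "network"),
    ("2024-05-01T10:05:00Z", "fs-02", "svc-backup", "network"),
    ("2024-05-01T10:30:00Z", "db-01", "svc-backup", "network"),
    ("2024-05-01T11:45:00Z", "fs-02", "jdoe", "network"),
]
# Constructed web-proxy records: (time, host, user, bytes_out, destination).
PROXY_LOGS = [
    ("2024-05-01T09:20:00Z", "ws-017", "jdoe", 12_000, "198.51.100.7"),
    ("2024-05-01T09:40:00Z", "fs-02", "jdoe", 2_400_000_000, "203.0.113.5"),
]
# Constructed asset inventory (a Phase 1 deliverable): host -> regulated data held.
ASSETS = {"ws-017": set(), "fs-02": {"PII"}, "db-01": {"CUI"}}
SEVERITY_NAME = {1: "Critical", 2: "High", 3: "Medium", 4: "Low"}
RESPONSE_DEADLINE = {1: timedelta(0), 2: timedelta(hours=1),
                     3: timedelta(hours=4), 4: timedelta(hours=24)}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_alert(alert, auth_logs, window=timedelta(minutes=30)):
    """Corroborate the alert with an independent source: a logon for the same
    host and user within `window` of the alert time."""
    t = parse_ts(alert["time"])
    return any(h == alert["host"] and u == alert["user"] and abs(parse_ts(ts) - t) <= window
               for ts, h, u, _ in auth_logs)

def scope_compromise(alert, auth_logs):
    """Expand from the alerted host/user through later logons until no new host
    or user appears. Assumption: a user who logs on to an affected host after
    the alert may have had credentials captured there, so their later logons
    are in scope too."""
    t = parse_ts(alert["time"])
    hosts, users = {alert["host"]}, {alert["user"]}
    later = [(h, u) for ts, h, u, _ in auth_logs if parse_ts(ts) >= t]
    changed = True
    while changed:
        changed = False
        for h, u in later:
            if (u in users and h not in hosts) or (h in hosts and u not in users):
                hosts.add(h)
                users.add(u)
                changed = True
    return hosts, users

def exfiltration_indicators(hosts, alert, proxy_logs, threshold=1_000_000_000):
    """Large outbound transfers from affected hosts after the alert time."""
    t = parse_ts(alert["time"])
    return [(ts, h, dst) for ts, h, _u, nbytes, dst in proxy_logs
            if h in hosts and parse_ts(ts) >= t and nbytes >= threshold]

def still_active(hosts, users, auth_logs, now, window=timedelta(hours=1)):
    """True if an affected host or user produced a logon within `window` of `now`."""
    recent = [parse_ts(ts) for ts, h, u, _ in auth_logs if h in hosts or u in users]
    return bool(recent) and now - max(recent) <= window

def classify(status, regulated, exfiltration, ransomware=False, critical_infra=False):
    """Severity per the template's table; `status` is "confirmed", "suspected"
    or "event". Assumption: a confirmed compromise of a system holding no
    regulated data is rated Medium, which the table does not spell out."""
    if exfiltration or ransomware or critical_infra:
        return 1
    if status == "confirmed" and regulated:
        return 2
    return 3 if status in ("confirmed", "suspected") else 4

def analyze(alert, auth_logs, proxy_logs, assets, now):
    """Run the Initial Analysis steps and return findings for the incident log."""
    confirmed = validate_alert(alert, auth_logs)
    hosts, users = scope_compromise(alert, auth_logs) if confirmed else ({alert["host"]}, {alert["user"]})
    exfil = exfiltration_indicators(hosts, alert, proxy_logs)
    regulated = set().union(*(assets.get(h, set()) for h in hosts))
    sev = classify("confirmed" if confirmed else "suspected", regulated, bool(exfil))
    return {"validated": confirmed, "affected_hosts": sorted(hosts),
            "affected_users": sorted(users), "regulated_data": sorted(regulated),
            "exfiltration": exfil, "attacker_active": still_active(hosts, users, auth_logs, now),
            "severity": sev, "severity_name": SEVERITY_NAME[sev],
            "respond_by": (now + RESPONSE_DEADLINE[sev]).isoformat()}

if __name__ == "__main__":
    print(analyze(ALERT, AUTH_LOGS, PROXY_LOGS, ASSETS, parse_ts("2024-05-01T12:00:00Z")))
```

On the sample data the alert is corroborated by the 09:00 logon, the scope grows from ws-017 to fs-02 (jdoe's network logon) and then to db-01 (the service account that touched fs-02 afterwards), the 2.4 GB upload from fs-02 is flagged, both PII and CUI are in play, and the case lands at Severity 1. The `now` argument is passed in rather than read from the clock so the "still active" judgement is reproducible in the incident log.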
Documentation Requirements
Assign a unique incident tracking number.
Record the date and time of detection, the detection source, and the analyst who confirmed the incident.
Maintain a chronological incident log documenting all actions taken, decisions made, and evidence collected.
Preserve original evidence and create working copies for analysis.
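The four Documentation Requirements above, implemented as an added example (not part of the template): a tracking number is assigned, every action is appended to a timestamped log that is never edited in place, and each artifact is hashed, stored read-only, duplicated into a working copy and re-verified before the preservation is recorded. The IR-<year>-<sequence> numbering, the JSON-lines log layout, the evidence directory layout and the "memory image" in demo_run() are all assumptions.

```python
"""Incident tracking number, chronological log and evidence preservation.
Added example, not part of the template. The tracking-number format
IR-<year>-<sequence>, the JSON-lines log layout and the evidence directory
layout are assumptions; the "memory image" in demo_run() is constructed."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large images (memory dumps, disk images) hash without loading fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class IncidentCase:
    """One incident: a tracking number, an append-only log and an evidence store."""

    def __init__(self, root, sequence, year, analyst):
        self.incident_id = f"IR-{year}-{sequence:04d}"
        self.analyst = analyst
        self.root = Path(root) / self.incident_id
        self.originals = self.root / "evidence" / "original"  # never opened for analysis
        self.working = self.root / "evidence" / "working"     # what analysts work on
        for d in (self.originals, self.working):
            d.mkdir(parents=True, exist_ok=True)
        self.logfile = self.root / "incident_log.jsonl"

    def log(self, action, **details):
        """Append one UTC-timestamped JSON line; entries are never edited in place."""
        entry = {"time": datetime.now(timezone.utc).isoformat(), "incident": self.incident_id,
                 "analyst": self.analyst, "action": action, **details}
        with open(self.logfile, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def preserve(self, source, description):
        """Hash the original, store a read-only copy, derive a working copy from
        it, and verify both copies against the original hash before logging."""
        source = Path(source)
        digest = sha256_file(source)
        stored = self.originals / source.name
        shutil.copyfile(source, stored)
        stored.chmod(0o440)  # read-only: a second preserve() of the same name fails instead of overwriting
        work = self.working / source.name
        shutil.copyfile(stored, work)
        for copy in (stored, work):
            if sha256_file(copy) != digest:
                self.log("evidence_copy_failed", file=source.name, copy=str(copy))
                raise RuntimeError(f"hash mismatch while copying {source}")
        self.log("evidence_preserved", file=source.name, sha256=digest,
                 description=description, original=str(stored), working_copy=str(work))
        return digest

    def entries(self):
        """Return the chronological log as a list of dicts."""
        with open(self.logfile, encoding="utf-8") as f:
            return [json.loads(line) for line in f]

def demo_run():
    """Open a case in a temporary directory and preserve one constructed artifact."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "ws-017-memory.raw"
        artifact.write_bytes(b"constructed memory image, not a real capture\n" * 1000)
        case = IncidentCase(Path(tmp) / "cases", sequence=7, year=2024, analyst="analyst-1")
        case.log("detection", source="EDR", host="ws-017")
        digest = case.preserve(artifact, "volatile memory of ws-017 captured before isolation")
        return {"incident_id": case.incident_id, "sha256": digest,
                "working_copy_sha256": sha256_file(case.working / artifact.name),
                "actions": [e["action"] for e in case.entries()]}

if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=2))
```

The hash recorded in the log is what lets a later reviewer (or counsel) show that the working copy analysts handled is byte-identical to the original that was set aside; keeping the two in separate directories with the original read-only is what makes "preserve original evidence and create working copies" a property of the store rather than a matter of discipline.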
Phase 3: Containment
Limit the damage and prevent further spread of the incident.
Short-Term Containment
Isolate affected systems from the network (disable network interfaces or move to quarantine VLAN).
Block malicious IP addresses, domains, and URLs at the firewall and web proxy.
Disable compromised user accounts and revoke active sessions.
Implement emergency Conditional Access policies to block access from affected locations or devices.
Preserve volatile evidence (memory dumps, running processes) before making changes.
Long-Term Containment
Patch the vulnerability that was exploited for initial access.
Rebuild compromised systems from known-good images rather than attempting to clean them.
Implement additional monitoring on containment boundaries to detect breakout attempts.
Reset credentials for all accounts that may have been compromised, starting with privileged accounts.
Review and revoke any unauthorized persistent access mechanisms (scheduled tasks, startup scripts, registry modifications).
Phase 4: Eradication
Remove the threat from the environment and eliminate all attacker footholds.
Threat Removal
Remove malware, backdoors, and unauthorized tools from all affected systems.
Delete unauthorized user accounts, API keys, and service principals created by the attacker.
Remove malicious scheduled tasks, scripts, and registry entries.
Scan the entire environment for indicators of compromise (IOCs) to identify systems that may have been missed during initial analysis.
Verify that all persistence mechanisms have been identified and removed.
Vulnerability Remediation
Patch or mitigate the vulnerability that enabled the initial compromise.
Review and harden configurations on affected systems and similar systems.
Update firewall rules, access control lists, and security group policies.
Rotate all potentially compromised certificates, API keys, and secrets.
Phase 5: Recovery
Restore affected systems and services to normal operation.
System Restoration
Restore systems from verified clean backups or rebuild from known-good images.
Verify the integrity of restored data by comparing checksums against known-good copies.
Re-enable network connectivity for restored systems in a staged manner.
Monitor restored systems closely for signs of re-infection or continued compromise.
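The checksum comparison in the System Restoration steps, worked as an added example (not part of the template): a manifest of SHA-256 digests is taken from the known-good copy before restoration, the restored tree is compared against it, and a system is cleared for the staged re-enable step only when nothing is modified, missing or unexpected. The manifest format (relative path to sha256) and the files in demo_run() are constructed assumptions.

```python
"""Check restored data against a checksum manifest taken from the known-good copy.
Added example, not part of the template. The manifest format (relative path ->
sha256) and the files in demo_run() are constructed."""
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Relative path -> sha256 for every file under root (the known-good image
    before restoration, or the restored tree afterwards)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(restored_root, manifest):
    """Classify each file as ok, modified, missing or unexpected. Anything other
    than ok has to be explained before the system goes back on the network."""
    current = build_manifest(restored_root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in current:
            result["missing"].append(path)
        elif current[path] != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result

def ready_for_reconnection(result):
    """Gate for the staged re-enable step."""
    return not (result["modified"] or result["missing"] or result["unexpected"])

def _write_tree(base, files):
    for rel, data in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

def demo_run():
    """A restore that went wrong on the first attempt, then a corrected second pass."""
    known_good = {"bin/service": b"\x7fELF constructed binary\n",
                  "etc/app.conf": b"listen=443\n",
                  "www/index.html": b"<h1>constructed page</h1>\n"}
    with tempfile.TemporaryDirectory() as tmp:
        good, restored = Path(tmp) / "known_good", Path(tmp) / "restored"
        _write_tree(good, known_good)
        manifest = build_manifest(good)
        # First restore attempt: one file altered, one missing, one extra file present.
        first = dict(known_good)
        first["www/index.html"] = b"<h1>constructed page</h1><!-- altered -->\n"
        del first["bin/service"]
        first["www/extra.dat"] = b"not in the known-good image\n"
        _write_tree(restored, first)
        before = verify_restore(restored, manifest)
        # Corrected pass: restore from the image again and remove the extra file.
        (restored / "www" / "extra.dat").unlink()
        _write_tree(restored, known_good)
        after = verify_restore(restored, manifest)
        return {"before": before, "before_ready": ready_for_reconnection(before),
                "after": after, "after_ready": ready_for_reconnection(after)}

if __name__ == "__main__":
    print(demo_run())
```

The "unexpected" bucket matters as much as "modified": a file that exists on the restored host but not in the known-good image is exactly what a backup taken after the intrusion would reintroduce, so it is reported rather than silently accepted. For real restores the manifest should be generated and stored alongside the image when the image is built, not reconstructed afterwards.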
Validation and Monitoring
Conduct vulnerability scans on restored systems before returning them to production.
Verify that all security controls are functioning correctly (antivirus, EDR, logging).
Increase monitoring sensitivity for a minimum of 30 days following recovery.
Confirm that business operations have resumed normally and users can access required resources.
Document the recovery timeline and any data that could not be recovered.
Phase 6: Lessons Learned
Review the incident and improve the organization's security posture and response capabilities.
Post-Incident Review
Conduct a post-incident review meeting within 5 business days of closing the incident.
Include all IRT members, affected business units, and relevant third parties.
Review the incident timeline: What happened? When was it detected? How long did containment take?
Identify what worked well and what needs improvement in the response process.
Document root cause analysis findings.
Improvement Actions
Create a prioritized list of improvement actions with assigned owners and target completion dates.
Update the incident response plan based on findings from the review.
Update detection rules, monitoring alerts, and response playbooks.
Identify training needs and schedule additional exercises if gaps were found in team readiness.
Share sanitized lessons learned with the broader organization to improve security awareness.
Update the risk register to reflect any newly identified risks or changes in risk ratings.
Regulatory and Legal Obligations
Determine whether the incident triggers mandatory reporting requirements (e.g., CMMC, HIPAA, state breach notification laws).
File required regulatory notifications within the mandated timeframes.
Coordinate with legal counsel on any litigation holds, insurance claims, or law enforcement referrals.
Retain all incident documentation and evidence for the required retention period.
Need Help Building Your IR Plan?
Our team can help you customize this template, conduct tabletop exercises, and build a response capability tailored to your environment and compliance requirements.