Cybersecurity Committee: Develop a Comprehensive Incident Response Plan to Carry Out in the Event of an Attack

April 15, 2021

For a more visual presentation, download the Cybersecurity Committee's Step Six infographic here. Otherwise, read the blog below!

An incident response plan provides a means to identify, eliminate and recover from cybersecurity events. Following the plan, a group can quickly respond to a security event.

A sound incident response plan requires a team that will carry it out. This team is usually called the Computer Security Incident Response Team (CSIRT). The CSIRT is a group that collect, analyze and act upon information associated with an event. The CSIRT is also responsible for communicating with other organizational stakeholders and external parties.

Having an incident response plan (IRP) helps an organization prepare for and reduce the impact of security incidents. They can also have positive effects on an organization such as data protection, reinforcement of reputation and reduces potential costs.

According to a 2019 study by IBM, the average cost of a breach is $3.86 million and take an average of 280 days to identify and contain.

The SANS Institute’s Incident Handlers Handbook defines six steps that should be taken by the CSIRT to effectively handle security incidents. A good IRP should address each of these steps.

  1. Preparation

This step includes defining and/or reviewing the security plan that is the basis of the IRP. A risk assessment should be performed, and security issues prioritized against the most important assets. Questions that need to be answered include: How does the organization define a security incident? What key stakeholders are needed to respond to a security incident? Should the IRP include the entire organization, a business unit or a department?

The scope of the plan will dictate who should be involved.

The members of the CSIRT as well as key stakeholders that will be involved with the IRP should be identified and trained. The stakeholders may include legal, public relations, human resources, senior management, physical security team, vendors, key business partners and senior management. The roles of each stakeholder also should be defined.

A communication plan should be created and document the roles, responsibilities and processes that will be used as part of the IRP.

Within the preparation phase, the developed plan should be something that will be used. The applicability of the plan can be explored with the stakeholders to see if needed scenarios are included in the plan.

  1. Identification

The team should be able to effectively detect or identify events within the environment that are outside normal operation.

When a potential incident is discovered, the appropriate stakeholders should be notified. The IRP should include a communication plan and escalation matrix. Who should be told what and when is important to the overall management of an event.

The incident should also be analyzed. The analysis should address the “who, what, where, why and how” to provide additional information in addressing the root cause and later steps within the IRP.

Where possible, “playbooks” should be created to follow during an event. Playbooks could be developed to address malware, denial of service, unauthorized access, etc. Playbooks would include how an incident is detected, what stakeholders would be involved, standard response tasks, and when the incident could be resolved.

  1. Containment

The immediate goal after discovering the incident should be to contain it and prevent additional damage.

This could include steps such as isolating the affected network or servers and applying fixes and/or patches.

  1. Eradication

The CSIRT should identify the root cause of the event, remove the threat, and work to prevent similar attacks in the future.

  1. Recovery

In the recovery phase, the team will bring affected systems back into production while monitoring to prevent another incident from occurring. The recovery point and testing processes as well as monitoring the systems will all be important steps.

  1. Lessons Learned / Post-Incident Handling

In the final phase, the event should be reviewed and documentation of the full scope of the event, how it was contained and eradicated, steps that were effective and what could be improved in the future so that the group can improve their response.

Incident Response Plan Examples

It may be useful to be able to reference an actual IRP when working to develop one for an organization. Some examples or sections may not be applicable in all cases but can be used as a start.


Thycotic   (requires registration)

Sysnet  (requires registration)

California Government Department of Technology

Carnegie Mellon University

Tulane University

Write State University

Incident Response Plan 101: How to Build One, Templates and Examples

SANS Incident Handler's Handbook

Cost of a Data Breach Study | IBM

10 Steps to Develop an Incident Response Plan You’ll ACTUALLY Use

To learn more from the PSA Cybersecurity Committee, visit!