Ask the Expert

Developing an incident response plan

Can you provide a sample incident response plan and offer suggestions as to who should be on an incident response team?

    Requires Free Membership to View

Here is a sample incident response plan. I found this at

The incident response team should have someone from senior management, the network administrator, security officer, possibly a network engineer and/or programmer, legal department, and a liaison for public affairs. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place.

(In reality, usually the technical team members are called to the scene to carry out their functions and the other team members may be called to update them on the situation and possibly ask them for direction pertaining to specific issues of the situation.)

The team should have proper reporting procedures established, have the ability to provide prompt reaction, have coordination with law enforcement, and be an important element of the overall security program.

When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure both uniformity in approach and that no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away. The sooner the documenting of events begins, the better, so if someone is able to document the starting time of the crime along with the company employees and resources involved, it would provide a good start. At this point, the company must decide if it wants to conduct its own forensics investigation or call in the big guns. If experts are going to be called in, the system that was attacked should be left alone, to try to preserve as much evidence of the attack as possible.


This was first published in November 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: