An incident response plan (IRP) is a set of written instructions for detecting, responding to and limiting the effects of an information security event.
Incident response plans provide instructions for responding to a number of potential scenarios, including data breaches, denial of service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or insider threats. Without an incident response plan in place, organizations may either not detect the attack in the first place, or not follow proper protocol to contain the threat and recover from it when a breach is detected.
According to the SANS Institute, there are six key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential incidents should they arise
2. Identification: Determining whether an event is indeed a security incident
3. Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage
4. Eradication: Finding the root cause of the incident, removing affected systems from the production environment
5. Recovery: Permitting affected systems back into the production environment, ensuring no threat remains
6. Lessons learned: Completing incident documentation and performing analysis to learn from the incident and improve future response efforts
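The six phases above are sequential, and in practice a plan is only useful if it stops a team from skipping ahead (for example, restoring a host before the root cause is known). The following is an added example, not code from the original article or from the SANS Institute: a small Python incident tracker that walks a constructed malware-outbreak incident through the six phases, refuses out-of-order transitions, requires phase-specific evidence before entering eradication, recovery and lessons learned, and derives the time-to-contain and time-to-recover figures a plan is meant to minimise. The evidence gates, metric names, incident identifiers and timestamps are assumptions chosen for illustration.

```python
"""Incident lifecycle tracker modelled on the six SANS phases.

Added example, not from the original article. The phase names come from the
article; the ordering rule, the evidence gates and the metric names are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional


class Phase(Enum):
    PREPARATION = 1
    IDENTIFICATION = 2
    CONTAINMENT = 3
    ERADICATION = 4
    RECOVERY = 5
    LESSONS_LEARNED = 6


# Assumed gates: a phase may only be entered once the named evidence exists.
# Eradication needs a root cause, recovery needs proof no threat remains,
# lessons learned needs the written incident report.
REQUIRED_EVIDENCE = {
    Phase.ERADICATION: "root_cause",
    Phase.RECOVERY: "clean_verification",
    Phase.LESSONS_LEARNED: "report",
}


class PhaseTransitionError(Exception):
    """Raised when a phase is skipped or entered without its required evidence."""


@dataclass
class Incident:
    incident_id: str
    phase: Phase = Phase.PREPARATION
    entered_at: Dict[Phase, datetime] = field(default_factory=dict)
    evidence: Dict[str, str] = field(default_factory=dict)

    def advance(self, to: Phase, at: datetime, **evidence: str) -> None:
        """Move to the next phase, enforcing order and the evidence gates."""
        if to.value != self.phase.value + 1:
            raise PhaseTransitionError(
                f"{self.incident_id}: cannot go from {self.phase.name} to {to.name}")
        self.evidence.update(evidence)
        needed = REQUIRED_EVIDENCE.get(to)
        if needed and not self.evidence.get(needed):
            raise PhaseTransitionError(
                f"{self.incident_id}: entering {to.name} requires '{needed}'")
        self.phase = to
        self.entered_at[to] = at

    def _elapsed(self, start: Phase, end: Phase) -> Optional[timedelta]:
        if start in self.entered_at and end in self.entered_at:
            return self.entered_at[end] - self.entered_at[start]
        return None

    def time_to_contain(self) -> Optional[timedelta]:
        """Identification -> Containment: how long the attacker had free rein."""
        return self._elapsed(Phase.IDENTIFICATION, Phase.CONTAINMENT)

    def time_to_recover(self) -> Optional[timedelta]:
        """Identification -> Recovery: the full outage/degradation window."""
        return self._elapsed(Phase.IDENTIFICATION, Phase.RECOVERY)


def run_sample_incident() -> Incident:
    """Walk a constructed malware-outbreak incident through all six phases."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    inc = Incident("INC-0001")       # constructed identifier
    inc.advance(Phase.IDENTIFICATION, t0,
                trigger="EDR alert: credential dumper on host ws-17")
    inc.advance(Phase.CONTAINMENT, t0 + timedelta(minutes=45),
                action="ws-17 network-isolated; user account disabled")
    inc.advance(Phase.ERADICATION, t0 + timedelta(hours=3),
                root_cause="phishing attachment bypassed mail filter")
    inc.advance(Phase.RECOVERY, t0 + timedelta(hours=8),
                clean_verification="host reimaged, full scan clean")
    inc.advance(Phase.LESSONS_LEARNED, t0 + timedelta(days=2),
                report="mail filter rule added; phishing drill scheduled")
    return inc


def skipping_phase_is_rejected() -> bool:
    """Ordering gate: containment straight to recovery is refused."""
    inc = Incident("INC-0002")
    inc.advance(Phase.IDENTIFICATION, datetime(2024, 1, 2, 0, 0))
    inc.advance(Phase.CONTAINMENT, datetime(2024, 1, 2, 1, 0))
    try:
        inc.advance(Phase.RECOVERY, datetime(2024, 1, 2, 2, 0))
    except PhaseTransitionError:
        return True
    return False


def missing_root_cause_is_rejected() -> bool:
    """Evidence gate: eradication without a recorded root cause is refused."""
    inc = Incident("INC-0003")
    inc.advance(Phase.IDENTIFICATION, datetime(2024, 1, 3, 0, 0))
    inc.advance(Phase.CONTAINMENT, datetime(2024, 1, 3, 1, 0))
    try:
        inc.advance(Phase.ERADICATION, datetime(2024, 1, 3, 2, 0))
    except PhaseTransitionError:
        return True
    return False


if __name__ == "__main__":
    sample = run_sample_incident()
    print(sample.phase.name, sample.time_to_contain(), sample.time_to_recover())
    print("skip rejected:", skipping_phase_is_rejected())
    print("missing root cause rejected:", missing_root_cause_is_rejected())
```

The two metrics are the ones worth reporting after each incident: time-to-contain measures detection-to-isolation, and time-to-recover measures the whole window in which affected systems were out of production. Tracking them across incidents is what makes the "lessons learned" phase measurable rather than anecdotal.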
An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders. The plan should identify and describe the roles/responsibilities of the incident response team members who are responsible for testing the plan and putting it into action. The plan should also specify the tools, technologies and physical resources that must be in place to recover breached information.