Definition

incident response plan (IRP)

An incident response plan (IRP) is a set of written instructions for detecting, responding to and limiting the effects of an information security event.

Incident response plans provide instructions for responding to a number of potential scenarios, including data breaches, denial of service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or insider threats. Without an incident response plan in place, organizations may either not detect the attack in the first place, or not follow proper protocol to contain the threat and recover from it when a breach is detected.

According to the SANS Institute, there are six key phases of an incident response plan:

1. Preparation: Preparing users and IT staff to handle potential incidents should they should arise

2. Identification: Determining whether an event is indeed a security incident

3. Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage

4. Eradication: Finding the root cause of the incident, removing affected systems from the production environment

5. Recovery: Permitting affected systems back into the production environment, ensuring no threat remains

6. Lessons learned: Completing incident documentation, performing analysis to ultimately learn from incident and potentially improve future response efforts

An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders. The plan should identify and describe the roles/responsibilities of the incident response team members who are responsible for testing the plan and putting it into action. The plan should also specify the tools, technologies and physical resources that must be in place to recover breached information.

Contributor(s): Sharon Shea
This was last updated in February 2014
Posted by: Margaret Rouse

Email Alerts

Register now to receive SearchSecurity.com-related news, tips and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

More News and Tutorials

Do you have something to add to this definition? Let us know.

Send your comments to techterms@whatis.com

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: