An Incident Response Plan (IRP) is exactly what it sounds like: a plan for how to respond to incidents. The key word here is respond. Without a plan, you will have an incident reaction instead of an incident response.
This post is covering IRPs that are specific to cyber security, but an IRP can cover any number of incidents. Sometimes it is included in a Business Continuity Plan (BCP) or a Disaster Recovery Plan (DRP). Other times it is its own plan.
The IRP can be generalized and simply cover “cyber-attacks”, or it can be broken down into different types of threat events such as ransomware, denial of service (DoS) attacks, and data breaches.
Regardless of the scope of the plan, it is important to make one.
All incidents will be different, and it is likely that your plan will not exactly fit your needs in the moment. However, planning offers many benefits.
Think Through Likely Scenarios
Even if the actual situation is different from the plan, the process of planning will help you adapt your plan to the incident. If you need ideas for incidents or threats to include in your IRP, you can refer to your information security risk assessment findings.
Limit the number of things you will have to “figure out” while responding to an incident.
Who do we need to contact? What is their contact number? Who makes the response decisions? How do we restore from a backup?
These are questions you can answer beforehand.
Limit Required Decisions
You want to limit the number of decisions or fact-finding tasks that must be done in the event of a cyber-attack. If any decisions can be made beforehand, include them in the plan. For those decisions that cannot be made ahead of time, you can at least prepare by identifying the decision points and the decision-making criteria that will apply during an attack.
Under what circumstances will you disconnect or shut down devices or services?