7 Tips for Building an Effective Incident Response Plan



As more companies begin to accept the inevitability of data breaches, it is critical to be prepared for when a breach occurs. Use these seven tips to build an effective incident response plan for timely recovery.

Data breaches have become an inevitable part of conducting business for companies across all industry sectors. In an effort to minimize damage incurred while also reducing costs and recovery time, it is important for organizations to have incident response plans in place. Incident response plans provide step-by-step procedures for handling security incidents, allowing organizations to react quickly and effectively.

Here are 7 tips to help your organization develop and implement an incident response plan:

1. Form an incident response team.

Incident response teams analyze reports of security breaches and threat intelligence in order to develop the organization’s incident response strategy. There are various types of incident response teams; they can be composed of internal staff, external providers, or a mixture of both.

2. Conduct an incident threat analysis.

Determine how your organization will define a security incident. For example, is an attempted attack an incident, or does the attacker need to be successful to warrant response? Once defined, conduct an incident threat analysis by discovering and documenting the threats, risks, and potential failures impacting your organization’s current security measures.

3. Create quick-response guidelines for different scenarios.

Using your incident threat analysis, create quick-response guides for the scenarios you found most likely to occur and make them readily available to IR stakeholders. This will allow you to act immediately on the common incidents that threaten your organization. In addition, create clear processes for making critical incident response decisions and outline who will be responsible for these decisions on a case-by-case basis.

4. Outline a plan for external notification.

Communication with external parties is key in any incident response plan, so be sure to document procedures for alerting third parties. When an incident occurs, law enforcement and other key stakeholders should be notified. It is also beneficial to keep in touch with external breach remediation providers and other experts in the field to receive further guidance for handling the incident.

5. Communicate your plan to employees.

Employees are an important component of incident response planning. All employees should be aware of your organization’s incident response plan and have access to it at all times. Moreover, employees should understand their role if an incident were to occur and receive training in order to properly carry out their responsibilities.

6. Train, practice, and repeat.

Just like any other process, incident response plans require practice and training in order to be effective. Running simulated breaches and responses for various scenarios will allow your organization to fine-tune its incident response plan, improving readiness for when the real deal occurs.

7. Learn from past mistakes.

This is perhaps the most important driver of successful incident response. Meet with all parties that handled a previous incident to discuss what went well and what needs to be improved. Using collected incident data, analyze factors such as the cost of the incident, incident timeline, and overall effectiveness of your plan. Creating an incident response checklist is helpful for seeing where your plan falls short.

Brandon Vasciannie
