The 6-Step Incident Response Plan(IRP) Roadmap

Connect--But, be very careful

A Quick-Start Guide


Use the Cyber Incident Life Cycle to guide the company’s operational incident-handling artifact/procedure.  This should be an annex to the System Security Plan (SSP)

Figure 1. Cyber-Incident Life Cycle

Additionally, the PPT “Model” can be used to guide and formulate the IR Pan annex.  A suggested approach is described below, and includes the kinds of questions that should be answered to demonstrate best how best to formulate a good IRP.

Figure 2. The P-P-T Triangle/Triad

1. Preparation

  • People: Who will perform the action or activity? Training needed? Skill sets?
  • Process: Training policies for cybersecurity and IT professionals to support the IRP.
  • Technology: What technology already exists to support IR?  What technologies are needed?

2. Detection

  • People: Are IT staff able to use audit tools properly to detect intrusions?
  • Process: What are ‘best practice’ approaches to detect intrusions?  Monitor firewall logs? Monitor user activity?
  • Technology: Is the technology’s data library current? Are automatic updates enabled?

3. Analysis

  • People: Are IT staff capable to do the analysis required? Can they determine false positive activity?
  • Process: What is the process leadership wants to get effective and actionable data from IT staff? What are the demands for immediate and final reporting timelines?
  • Technology: Are the right tools on-site? Can open source/web solutions useful? Can DOD or DHS provide helpful data feeds to remain current of threats?

4. Containment

  • People: Can IT staff stop the ongoing attack? Do they require additional coding scripting skills to build/update firewall policies?
  • Process: Is the containment process effective? Is allowing the attack to continue to identify the threat entity/location a good idea (to support law enforcement)?
  • Technology: Can software tools quarantine and stop a malware attack? Is shutting down all external connections a good immediate solution (at the firewall)?

5. Recovery

  • People: Can the IT staff recover backup data files and media?
  • Process: What is the order of recovery?  Bring up internal databases and communications first and external servers (email and web site) be reestablished later? What are the recovery time standards for the company to regain business operations? What is acceptable?  What is not acceptable?
  • Technology: Are there adequate numbers of back up devices for critical systems?  Can third-party service providers assist in recovering lost or damaged data?

6. User Response

  • People: Can employees safely return to an operational state?
  • Process: Does the company need to control access to services to select individuals first (e.g., finance, logistics, etc.)
  • Technology: Can technology resolve immediate problems from the recovery vice the employee such as, for example, re-selecting printers and other data connections?


Blockchain Certification