cydea/ir-plan

Incident Response Plan

Cyber security incidents can be high-pressure situations with serious consequences for both businesses and people alike. That stress can compromise decision making (especially when tired!) and a good cyber incident response plan helps organisations to get their response right.

This project contains a template cyber IR plan for you to pick up and tailor to your organisation.

Details of our other open projects can be found at https://cydea.tools.

Why?

While working with a client on improving their blue team and incident response capability they mentioned that they hadn’t been able to find an example of a good cyber incident response plan.

That came as a bit of a surprise, but they weren’t wrong. There are ‘how-tos,’ some thinly veiled vendor pitches, and plenty of other marketing materials. Some of it is old. Lots talk at a high level about the ‘phases’ of response. Many more are just ‘plans for a plan.’

There were a few notable exceptions - for example, the NCSC incident management collection - though we struck out looking for a structured document to use as a base.

Given how critical responding to security incidents is, we were surprised not to find a decent template to start from. So we set about researching, distilling and compiling the best practice, augmented with our experience responding to some of the highest-profile cyber events in recent years.

It's now available for you to pick up and make your own.

Usage

Make a copy of the IR Plan Template, or a copy of the Google Docs version, and then spend some time on:

  • Who your key contacts are, and who deputises for them
  • Tailoring the severity levels and escalation criteria
  • Choosing the categories that you’ll assign to incidents

Then discuss it with your team and senior management, agree that this is how you'll operate, and then try running a few exercises to test that everyone knows how it works!

There is also a PDF version of the template available.

Contributing

We welcome contributions, and especially want to thank Exercise3, Phil Huggins, and a few other contributors from leading cyber security firms and government agencies who wish to remain nameless for their work on v1.0 of these resources.

If you have a suggestion or improvement then please submit an issue or new pull request.

License

This resource is freely available under the Creative Commons Attribution 4.0 International (CC-BY-4.0), so please use, share, modify and improve it!