A cybersecurity incident response plan checklist walks through preparation, detection, containment, eradication, recovery, and post-incident review. It assigns roles in advance, fixes communication paths, preserves evidence, meets legal notification duties, and is tested regularly so that a breach does as little damage as possible; it also covers the non-technical areas (governance, HR, finance, external communications) that an incident pulls in. The key steps are defining what counts as an incident, building an incident response team (IRT), securing the tools the team will need before it needs them, practicing with drills, and documenting everything so the plan improves after each incident.
Preparation
- Risk Assessment: Identify critical assets and potential threats (e.g., ransomware, phishing).
- Team & Roles: Establish a dedicated Incident Response Team (IRT), an incident manager, backups, and define responsibilities (legal, comms, IT, HR).
- Tools & Resources: Inventory assets, and secure out-of-band communication channels for when primary systems are down or the attacker can read them (a compromised mail server must not carry the response discussion).
- Playbooks: Develop specific procedures for different incident types (e.g., data breach, DDoS).
Detection & Analysis
- Monitor & Alert: Collect logs centrally and alert on anomalies (EDR, SIEM, IDS); define who receives alerts and how quickly they must be triaged.
- Incident Log: Start an official, timestamped event log immediately; record every observation, action, and decision, and keep it tamper-evident so it can serve as evidence later.
- Confirm & Classify: Verify the incident is real (not a false positive), then assign severity/priority based on impact and scope so escalation follows a predefined path.
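The incident log above needs to be more than a text file someone can quietly edit after the fact. The following is an added example, not part of the original checklist: a small append-only, hash-chained timeline in Python in which each entry carries a UTC timestamp, the actor, the event, and the SHA-256 of the previous entry, so that editing, inserting, or deleting an entry is detected by verify(). The incident identifier "IR-0001", the hostnames, and the sample events in demo() are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash used as the "previous hash" of the very first entry.
GENESIS = "0" * 64


def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash does not
    # depend on key order or formatting.
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class IncidentLog:
    """Append-only, hash-chained incident timeline.

    Every entry records who did what and when, plus the hash of the
    previous entry. Changing or removing an earlier entry breaks the
    chain, which verify() reports along with the first bad index.
    """

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def append(self, actor, event, timestamp=None):
        # Timestamps are recorded in UTC to avoid timezone ambiguity
        # when the timeline is later correlated with system logs.
        ts = (timestamp or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "timestamp": ts,
            "actor": actor,
            "event": event,
            "prev_hash": prev,
        }
        entry = dict(body, hash=_entry_hash(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            # Sequence number and back-pointer catch deletions and reordering;
            # the recomputed hash catches edits to any field.
            if body["seq"] != i or body["prev_hash"] != prev:
                return False, i
            if _entry_hash(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def demo():
    # Constructed sample timeline for a hypothetical incident "IR-0001".
    log = IncidentLog("IR-0001")
    t0 = datetime(2024, 3, 1, 9, 12, tzinfo=timezone.utc)
    log.append("soc-analyst", "EDR alert: suspicious PowerShell on WKS-17", t0)
    log.append("incident-manager", "Incident declared, severity High", t0.replace(minute=20))
    log.append("it-ops", "WKS-17 network-isolated via EDR", t0.replace(minute=25))
    intact = log.verify()
    # Someone later rewrites the first entry to downplay the alert.
    log.entries[0]["event"] = "False positive, no action"
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the chain head (the latest hash) should be copied somewhere the attacker and the responders cannot silently change, such as a ticket in an out-of-band system or a message to counsel, so that the log can be checked against an external anchor and not only against itself.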
Containment, Eradication & Recovery (The NIST/SANS Phases)
- Contain: Isolate affected systems to stop the spread (e.g., block them at the switch, firewall, or EDR). Prefer network isolation to powering off: a hard shutdown destroys volatile evidence (memory contents, active connections, running processes) that analysis and attribution depend on.
- Eradicate: Remove the threat (malware, persistence mechanisms, unauthorized accounts and credentials) and close the entry point that was used, otherwise the attacker simply returns.
- Recover: Restore systems and data from backups verified to predate the compromise, then monitor the restored systems closely before declaring a return to normal operations.
Post-Incident Activity (Lessons Learned)
- Review & Analyze: Conduct a thorough post-mortem against the incident log timeline to establish the root cause and what allowed the attacker to get as far as they did.
- Document: Update the plan, procedures, and tools based on findings.
- Test: Regularly test and refine the plan (tabletop exercises, simulations).
Communication & Legal
- Internal: Notify leadership and employees (what to do and what not to do, including not discussing the incident over potentially compromised systems).
- External: Prepare statements for customers, regulators, law enforcement, insurers, and third-party vendors; route all external messaging through a single named spokesperson.
- Legal: Ensure compliance with data breach notification laws and their deadlines (e.g., GDPR's 72-hour deadline for notifying the supervisory authority, CCPA), and involve counsel early.