Cyber security incidents can be high-pressure situations with serious consequences for both businesses and people alike. That stress can compromise decision making (especially when tired!) and a good cyber incident response plan helps organisations to get their response right.
This project contains a template cyber IR plan for you to pick up and tailor to your organisation.
Details of our other open projects can be found at https://cydea.tools.
While working with a client on improving their blue team and incident response capability, they mentioned that they hadn’t been able to find an example of a good cyber incident response plan.
That came as a bit of a surprise, but they weren’t wrong. There are ‘how-tos,’ some thinly veiled vendor pitches, and plenty of other marketing materials. Some of it is old. Lots talk at a high level about the ‘phases’ of response. Many more are just ‘plans for a plan.’
There were a few notable exceptions - for example, the NCSC incident management collection - but we struck out looking for a structured document to use as a base.
Given how critical responding to security incidents is, we were surprised not to find a decent template to start from. So we set about researching, distilling and compiling the best practice, augmented with our experience responding to some of the highest-profile cyber events in recent years.
It's now available for you to pick up and make your own.
Make a copy of the IR Plan Template, or a copy of the Google Docs version and then spend some time on...
- Who your key contacts are, and who deputises for them
- Tailoring the severity levels and escalation criteria
- Choosing the categories that you’ll assign to incidents
Then discuss it with your team and senior management, agree that this is how you'll operate, and then try running a few exercises to test that everyone knows how it works!
There is also a PDF version of the template available.
We welcome contributions and especially want to thank Exercise3, Phil Huggins, and a few other contributors from leading cyber security firms and government agencies who wish to remain nameless for their work on v1.0 of these resources.
If you have a suggestion or improvement then please submit an issue or new pull request.
This resource is freely available under the Creative Commons Attribution 4.0 International (CC-BY-4.0), so please use, share, modify and improve it!