Breach Response
Incident Response Plan
Step-by-Step Breach Response Guide
Comprehensive incident response framework to minimize damage, ensure compliance, and restore operations quickly when security incidents occur
When Seconds Count: Effective Incident Response
The average cost of a data breach is $4.45 million, but organizations with comprehensive incident response plans reduce breach costs by $2.66 million. This step-by-step guide ensures your organization can respond quickly, minimize damage, and meet all legal requirements.
Four-Phase Response Framework
Phase 1: Preparation
Building capabilities and readiness to respond effectively to security incidents
Foundation
Ongoing - Before Incidents Occur
Key Objectives
- Establish incident response team with clear roles
- Develop comprehensive response procedures
- Create communication plans and contact lists
- Implement monitoring and detection systems
Team Formation
Identify incident response team members from IT, management, legal, and communications
Define roles and responsibilities for each team member
Establish primary and backup contacts for each role
Create escalation paths for different incident severities
Documentation and Procedures
Document step-by-step incident response procedures
Create incident classification and severity guidelines
Develop communication templates for different audiences
Establish legal and regulatory notification requirements
Tools and Resources
Deploy security monitoring and logging systems
Prepare incident response toolkit (software, hardware)
Establish secure communication channels
Create offline backup communication methods
Training and Testing
Train incident response team members on procedures
Conduct regular tabletop exercises
Test communication systems and procedures
Update plans based on lessons learned
Phase 2: Detection and Analysis
Identifying potential security incidents and determining their scope and impact
Critical
Minutes to Hours - Incident Discovery
Key Objectives
- Detect security incidents quickly and accurately
- Analyze incident scope and potential impact
- Document all evidence and findings
- Make initial containment decisions
Initial Detection
Monitor security alerts from automated systems
Investigate reports from employees or users
Analyze network traffic and system logs
Validate and prioritize potential incidents
Incident Analysis
Determine incident type and attack vectors
Assess scope of affected systems and data
Identify potential impact on business operations
Estimate timeline of attacker activity
Evidence Collection
Preserve digital evidence from affected systems
Document system states and configurations
Capture network traffic and log files
Maintain chain of custody for all evidence
Initial Assessment
Classify incident severity using established criteria
Determine if law enforcement notification is required
Assess need for external forensic assistance
Prepare initial situation report for management
Phase 3: Containment, Eradication, and Recovery
Stopping the incident, removing threats, and restoring normal operations
Critical
Hours to Days - Active Response
Key Objectives
- Prevent further damage or data loss
- Remove malicious presence from systems
- Restore systems to secure operational state
- Implement additional security measures
Short-term Containment
Isolate affected systems from network
Disable compromised user accounts
Block malicious IP addresses and domains
Preserve system state for forensic analysis
Long-term Containment
Apply security patches to vulnerable systems
Reset passwords for all potentially affected accounts
Implement additional monitoring on affected systems
Develop plan for safe system restoration
Eradication
Remove malware and malicious artifacts
Close vulnerabilities exploited in the attack
Update security configurations and controls
Verify complete removal of attacker presence
Recovery
Restore systems from clean backups
Gradually return systems to production
Monitor restored systems for signs of compromise
Validate business operations are fully functional
Phase 4: Post-Incident Activity
Learning from incidents and improving security posture and response capabilities
Important
Days to Weeks - After Resolution
Key Objectives
- Document lessons learned and improvements
- Update incident response procedures
- Strengthen security controls and monitoring
- Communicate results to stakeholders
Incident Documentation
Complete detailed incident report with timeline
Document all response actions taken
Calculate incident costs and business impact
Preserve evidence for potential legal action
Lessons Learned Review
Conduct post-incident review meeting
Identify what worked well and areas for improvement
Update incident response procedures
Plan additional training or resource needs
Security Improvements
Implement additional security controls
Update monitoring and detection capabilities
Patch remaining vulnerabilities
Review and update security policies
Stakeholder Communication
Brief executive leadership on incident and response
Notify customers and partners as required
Report to regulatory authorities if necessary
Update insurance providers about the incident
Incident Classification and Response Levels
Critical Severity
Immediate Response (0-1 hour)
Immediate
Example Incidents
- Active data breach with confirmed data exfiltration
- Ransomware attack encrypting business-critical systems
- Complete network outage affecting all operations
- Confirmed compromise of financial or payment systems
Response Level:
Full incident response team activation
Escalation:
CEO/Executive leadership immediately
External Notification:
Law enforcement, legal counsel, insurance
Business Impact:
Severe - Operations stopped or severely degraded
High Severity
Urgent Response (1-4 hours)
Urgent
Example Incidents
- Suspected data breach with potential exposure
- Malware infection on multiple business systems
- Unauthorized access to sensitive business data
- Website defacement or service disruption
Response Level:
Core incident response team activation
Escalation:
Department heads and senior management
External Notification:
Legal counsel review, possible law enforcement
Business Impact:
High - Significant impact on operations or reputation
Medium Severity
Standard Response (4-24 hours)
Standard
Example Incidents
- Single system compromise with no sensitive data
- Successful phishing attack on employee account
- Denial of service affecting non-critical systems
- Suspicious network activity requiring investigation
Response Level:
IT security team with management notification
Escalation:
IT management and relevant department heads
External Notification:
Legal counsel consultation if data involved
Business Impact:
Medium - Limited impact on operations
Low Severity
Routine Response (24-72 hours)
Routine
Example Incidents
- Malware detected and blocked by security controls
- Failed login attempts without system compromise
- Non-sensitive data exposure with limited scope
- Policy violations without security compromise
Response Level:
IT security team standard procedures
Escalation:
IT management notification
External Notification:
Generally not required
Business Impact:
Low - Minimal or no operational impact
Incident Response Team Structure
Incident Commander
Overall incident response leader and decision maker
Key Responsibilities
- Make critical decisions about response actions
- Coordinate all response team activities
- Serve as primary point of contact for management
- Determine when to escalate or engage external resources
Required Qualifications
- Senior IT or security professional
- Strong decision-making and leadership skills
- Authority to make business-impacting decisions
- Experience with incident response procedures
Security Analyst
Technical investigation and analysis lead
Key Responsibilities
- Conduct detailed technical analysis of the incident
- Collect and preserve digital evidence
- Coordinate with external forensic investigators
- Provide technical recommendations for containment
Required Qualifications
- Strong cybersecurity technical skills
- Experience with forensic analysis tools
- Understanding of network and system security
- Incident investigation and documentation experience
Communications Coordinator
Internal and external communication management
Key Responsibilities
- Draft and coordinate all incident communications
- Manage media relations and public statements
- Coordinate with legal on notification requirements
- Keep stakeholders informed of response progress
Required Qualifications
- Strong written and verbal communication skills
- Experience with crisis communications
- Understanding of legal and regulatory requirements
- Ability to translate technical information for various audiences
Legal Counsel
Legal and regulatory compliance guidance
Key Responsibilities
- Advise on legal notification requirements
- Coordinate with law enforcement as needed
- Manage attorney-client privilege considerations
- Review all external communications for legal issues
Required Qualifications
- Licensed attorney with cybersecurity experience
- Knowledge of data protection and privacy laws
- Experience with incident response legal issues
- Understanding of business operations and impact
Business Continuity Coordinator
Business operations and recovery coordination
Key Responsibilities
- Assess business impact of the incident
- Coordinate business continuity procedures
- Manage communications with customers and vendors
- Oversee restoration of business operations
Required Qualifications
- Strong understanding of business operations
- Experience with business continuity planning
- Ability to coordinate across multiple departments
- Customer and vendor relationship management skills
Crisis Communication Templates
Initial Management Notification
First alert to executive leadership about potential incident
Key Elements to Include
- Brief description of the incident
- Affected systems or data (if known)
- Initial assessment of severity
- Immediate actions being taken
- Timeline for next update
Template Example
SECURITY INCIDENT ALERT - [INCIDENT ID] Date/Time: [DATE/TIME] Severity: [CRITICAL/HIGH/MEDIUM/LOW] Affected Systems: [SYSTEM NAMES] SITUATION: [Brief description of what happened] IMMEDIATE ACTIONS: [What is being done right now] NEXT UPDATE: [TIME] Contact: [INCIDENT COMMANDER NAME/NUMBER]
Employee Communication
Informing staff about incident and required actions
Key Elements to Include
- General description without sensitive details
- Specific actions employees should take
- What employees should NOT do
- Contact information for questions
- Timeline for resolution (if known)
Template Example
SECURITY NOTICE - Action Required We are investigating a security incident that may affect our systems. IMMEDIATE ACTIONS REQUIRED: • Change your password on all work accounts • Do not access [AFFECTED SYSTEMS] until further notice • Report any suspicious emails or activity • Contact IT at [NUMBER] with questions We will provide updates as more information becomes available.
Customer/Client Notification
Informing customers about potential impact to their data or services
Key Elements to Include
- Clear explanation of what happened
- What information may have been involved
- What the organization is doing to respond
- What customers should do to protect themselves
- Contact information for additional questions
Template Example
Important Security Notice We recently discovered a security incident that may have affected your information. We are writing to inform you of this incident and the steps we are taking. WHAT HAPPENED: [Clear, non-technical explanation] INFORMATION INVOLVED: [Specific types of data that may be affected] WHAT WE ARE DOING: [Response actions being taken] WHAT YOU SHOULD DO: [Specific recommendations for customers] For questions, contact us at [CONTACT INFORMATION]
Media/Public Statement
Public communication about incident for media or website
Key Elements to Include
- Acknowledgment of incident
- General description without operational details
- Commitment to investigation and improvement
- Contact information for media inquiries
- Timeline for additional updates
Template Example
[ORGANIZATION] Security Incident Statement [ORGANIZATION] recently became aware of a security incident affecting our systems. We immediately began investigating and have taken steps to secure our systems. We are working with cybersecurity experts and law enforcement to fully investigate this incident. We take the security of our systems and data very seriously. We will continue to provide updates as our investigation progresses. Media Contact: [NAME/EMAIL/PHONE]
Legal and Compliance Requirements
Breach Notification Laws
Legal requirements for notifying individuals and authorities
Key Legal Points
- All 50 states have data breach notification laws with varying requirements
- Notification timelines range from "without unreasonable delay" to specific timeframes
- Content requirements include what happened, what information was involved, and response actions
- Some states require notification to state attorney generals or other authorities
Required Action Items
- Maintain current list of applicable breach notification requirements
- Create notification timeline tracker for compliance
- Prepare template notifications that meet legal requirements
- Establish process for legal review before sending notifications
Regulatory Compliance
Industry-specific reporting and response requirements
Key Legal Points
- HIPAA requires notification within 60 days of discovery for healthcare
- Financial services may have specific regulator notification requirements
- Government contractors may have immediate notification requirements
- International operations may trigger GDPR or other privacy law requirements
Required Action Items
- Identify all applicable regulatory frameworks
- Understand specific incident response requirements
- Maintain contact information for relevant regulators
- Prepare regulatory notification templates
Evidence Preservation
Maintaining legal admissibility of incident evidence
Key Legal Points
- Chain of custody must be maintained for all evidence
- Evidence should be preserved in forensically sound manner
- Documentation of all evidence handling and analysis
- Consider privilege issues with attorney-client communications
Required Action Items
- Train team on proper evidence handling procedures
- Establish relationships with qualified forensic investigators
- Create evidence tracking and documentation forms
- Understand when to engage legal counsel for privilege protection
Contractual Obligations
Meeting incident response obligations to customers and partners
Key Legal Points
- Customer contracts may require specific incident notifications
- Service level agreements may have incident response timeframes
- Vendor agreements may require notification of security incidents
- Insurance policies may have specific claim notification requirements
Required Action Items
- Review all customer and vendor contracts for incident response clauses
- Maintain database of contractual notification requirements
- Prepare customer notification templates for different contract types
- Understand insurance policy claim procedures and requirements
Testing and Training Exercises
Tabletop Exercise
Quarterly
2-3 hours
Discussion-based exercise walking through incident scenarios
Participants: Full incident response team
Objectives
- Test decision-making processes and procedures
- Identify gaps in communication and coordination
- Practice using incident response documentation
- Build team familiarity with roles and responsibilities
Preparation Steps
- Develop realistic incident scenario
- Prepare situation updates and injects
- Gather relevant documentation and contact lists
- Schedule all key team members
Technical Drill
Monthly
1-2 hours
Hands-on practice with technical response procedures
Participants: IT and security team members
Objectives
- Test technical tools and procedures
- Practice evidence collection and preservation
- Verify system isolation and containment capabilities
- Validate backup and recovery procedures
Preparation Steps
- Set up test environment for safe practice
- Prepare technical scenarios and challenges
- Ensure availability of all tools and systems
- Document technical procedures being tested
Communication Test
Bi-monthly
30-60 minutes
Testing communication systems and notification procedures
Participants: All team members and key contacts
Objectives
- Verify all contact information is current
- Test backup communication methods
- Practice notification procedures and timing
- Ensure all team members can be reached
Preparation Steps
- Update all contact lists and communication tools
- Prepare test notification messages
- Schedule test with minimal business disruption
- Plan for testing backup communication methods
Full-Scale Simulation
Annually
4-8 hours
Comprehensive exercise simulating major incident response
Participants: All incident response team plus business stakeholders
Objectives
- Test complete incident response procedures
- Practice coordination with external parties
- Validate business continuity procedures
- Assess overall program effectiveness
Preparation Steps
- Develop complex, realistic incident scenario
- Coordinate with external partners (legal, forensics)
- Prepare realistic timeline and pressure
- Plan for comprehensive after-action review
Emergency Response Contacts
Critical Response Contacts
FBI Cyber Division
1-855-292-3937
ic3.gov for online reporting
CISA (Cybersecurity & Infrastructure Security Agency)
1-888-282-0870
us-cert.cisa.gov
Your Cyber Insurance Provider
[INSURANCE COMPANY NAME]
[24/7 CLAIMS HOTLINE]
Internal Team Contacts
Incident Commander
[NAME] - [PHONE] - [EMAIL]
Primary decision maker
Legal Counsel
[NAME] - [PHONE] - [EMAIL]
Compliance and notification guidance
Communications Lead
[NAME] - [PHONE] - [EMAIL]
Internal and external communications
Download Complete Incident Response Toolkit
Get the comprehensive incident response toolkit including detailed procedures, communication templates, legal checklists, team contact forms, and training exercise guides.
Stay Updated
Subscribe to our newsletter for cybersecurity news and updatesWe respect your privacy. Unsubscribe at any time.