Incident Response Plan Template
About
This template was developed by the team at Counteractive Security, to help all organizations get a good start on a concise, directive, specific, flexible, and free incident response plan. Build a plan you will actually use to respond effectively, minimize cost and impact, and get back to business as soon as possible.
Download the latest release here, a please create an issue or submit a pull request with any feedback, suggestions, or updates.
Instructions
For those working in other formats like markdown, html, or pdf, please read on.
Download or fork this template
The layout is as follows:
during.md: the core of the plan, actions taken during an incident response.playbooks/: a folder containing playbooks with investigation, remediation, and communication suggestions for specific incidents. Create playbooks for any incidents that are highly likely or highly damaging for your organization.playbooks/index.mdcontains the playbook section header content, and each playbook should follow the conventionplaybooks/playbook-[THREAT].md.roles/: a folder containing descriptions of each role in the plan, along with duties and training notes.index.mdcontains the roles section header content, and each role should follow the conventionplaybooks/role-[ORDER]-[NAME].md.after.md: the guide to after-action review (a.k.a., hotwash, debrief, or post-mortem)---actions taken after an incident response.about.md: a footer containing information about the plan/template as a whole.info.yml: a file containing values for the template strings throughout the plan (see below)
Fill info.yml with your organization's information
The template files have a lot of placeholders that {{LOOK_LIKE_THIS}}. The purpose of each placeholder should be discernable from context, and the default info.yml file is commented for additional clarity. This is the mustache template syntax, and has wide support in a variety of tools and languages.
The easiest way to replace these variables is to customize the info.yml file with your organization's information and use the provided Makefile (as of v1.0.0) to automatically find and replace all the relevant strings. NOTE: this requires make (naturally), mustache, and pandoc to be installed and available in the user's $PATH. NOTE: pdf output needs pdflatex (see this gist for instructions on Ubuntu/Debian), and you'll need git if you want to clone the repository rather than download the zipped source.
If you don't have the information or tools referenced in the template variables, that's definitely worth fixing. Especially the critical information list (data you want to protect) and critical asset list (systems you want to protect).
Build the template
In your linux, mac, or WSL terminal:
# install core dependencies, if not already present
sudo apt-get install make ruby-mustache pandoc
# for pdf format (big)
sudo apt-get install texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra
# change to the directory of the cloned repository
cd /path/to/incident-response-plan-template
# build the template
makeThis merges the template components, combines them with your custom data from info.yml, and outputs all supported formats in the public/ directory. That's it!
If you have a specific case and want more details, read on!
Further customize the plan
- Fill in any remaining template variables (the strings that
{{LOOK_LIKE_THIS}}). - Review all the
TODOprompts for likely areas to customize, if desired. Delete them if no changes are required. - Add any roles or playbooks relevant to your organization. These can also be added over time.
- Customize anything else! Whatever you feel is most effective for your organization.
- Optional: Customize formatting directly or using pandoc's options. The default Makefile uses the default pandoc styles, and they're not for everyone.
Deploy and use the plan
The makefile uses pandoc to create a variety of formats, or you can use the markdown files with mkdocs, hugo, or countless other platforms.
Examples
Examples in each format are available in the examples directory. The markdown version is a good place to start, rendered from markdown to html automatically by github.
Contact Us
For professional assistance with incident response, or with customizing, implementing, or testing your plan, please contact us at [email protected] or (888) 925-5765.
License
This template is provided under the Apache License, version 2.0. See the LICENSE and NOTICE files for additional information.
References and Additional Reading
- Awesome Incident Response
- NIST Computer Security Incident Handling Guide (NIST)
- CERT Societe Generale Incident Response Methodologies
- Incident Handler's Handbook (SANS)
- Technical Approaches to Uncovering and Remediating Malicious Activity (Cybersecurity and Infrastructure Security Agency (CISA))
- Responding to IT Security Incidents (Microsoft)
- Defining Incident Management Processes for CSIRTs: A Work in Progress (CMU)
- Creating and Managing Computer Security Incident Handling Teams (CSIRTS) (CERT)
- Incident Management for Operations (Rob Schnepp, Ron Vidal, Chris Hawley)
- Incident Response & Computer Forensics, Third Edition (Jason Luttgens. Matthew Pepe. Kevin Mandia)
- Incident Response (Kenneth R. van Wyk, Richard Forno)
- The Checklist Manifesto (Atul Gawande)
- The Field Guide to Understanding Human Error (Sidney Dekker)
- Normal Accidents: Living with High-Risk Technologies (Charles Perrow)
- Site Reliability Engineering (Google)
- Debriefing Facilitation Guide (Etsy)
- Every Minute Counts: Leading Heroku's Incident Response (Blake Gentry)
- Three Analytical Traps in Accident Investigation (Dr. Johan BergstrΓΆm)
- US National Incident Management System (NIMS) (FEMA)
- Informed's NIMS Incident Command System Field Guide (Michael J. Ward)
- PagerDuty IR Docs
- NIST 800-61r2
- NIST CSF
- CSO Online 10 Steps (June 2017) and CSO Online 9 Steps (July 2016)
- SecurityMetrics blog 6 Steps to Making an IR Plan
- Cal Berkeley IR Plan Development
- EPA IR Plan
- incidentresponse.com playbooks
Roadmap
See issues list.
Changelog
See releases page.