Learning Center
Forensics
Incident Response Plan Basics

Incident Response Plan Basics

Use this to simplify the incident response plan preparation process, helping you prepare for data breach management.

Incident Response Plan Basics

This post contains part of the text from the SecurityMetrics Incident Response Plan Basics Checklist. To view the full interactive checklist, download the PDF.

Identify

Identification (or detection) is the process where you determine whether you’ve actually been breached by looking for deviations from normal operations and activities.

  • Proactively search for a breach:
    • Utilize FIM (File Integrity Monitoring)
    • Check Logs
      • Firewall
      • System
      • IDS/IPS
    • Notice any system anomalies
      • Malfunctioning antivirus software
      • Atypical log-in times
      • Presence of unexpected IPs
      • Unusual traffic
      • Reduced operating speed
  • Document how you’ve been breached and how you were notified by using these four high-probability scenarios:
    • The breach is discovered internally (e.g., review of intrusion detection system logs, alerting systems, system anomalies, or anti-virus scan malware alerts)
    • Your bank informs you of a possible breach based on reports of customer credit card fraud
    • Law enforcement discovers the breach while investigating the sale of stolen card information
    • A customer complains to you because your organization was the last place they used their card before it began racking up fraudulent charges

Prepare

Preparation often takes the most effort in your incident response planning while being the most crucial step to protect your organization.

  • Make an Incident Response plan:
  • Assign employees specific roles and responsibilities in case of a data breach
  • Ensure your employees receive proper training regarding their incident response roles and responsibilities
  • Develop and regularly conduct tabletop exercises
    • Evaluate your incident response plan
    • Make adjustments based on staff performance
  • Ensure that all aspects of your incident response plan (such as training, hardware, and software resources) are approved and funded in advance
  • Update your Business Continuity Plan

Once You’ve Been Breached

When you experience a breach, it’s important to get your staff quickly involved in fixing the problem.

  • Assemble your Incident Response team
  • Inform franchisees of your Incident Response Plan (IRP)
  • Train franchisees of immediate and long-term actions

Preserve Evidence

Preserving the valuable forensic evidence of your data breach is essential for identifying what information was stolen and how to prevent a future breach.

  • When you discover a breach, remember:
    • Don’t get rid of evidence
    • Don’t do anything hasty
    • Don’t wipe and re-install your systems (yet)
    • Follow your incident response plan

Contain the Breach

To contain a breach, you must isolate the affected system(s) to prevent further damage.

  • Implement your IRP
  • Disconnect from the Internet
  • Document the entire incident
  • Disable remote access capability and wireless access points
  • Change access control credentials (usernames and passwords)
  • Segregate all hardware devices in the payment process
  • Quarantine instead of deleting (removing) identified malware
  • Preserve firewall settings, firewall logs, system logs, and security logs
  • Restrict Internet traffic
  • Contact your merchant processing bank
  • Consider hiring a law firm experienced in managing data breaches

Consider Public Communication

The public, including those whose information was breached, needs to know quickly the scope of the breach and your plan for remediation.

  • Determine how and when notifications will be made
  • Know legislated mandatory time frames
  • Identify who is responsible for public statements
  • Seek the guidance of your legal counsel
  • Inform employees not to announce the breach before your company announcement
  • Craft specific statements about your breach by:
    • Deciding what type of organization you are
    • Finding what mandate you should follow
    • Researching who your target audience is
      • Publish statements through all or a mixture of:
        • Social media
        • Email
        • Your website
        • Local newspapers
        • News channels
        • Mail
        • Radio announcements

Investigate and Fix Your Systems

Once you’ve identified the source and have taken the proper steps to prevent a future breach, it’s time to go back online.

  • Bring affected systems back online
  • Ensure all systems have been:
    • Hardened
    • Patched
    • Replaced
    • Tested
Handout
Episode
Updated
September 15, 2021
Posted
September 22, 2020
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000