An incident response policy is a document outlining your organization's game plan for how to respond to a cyber security incidents. It lays out who does what, how to communicate, and the phases of response—from preparation to recovery. It’s not just a document; it’s a critical part of protecting your business.
An incident response plan should be presented to and approved by the leadership team. Thishelps achieve buy-in from senior management, strengthen accountability, and give you the authority to move forward with yourincident response strategy.
Above all, it should serve as a broad blueprint for managing the incident response lifecycle, providing the stepping stone for more detailed documentation for handling an incident.
This deeper, more specific material typically takes the form of an incident response plan and a series of incident response playbooks, where:
The incident response plan expands upon the roadmap set out in your incident response policy with much more detail on preparation for, management of, and improvements to be made following an incident
Each incident playbook is a standardized set of procedures you should follow in response to a particular type of incident, detailing actionable steps you need to take at each stage of the response process along with the tools you'll need to perform each task
It's essential everyone involved in the incident response process be fully prepared in advance so they can calmly go about their tasks in a competent and efficient manner. In other words, you need a carefully planned, comprehensive incident response strategy.
A 12 step incident response policy template checklist
This template offers a framework for creating your incident response policy, but every organization is unique. Be sure to tailor it by adding or removing sections to fit your specific business and operational needs.
1. Introduction: A high-level overview of the policy’s purpose and the importance of incident response within the organization.
2. Terminology: Definitions of key terms used within the policy to ensure a shared understanding across the organization, such as “incident,” “threat,” and “vulnerability.”
3. Roles and responsibilities: The roles and responsibilities of each team member involved in incident response, including the incident manager, analysts, and communication liaisons.
4. Communications: Established protocols for internal and external communication during incidents, specifying channels and designated points of contact.
5. Training: Training requirements for incident response team members and employees to maintain readiness and awareness across the organization.
6. Regulatory compliance: A list of relevant compliance requirements and standards, such as GDPR or HIPAA, and procedures for meeting these obligations during an incident.
7. Asset inventory: An inventory of critical assets, including systems, data, and infrastructure, to clarify what needs to be protected and prioritized during an incident.
8. Threat models: Potential threats and attack vectors relevant to the organization, aiding in focused incident response planning.
9. Security tooling: Security tools and technologies in place to support incident detection, response, and monitoring.
10. Detection and remediation: Procedures for detecting and analyzing incidents, along with steps for containment, remediation, and post-incident recovery.
12. Review lifecycle: A schedule for regular reviews and updates to the policy, ensuring it stays effective and relevant as the threat landscape evolves.
More details on each step here:
1. Introduction
Your introduction should resonate with senior decision makers. So it should take a wider view of incident response by explaining the following:
Why incident response is so important, putting both the technical and business case for an incident response strategy
The purpose of the policy, why it was created and whom and what it applies to
Your introduction should also include:
At least one statement that demonstrates your organization's commitment to security
A mandate for the creation of an incident response plan and detailed playbooks—ideally with a timeline for creating them
The position within your company of the person who will be responsible for enforcing the policy
2. Terminology
Cybersecurity is a complex discipline with a specialist vocabulary of terms and concepts that aren't widely understood. To ensure everyone shares a common language and prevent time-consuming misunderstandings, your policy should:
Set out clear definitions for terms, such as vulnerability, threat, attack, event, incident, personal data, and different types of data breach
3. Roles and responsibilities
You should explain the scope of your policy in terms of whom it should apply to and use it as the first step towards building your incident response team. For example, you should state you need to:
Set up a cyber incident response team (CIRT)
Designate an incident manager who will head up the team overall
Identify backup personnel who can step in if the incident manager is unavailable
Nominate those who will be responsible for developing your incident response plan
Decide whether you need the services of a third-party security provider
4. Communications
This section will set the direction for your communication strategy and should state you need to:
Establish designated points of contact
Define primary and secondary methods of contact—typically email, phone, and messaging apps
Set out procedures for incident reporting and triaging cases
Identify who will be responsible for notifying enforcement bodies in line with compliance requirements
Draw up a list of all other parties you should inform in the event of an incident, such as customers, suppliers, insurers, law enforcement, and partner companies that form part of your software supply chain
Develop an external communications (PR) plan
Outline responsibilities for reporting progress throughout the response process
5. Training
As part of your commitment to security, your policy should set out plans for training across all aspects of preventing and responding to attacks. It should typically cover:
Basic security awareness training
In-depth technical training for cybersecurity teams
Training on how to use tools and technologies for detecting, analyzing and flushing out attacks
Compliance training
Dedicated incident management training
6. Regulatory compliance
Your organization will need to meet the incident reporting requirements of a range of different data protection regulations and standards. While these share much in common, legal and communications teams will need to be aware of the differences. For example, some state very clear time limits for reporting a breach after it has become known. By contrast, others merely state that you should do so within a reasonable time.
Under the terms of your policy, your organization should therefore look to establish:
What regulations and standards apply to your organization
What types of data they apply to
Requirements for notifying enforcement agencies in the event of an incident
Requirements for informing individuals affected by the breach
Whom you must contact and by what method
7. Asset inventory
Your asset inventory will help define the scope of your policy in terms of what it applies to. It will also give you a wider picture of your systems and the relationships between them. This can prove invaluable to incident response teams by helping them to understand more clearly what and who has been affected by the breach and identify potential avenues for lateral movement of the attack.
You should therefore propose that your organization:
Draw up a preliminary list of the IT assets you need to protect
Map your inventory in more detail, including the relationships between different systems
Use your mapping exercise as the basis for setting priorities for incident response and recovery—based on factors such as service-level agreements (SLAs), potential loss of revenue, and compliance requirements
Detail your findings in your incident response plan
Different types of attack necessitate different types of response. So it makes sense to include provisions for identifying and listing the different types of threat to your systems. You should then recommend threat modeling techniques to help you understand the nature of each such threat, documenting basic information such as the:
Risk it poses to your data and organization as a whole
Likely goal of an attacker
Resources you need to deal with the attack
Most suitable response procedure
9. Security tooling
You should recommend a review of existing security tooling for managing incident response—with the view to procuring additional tools where necessary.
Your policy should make reference to the different types of solution that offer incident response capabilities. These typically include:
Endpoint detection and response (EDR)
Cloud detection and response (CDR)
Extended detection and response (XDR)
Security information and event management (SIEM)
Security orchestration, automation and response (SOAR)
10. Detection and remediation
This section should give a brief technical overview of the incident response process and should cover:
Detection: Evaluation of potential signs of an attack to determine whether a security incident has occurred or is about to occur
Analysis: The investigation phase to determine the root cause of the attack, the likely impact on your deployments, and appropriate corrective action
Containment: Technical measures to minimize the spread and impact of the breach
Eradication: Procedures for eliminating the threat, such as removing malicious content, patching vulnerabilities and blocking points of entry
Recovery: The series of coordinated steps for restoring your systems to their previous state—without opening the door to a repeat attack
11. Business continuity and disaster recovery
Business continuity (BC) and disaster recovery (DR) focus on keeping mission-critical operations running during a period of disruption, such as a cyberattack, and restoring systems to normal with the minimum of downtime and impact to your business. BCDR plays a key role in incident response and the two should therefore work together in harmony. Hence you should call upon your organization to:
Outline measures for coordinating your response with the BCDR team
Make use of common elements in your BCDR plan, such as processes, roles, and responsibilities, and integrate them onto your incident response plan
Include brief guidance about when to trigger BCDR responses depending on the stage you're at in the incident response process
12. Review cycle
Finally, your policy should require that you:
Periodically review incident response plans and playbooks to reflect changes to your environments
Update them after an incident with lessons learned from the response team's experiences
How to create an incident response policy: 7 steps
Your incident response policy should outline the steps, responsibilities, and resources needed to respond effectively and minimize potential impacts. Here’s a step-by-step guide to get started:
1. Assess existing assets and security measures
What are you protecting? Start by identifying your most critical assets, existing security controls, and potential vulnerabilities. This step isn’t glamorous, but it’s the foundation for prioritizing resources and tailoring your response plan to what really matters.
2. Establish an incident response team
Who’s in charge when something goes wrong? Put together a response team with clearly defined roles—like decision-makers, technical leads, and communications contacts. Everyone needs to know their lane to keep the response smooth and coordinated.
3. Create an incident response plan
What happens when an incident strikes? Map out a step-by-step plan covering everything from detection to recovery. Think of it as a detailed guide for your team to follow under pressure—no guesswork allowed.
4. Define communication protocols
Who do you call, and how? Establish clear communication channels for internal updates and, if needed, external notices to customers or regulators. Timing and clarity are everything here.
5. Ensure regulatory compliance
Regulations like GDPR or HIPAA can’t be ignored. Bake these into your policy to avoid fines and legal headaches during a stressful time.
6. Incorporate training and awareness
Your policy is only as strong as the people using it. Regularly train your team on procedures, run mock scenarios, and teach all employees basic security awareness to stop incidents before they start.
7. Review and update the policy regularly
The threat landscape changes constantly—and so should your policy. Schedule regular reviews to update for new threats, changing regulations, or lessons learned from real incidents.
How Wiz Helps with Incident Response in the Cloud
Wiz provides a suite of features that can assist with the Identification, Containment, and Eradication steps of an IR plan, including:
Detection and Analysis: Wiz integrates with cloud provider activity logs like AWS CloudTrail and Azure Activity Logs to monitor cloud environments, detect threats, and analyze potential attack paths. Wiz continuously assesses risks, prioritizes threats based on impact, and provides context for attack path analysis.
Containment and Eradication: Wiz provides container forensics and runtime execution data to help you investigate incidents and understand their potential blast radius and offers pre-built and customizable response playbooks for common cloud threats.
Wiz aims to empower security teams by offering a comprehensive Cloud Detection and Response (CDR) solution that streamlines the incident response process, allowing them to:
Reduce alert fatigue: Prioritize threats based on context and potential impact.
Shorten investigation time: Use efficient tools for gathering evidence.
Take quicker action: With pre-built playbooks and automated response capabilities.
Empower IR in the Cloud
Learn why IR teams rely on Wiz to respond to security incidents in their cloud environments faster and more efficiently.
Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.
Vulnerability management involves continuously identifying, managing, and remediating vulnerabilities in IT environments, and is an integral part of any security program.
API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.
In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.