Develop and test an incident response plan - AWS Security Incident Response User Guide

Develop and test an incident response plan

The first document to develop for incident response is the incident response plan. The incident response plan is designed to be the foundation for your incident response program and strategy. An incident response plan is a high-level document that typically includes these sections:

  • An incident response team overview – Outlines the goals and functions of the incident response team

  • Roles and responsibilities – Lists the incident response stakeholders and details their roles when an incident occurs

  • A communication plan – Details contact information and how you will communicate during an incident

    It’s a best practice to have out-of-band communication as a backup for incident communication. An example of an application that provides a secure out-of-band communications channel is AWS Wickr.

  • Phases of incident response and actions to take – Enumerates the phases of incident response – for example, detect, analyze, eradicate, contain, and recover – including high-level actions to take within those phases

  • Incident severity and prioritization definitions – Details how to classify the severity of an incident, how to prioritize the incident, and then how the severity definitions affect escalation procedures

While these sections are common throughout companies of different sizes and industries, each organization’s incident response plan is unique. You will need to build an incident response plan that works best for your organization.