Your Incident Response Plan in 2022: What Should It Include?

By Nicolas Ponce, Vice President of Operations & Security, Addigy

With cybersecurity attacks on the rise, your organization may be the next victim. No matter the size of your organization, your systems and networks are at risk. A well-thought-out incident response (IR) plan can help you with minimizing damage while also reducing downtime. 

An IR plan highlights your organization’s response to cybersecurity attacks, data breaches, and security incidents. Think of it as a roadmap for your organization to follow when an incident occurs. We structured our Incident Response Checklist (essentially an incident response template any organization can use) around the Framework for Improving Critical Infrastructure Cybersecurity, which the U.S. National Institute of Standards and Technology (NIST) developed.

While every company is different, there are typically four stages to any IR plan:

  • Preparations.
  • Detection and analysis.
  • Containment, eradication, and recovery.
  • Post-incident review.

Think of each stage as a member of a team. One stage isn’t more important than another. You cannot pick and choose stages for your incident response plan. Excluding any of the stages from your plan could prove to be disastrous. 


Are you ready if a ransomware attack happens? If so, you’re already off to a good start. Preparation shouldn’t just be about being able to manage an incident when it arises. It should also entail the prevention of incidents by ensuring that your systems, networks, and applications are sufficiently secure. Every IR plan should include key contact information for regulatory bodies, law enforcement agencies, third-party IR providers, etc.; investigation resources (such as network diagrams and a list of key assets and data and where they are located or hosted); potential incident scenarios (malware, phishing, ransomware, data breach, and data corruption); and relevant plans, including prevention and detection plans, containment, eradication, and recovery plans, and crisis management and communications plans. When you take all the necessary precautions ahead of time, you put yourself and your organization in a better position to manage incidents when they occur.

Detection and analysis

No matter how prepared you are, a cybersecurity incident is bound to happen at some point. Detection and analysis of the incident is the first step to identifying an incident and understanding its impact and severity. While you should be ready for any incident, you should prepare specifically for common attack vectors, including poorly designed web apps, misconfigured systems, and internet downloads. When an incident happens, identify the possible sources (e.g., security software, publicly available information, logs, etc.); and gather any evidence, including a summary of the incident, incident indicators, and system events. Also, know your obligations. For example, when an incident occurs, you’re not the only one impacted. There are relevant stakeholders, which may include your board of directors, regulators, and government agencies.  

Containment, eradication, and recovery 

One of the most critical stages of IR is the containment, eradication, and recovery stage. While containment strategies vary depending on the type of incident, they should all aim to contain the incident and minimize the damage — that’s what matters. Do you have proper methods in place? Some of the more common containment strategies include firewall filtering, closing vulnerable ports and mail servers, and blocking further unauthorized access to the system. Of course, after containing the threat, you must then eradicate it. Some steps may include wiping out the malware, disabling breached user accounts, and patching vulnerabilities exploited. Recovering from the incident may entail restoring systems from backups, rebuilding systems from scratch, changing passwords, and tightening network perimeter security.

Post-incident review 

Finally, your IR plan should also outline what tasks should be completed after you’ve dealt with an incident. After an incident, don’t forget to identify and resolve deficiencies in systems and processes that led to the incident in the first place; assess if additional security measures are needed to strengthen the security posture of your organization, and communicate and build on lessons learned.

Without an IR plan in place, you’re vulnerable to cybercriminals. While you may be able to handle a cybersecurity incident without one, you probably won’t be able to contain the incident and minimize damage in a timely manner, which could prove to be disastrous in the long run.

Nicolas Ponce, Vice President of Operations & Security, Addigy, the only cloud-based, multi-tenant Apple device management software designed to make it easy for MSPs and corporate IT teams to manage Apple devices. Nicolas graduated from Florida International University with a Bachelor of Science in Information Technology and has over a decade of experience working as an IT leader within the B2B Tech SaaS industry. During his tenure at Kaseya, Nicolas maintained and supported their globally distributed cloud infrastructure as a TechOps Engineer. In 2017, Nicolas Ponce joined Addigy to lead the development and execution of processes that drive growth, increase efficiency and provide critical support to the organization. Under his leadership, Addigy has successfully acquired SOC2 Type 1, 2, and 3 Attestation Reports and established industry-leading security best practices to keep Addigy’s organization and clients secure.

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.