Part Two: Creating the Game Plan

Teams with a well-thought-out game plan rally their players behind a strategy and increase their chances of a win. For organizations that have their all-star team in place to respond to cyber security or privacy incidents, the next step is to develop the “how” by identifying what actions need to be taken in response to an incident. In the following, we will identify what it takes to bring together an organization’s complete incident response plan.

KAMMCO Incident Response Plan

1 - Identify Possible Incidents
To start, identify the types of incidents the response plan will cover. Will this response plan be used for cyber incidents exclusively, or will other kinds of events such as HIPAA-related incidents or financial incidents be included as well? Depending on your incident portfolio, you may decide to create a response plan for a specific kind of event, or you may determine that all types of incidents are applicable to your organization. If you need to include multiple types of incidents, those can be delineated in separate sections of the response plan. The response plan can be tailored to be as general or as detailed as needed.

2 - Identify the Stages of the Response
Once you have defined the kinds of incidents to include in your plan, you should develop a strategy for handling those incidents. A thoughtful response plan includes attention to the stages that will happen in response to an incident. It may be the case that multiple tasks must be accomplished before moving on to the next stage of the plan, but it could also be the case that tasks for multiple stages must coincide in order to achieve incident mitigation. What’s important is that the incident response plan adopts as many stages as necessary to resolve the situation. Some suggested stages to include in an incident response plan are:

  • Preparation – Reviewing the plans in place and staying well-informed of activities involving the incident threat landscape.
  • Detection – Identifying the systems where incidents may develop or come through, and the employees who can assist with monitoring such areas.
  • Containment – Taking immediate steps to lock down exposed systems or areas to prevent further access or disclosure.
  • Investigation – Analyzing what information was disclosed, what systems were accessed, and who and what was affected. This will help you begin to set up a roadmap for mitigations.
  • Mitigation – Assessing the damages and developing solutions for recovery.
  • Response – Notifying the required entities, as well as affected parties.
  • Post-Incident Activity – Reviewing lessons learned from the incident response and making changes and adjustments to areas that need reinforcement.

It’s important to remember the incident response plan is not one-size-fits-all, as incidents can and do vary. For example, incidents can be categorized by risk level. Different types of incidents fall into low, medium, or high-risk categories, and a response plan can be developed for each. A low-risk incident may involve relatively few stages and require just a few members of the incident response team. A high-risk incident, however, may require the efforts of everyone on the team and go through many multi-tiered stages before resolution.

3 - Quick Reference Information
Last, the incident response plan should include quick-reference information that may be helpful during the response. Some references to add are:

  • Names and contact information of the incident response team, external vendors, and other resources
  • Forms and checklists to capture necessary information and steps throughout the incident process
  • References to related internal policies and regulatory requirements
  • Links to helpful resources for supporting information

Having the game plan in place for the incident response team sets up both an offensive and a defensive incident response - one that can be put into action at a moment’s notice. Now that the team and the game plan are set, in Part 3 of this series we'll put it all into practice!