Preparation: IR Plans, Playbooks, and Teams
Build an incident response plan, define team roles (CSIRT), and create playbooks for the most common incident types before an attack occurs.
Why Preparation Is Phase One
The NIST incident response lifecycle has four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Preparation is the most important phase — everything an organization does before an incident determines how effectively it responds during one. Organizations that invest in preparation discover breaches faster, contain them more quickly, and spend dramatically less on recovery. The average cost difference between high and low IR preparedness is millions of dollars per incident.
The Incident Response Plan (IRP)
An Incident Response Plan (IRP) is the governing document that defines the organization's approach to handling security incidents. A comprehensive IRP includes: the mission and scope, team roles and contact information, definitions of what constitutes an incident, severity classification criteria, escalation procedures, communication templates, legal and regulatory notification requirements, and references to technical playbooks. The IRP must be approved by senior leadership and reviewed at least annually.
# IRP document structure
# 1. Purpose and Scope
# 2. Definitions (what is an 'incident' vs. 'event')
# 3. Incident classification (P1-Critical / P2-High / P3-Medium / P4-Low)
# 4. CSIRT team roster and escalation matrix
# 5. Communication plan (internal, executive, public, legal)
# 6. Playbook index (ransomware, data breach, insider threat, etc.)
# 7. Evidence preservation requirements
# 8. Regulatory notification timelines (GDPR=72h, HIPAA=60 days)
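The classification, escalation and notification elements of the plan outline above, worked through as an added Python example that is not part of this lesson's material: the severity thresholds, the escalation roster, the playbook identifiers and the rule that "pii" implies GDPR scope are constructed assumptions; only the P1-P4 tiers, the playbook types and the 72-hour / 60-day windows come from the outline. The point is that once these criteria are written down in the IRP, triage becomes a lookup rather than a judgment call made under pressure.

```python
"""Added IRP helper: classify an incident, resolve escalation, pick a playbook
and compute regulatory notification deadlines. All thresholds, contacts and
playbook names are constructed assumptions, not any real organization's plan."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed escalation matrix: who is paged at each severity tier (assumption)
ESCALATION_MATRIX = {
    "P1": ["csirt-lead", "ciso", "legal", "exec-on-call"],
    "P2": ["csirt-lead", "ciso"],
    "P3": ["csirt-lead"],
    "P4": ["soc-analyst"],
}

# Constructed playbook index keyed by incident type (identifiers are assumptions)
PLAYBOOK_INDEX = {
    "ransomware": "PB-01-ransomware",
    "data_breach": "PB-02-data-breach",
    "insider_threat": "PB-03-insider-threat",
}

# Notification windows as stated in the plan outline, measured from discovery
NOTIFICATION_WINDOWS = {
    "gdpr": timedelta(hours=72),
    "hipaa": timedelta(days=60),
}


@dataclass
class Incident:
    incident_type: str
    discovered_at: datetime          # timezone-aware; deadlines are computed from it
    systems_affected: int
    data_classes: set = field(default_factory=set)  # e.g. {"pii", "phi"}
    business_critical: bool = False
    active_attacker: bool = False


def classify(inc: Incident) -> str:
    """Assign a P1..P4 tier from impact criteria (constructed thresholds)."""
    if inc.active_attacker or (inc.business_critical and inc.systems_affected > 1):
        return "P1"
    if inc.data_classes & {"pii", "phi"} or inc.business_critical:
        return "P2"
    if inc.systems_affected > 1:
        return "P3"
    return "P4"


def notification_deadlines(inc: Incident) -> dict:
    """Map each applicable regulation to its absolute notification deadline."""
    deadlines = {}
    if "pii" in inc.data_classes:    # assumption: PII in scope means GDPR applies
        deadlines["gdpr"] = inc.discovered_at + NOTIFICATION_WINDOWS["gdpr"]
    if "phi" in inc.data_classes:    # assumption: PHI in scope means HIPAA applies
        deadlines["hipaa"] = inc.discovered_at + NOTIFICATION_WINDOWS["hipaa"]
    return deadlines


def triage(inc: Incident) -> dict:
    """Combine classification, escalation, playbook choice and deadlines."""
    sev = classify(inc)
    return {
        "severity": sev,
        "escalate_to": ESCALATION_MATRIX[sev],
        "playbook": PLAYBOOK_INDEX.get(inc.incident_type, "PB-00-generic"),
        "deadlines": notification_deadlines(inc),
    }


def hours_remaining(inc: Incident, regulation: str, now: datetime) -> float:
    """Hours left until the given regulation's deadline (negative if overdue)."""
    deadline = notification_deadlines(inc)[regulation]
    return (deadline - now).total_seconds() / 3600


def deadline_iso(inc: Incident, regulation: str) -> str:
    """ISO-8601 string of a deadline, convenient for tickets and tests."""
    return notification_deadlines(inc)[regulation].isoformat()


def sample_breach() -> Incident:
    """Constructed sample: PII exposure across three systems, no active attacker."""
    return Incident("data_breach", datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc),
                    systems_affected=3, data_classes={"pii"})


def sample_ransomware() -> Incident:
    """Constructed sample: attacker still active on a business-critical host."""
    return Incident("ransomware", datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc),
                    systems_affected=1, business_critical=True, active_attacker=True)


if __name__ == "__main__":
    for inc in (sample_breach(), sample_ransomware()):
        print(inc.incident_type, triage(inc))
```

Because deadlines are anchored to the discovery timestamp rather than to when the ticket was opened, the helper makes the notification clock visible from the first triage step, which is where the 72-hour GDPR window is most often lost.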