
What To Include In An Incident Response Plan

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.

Creating an incident response plan can seem overwhelming. To simplify the process, develop your incident response plan in smaller, more manageable procedures.


While every organization needs varying policies, training, and documents, there are a few itemized response lists that most organizations should include in their incident response plan, such as:

  • Emergency contact/communications list
  • System backup and recovery processes list
  • Forensic analysis list
  • Jump bag list
  • Security policy review list

Emergency contact/communications list

Proper communication is critical to successfully managing a data breach, which is why you need to document a thorough emergency contact/communications list. Your list should contain information about: who to contact, how to reach these contacts, the appropriate timelines to reach out, and what should be said to external parties.

In this list, you should document everyone that needs to be contacted in the event of a data breach, such as the following individuals:

  • Response team
  • Executive team
  • Legal team
  • Forensics company
  • Public relations
  • Affected individuals
  • Law enforcement
  • Merchant processor

You need to determine how and when notifications will be made. Several states have legislated mandatory time frames that dictate when an organization must make notifications to potentially affected cardholders and law enforcement. You should be aware of the laws in your state and have instructions in your incident response plan that outline how you will make mandated notifications.

Your incident response team should craft specific statements that target the various audiences, including a holding statement, press release, customer statement, and internal/employee statement. For example, you should have prepared emails and talking points ready to go after a data breach.

Your statements should address questions like:

  • Which locations were and are impacted by the breach?
  • How was the breach discovered?
  • Is any other sensitive data at risk?
  • How will it affect customers and the community?
  • What services or assistance (if any) will you provide your customers?
  • When will you be back up and running?
  • What will you do to prevent this from occurring again?

Identify in advance the party within your organization that is responsible for timely notifications that fulfill your state’s specific requirements. This could be your inside legal counsel, newly hired breach management firm, or C-level executive.

Your public response to the data breach will be judged heavily, so review your statements thoroughly.


System backup and recovery processes list

Your system backup and recovery processes list will help you deal with the technical aspects of a data breach. Here are some things that should be included:

  • Procedures for disconnecting from the Internet (e.g., who is responsible for deciding whether or not you disconnect)
  • System configuration diagrams that include information like device descriptions, IP addresses, and OS information
  • Process for switching to redundant systems and preserving evidence
  • Process for preserving evidence (e.g., logs, timestamps)
  • Practices to test the full system backup and system recovery
  • Steps to test and verify that any compromised systems are clean and fully functional

This list helps you preserve any compromised data, quickly handle a data breach, and preserve your systems through backups. By creating and implementing this list, your organization can lessen further data loss and help you return to normal operations as quickly as possible.

Forensic analysis list

A forensic analysis list is for organizations that use in-house forensic investigation resources. Your forensic team will need to know where to look for irregular behavior and how to access system security and event logs. You might need multiple lists based on your different operating systems and functionalities (e.g., server, database).

Your forensic team may need the following tools:

  • Data acquisition tools
  • Write-blockers
  • Clean/wiped USB hard drives
  • Cabling for all connections in your environment
  • Other forensic analysis tools (e.g., EnCase, FTK, X-Ways)

If your organization doesn’t have access to an experienced computer forensic examiner in-house, you will want to consider hiring a forensics firm, vetting them in advance with pre-completed agreements. This vetting process helps ensure you get an experienced forensic investigator when you need one.

Jump bag list

Your jump bag list is for grab-and-go responses (i.e., when you need to respond to a breach quickly). This list should include overall responses and actions employees need to take immediately after a data breach. Your list will keep your plan organized and prevent mistakes caused by panic.

Some things to include in your jump bag list are:

  • Incident handler’s journal to document the incident (e.g., who, what, where, when, why)
  • Incident response team contact list
  • USB hard drives and write-blockers
  • USB multi-hub
  • Flashlight, pens, notebooks
  • All of your documented lists
  • USB containing bootable versions of your operating system(s)
  • Computer and network tool kit
  • Hard duplicators with write-block capabilities
  • Forensic tools and software (if you decide to use in-house forensic investigations resources)
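Two of the lists above call for the same underlying discipline: the backup and recovery list asks for a process for preserving evidence (logs, timestamps), and the jump bag list asks for an incident handler’s journal recording who, what, where, when and why. The following script is an added example, not part of this article or the SecurityMetrics PCI Guide, showing how a handler can copy a log file into an evidence folder, hash it before and after the copy, keep the original timestamps, and append a journal entry that can later be re-verified. The handler name, the reason text, and the sample log lines are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large logs fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(source: Path, evidence_dir: Path, handler: str,
                      reason: str, journal: Path) -> dict:
    """Copy `source` into `evidence_dir`, verify the copy by hash, and append a
    who/what/where/when/why entry to the handler's journal (one JSON object per line).
    Returns the journal entry; raises if the copy does not match the original."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    original_hash = sha256_file(source)
    dest = evidence_dir / f"{source.name}.{original_hash[:12]}"
    shutil.copy2(source, dest)  # copy2 preserves the original's modification timestamp
    if sha256_file(dest) != original_hash:
        raise RuntimeError(f"copy of {source} does not match the original")
    entry = {
        "who": handler,
        "what": source.name,
        "where": str(dest),
        "when": datetime.now(timezone.utc).isoformat(),
        "why": reason,
        "sha256": original_hash,
        "size_bytes": dest.stat().st_size,
        "source_mtime": datetime.fromtimestamp(source.stat().st_mtime, timezone.utc).isoformat(),
    }
    with journal.open("a", encoding="utf-8") as jh:
        jh.write(json.dumps(entry) + "\n")
    return entry


def verify_journal(journal: Path) -> list[tuple[str, bool]]:
    """Re-hash every preserved file named in the journal; returns (path, still_intact) pairs."""
    results: list[tuple[str, bool]] = []
    for line in journal.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        path = Path(entry["where"])
        intact = path.exists() and sha256_file(path) == entry["sha256"]
        results.append((entry["where"], intact))
    return results


def demo() -> dict:
    """Run the workflow against a constructed sample log inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log = root / "auth.log"
        # Constructed sample log lines; the address is from the RFC 5737 documentation range.
        log.write_text(
            "2024-01-01T03:14:07Z sshd[1201]: Failed password for root from 203.0.113.7\n"
            "2024-01-01T03:14:09Z sshd[1201]: Accepted password for root from 203.0.113.7\n",
            encoding="utf-8",
        )
        journal = root / "handler_journal.jsonl"
        entry = preserve_evidence(
            log, root / "evidence",
            handler="A. Handler (placeholder)",
            reason="suspected credential compromise on host web01 (placeholder)",
            journal=journal,
        )
        verified_before = verify_journal(journal)[0][1]
        # Alter the preserved copy to show that re-verification catches the change.
        Path(entry["where"]).write_text("altered\n", encoding="utf-8")
        verified_after = verify_journal(journal)[0][1]
        return {"entry": entry, "verified_before": verified_before,
                "verified_after": verified_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The journal is append-only and one object per line, so entries can be written from the field on a laptop and handed to an outside forensics firm without conversion; re-running `verify_journal` before handing evidence over documents that nothing changed in between.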

Security policy review list

Your security policy review list deals with your response to a breach and its aftermath. This list helps you analyze the breach, so you can learn what to change.

Your security policy review list should include documentation of the following things:

  • When the breach was detected, by whom and by what method
  • Scope of the incident and affected systems
  • Data that was put at risk
  • How the breach was contained and eradicated
  • Work performed and changes made to systems during recovery
  • Areas where the response plan was effective
  • Areas that need improvement (e.g., which security controls failed, improvements to security awareness programs)

You should look at where your security controls failed and how to improve them. The purpose of this list is to document the entire incident, what was done, what worked, what didn’t, and what was learned.

In conclusion, creating an incident response plan may seem overwhelming, but breaking it down into smaller lists can simplify the process. Key components to include in your plan are an emergency contact/communications list, system backup and recovery processes, forensic analysis procedures, a jump bag list, and a security policy review list. By incorporating these lists into your incident response plan, you can effectively manage data breaches and mitigate their impact on your organization.
