An incident response plan is the set of instructions the incident response team follows when a security incident occurs. A well-developed plan includes procedures for detecting an incident, responding to it, and limiting its effects.
Without an incident response plan, an organization may fail to detect an attack at all, or, if a compromise is detected, may not follow a consistent procedure to contain and eliminate the threat.
In general, an incident response plan has six main phases (the standard names are preparation, identification, containment, eradication, recovery, and lessons learned):
Preparation: training users and IT staff to deal with incidents when they occur, and having the tooling, contact lists, and playbooks in place beforehand.
Identification: determining whether an observed event meets the criteria to be classified as a security incident, and establishing its scope and severity.
Containment: limiting damage and isolating affected systems so the incident cannot spread further.
Eradication: finding the root cause of the incident and removing it (malware, attacker accounts, persistence mechanisms) from the affected systems; the systems themselves are not discarded, only cleaned.
Recovery: returning the affected systems to the production environment and monitoring them to confirm that the threat is gone.
Lessons learned: completing the incident documentation and analyzing the incident so that future response efforts improve.