Incident response plan

Definition

A formal document that defines an organisation's approach to incident handling: roles and responsibilities, escalation paths, communication procedures, legal and regulatory obligations, and authorised response actions. NIST treats the IR plan as the core deliverable of the Preparation phase.

Related terms

Containment strategy
A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
Eradication
The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
Incident response lifecycle
The structured sequence of phases NIST SP 800-61 defines for handling computer security incidents: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity....
Indicators of compromise (IoCs)
Artefacts observed on a network or system that suggest an intrusion or malicious activity has occurred, such as unusual outbound connections, known-malicious...
Lessons-learned meeting
A structured post-incident review, recommended by NIST within approximately two weeks of incident resolution, that examines what happened, what the response did...
