Skip to content
master
Switch branches/tags
Code

Incident Response Plan Template

About

This template was developed by the team at Counteractive Security, to help all organizations get a good start on a concise, directive, specific, flexible, and free incident response plan. Build a plan you will actually use to respond effectively, minimize cost and impact, and get back to business as soon as possible.

Download the latest release here, a please create an issue or submit a pull request with any feedback, suggestions, or updates.

Instructions

💡 If you prefer to work in Microsoft Word (.docx format), please download the example word version and customize directly using the instructions below.

For those working in other formats like markdown, html, or pdf, please read on.

Download or fork this template

The layout is as follows:

  • during.md: the core of the plan, actions taken during an incident response.
  • playbooks/: a folder containing playbooks with investigation, remediation, and communication suggestions for specific incidents. Create playbooks for any incidents that are highly likely or highly damaging for your organization. playbooks/index.md contains the playbook section header content, and each playbook should follow the convention playbooks/playbook-[THREAT].md.
  • roles/: a folder containing descriptions of each role in the plan, along with duties and training notes. index.md contains the roles section header content, and each role should follow the convention playbooks/role-[ORDER]-[NAME].md.
  • after.md: the guide to after-action review (a.k.a., hotwash, debrief, or post-mortem)---actions taken after an incident response.
  • about.md: a footer containing information about the plan/template as a whole.
  • info.yml: a file containing values for the template strings throughout the plan (see below)

Fill info.yml with your organization's information

The template files have a lot of placeholders that {{LOOK_LIKE_THIS}}. The purpose of each placeholder should be discernable from context, and the default info.yml file is commented for additional clarity. This is the mustache template syntax, and has wide support in a variety of tools and languages.

The easiest way to replace these variables is to customize the info.yml file with your organization's information and use the provided Makefile (as of v1.0.0) to automatically find and replace all the relevant strings. NOTE: this requires make (naturally), mustache, and pandoc to be installed and available in the user's $PATH. NOTE: pdf output needs pdflatex (see this gist for instructions on Ubuntu/Debian), and you'll need git if you want to clone the repository rather than download the zipped source.

If you don't have the information or tools referenced in the template variables, that's definitely worth fixing. Especially the critical information list (data you want to protect) and critical asset list (systems you want to protect).

Build the template

In your linux, mac, or WSL terminal:

# install core dependencies, if not already present
sudo apt-get install make ruby-mustache pandoc

# for pdf format (big)
sudo apt-get install texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra

# change to the directory of the cloned repository
cd /path/to/incident-response-plan-template

# build the template
make

This merges the template components, combines them with your custom data from info.yml, and outputs all supported formats in the public/ directory. That's it!

If you have a specific case and want more details, read on!

Further customize the plan

  1. Fill in any remaining template variables (the strings that {{LOOK_LIKE_THIS}}).
  2. Review all the TODO prompts for likely areas to customize, if desired. Delete them if no changes are required.
  3. Add any roles or playbooks relevant to your organization. These can also be added over time.
  4. Customize anything else! Whatever you feel is most effective for your organization.
  5. Optional: Customize formatting directly or using pandoc's options. The default Makefile uses the default pandoc styles, and they're not for everyone.

Deploy and use the plan

The makefile uses pandoc to create a variety of formats, or you can use the markdown files with mkdocs, hugo, or countless other platforms.

Examples

Examples in each format are available in the examples directory. The markdown version is a good place to start, rendered from markdown to html automatically by github.

Contact Us

For professional assistance with incident response, or with customizing, implementing, or testing your plan, please contact us at contact@counteractive.net or (888) 925-5765.

License

This template is provided under the Apache License, version 2.0. See the LICENSE and NOTICE files for additional information.

References and Additional Reading

Roadmap

See issues list.

Changelog

See releases page.