Incident Response Program Bundle

This customizable Word document is a policy for organizations to document their Incident Response (IR) program. The 7-page policy covers topics including the purpose and scope of the policy, key definitions, important roles and responsibilities, and tabletop exercises and is intended to be the high level implementation document for an organization's IR Plan (also available from Natsar).

This 23-page customizable Word document is a complete Incident Response (IR) plan for an organization and based on the NIST Cybersecurity Framework. This plan has been used across the country and for multiple organizations with great success and meets standards and best practices including NIST, CIS Critical Security Controls, ISO, and others.

Formally documenting an IR investigation can be just as important as the technical IR response itself and can be invaluable in cases that involve insider threats, misconduct, or cybercrime where some legal action may be taken. This report template has all of the necessary sections that should be completed when documenting an IR case.

Once an incident is declared and notifications begin, organizational leadership will want regular status briefings. This slide deck provides some guidance for an IR team on what they should be prepared to answer and information to include.

Often an IR case requires more than one report as evidence is analyzed and new facts become available, which necessitates writing a supplemental report. This report template matches the initial IR report template also available and allows IR analysts to document new information since the filing of an initial report.

This document helps an IR team keep track of key events during an incident such as when the incident was first discovered, who declared it an incident, what individuals were assigned certain tasks, containment and mitigation actions, and information on the scope of the incident.

This checklist will assist individuals serving as CIRT Lead while responding to an incident.

This checklist will assist CIRT members in making the proper notifications and maintaining the checklist as an artifact of IR activities.

This checklist is designed to help IR teams track communications specific to an incident. For example, media inquiries, requests for assistance to law enforcement or regulatory bodies, internal communications, etc.

Dealing with media and public inquiries can be a stressful part of IR. This checklist is designed to help IR teams keep track of media points of contact, inquires received, statements, given and tips on what should and should not be discussed.

Your IR team may need to respond to another location such as a branch office or to assist another entity. This checklist is designed to be sent ahead of the CIRT to ensure as much as possible is ready for them when they arrive, expediting the IR process.

Once an incident is over, it is always recommended to conduct a postmortem review and after action report to capture what went well and opportunities for improvement. This document will help IR teams focus on key topics to cover during the postmortem debriefing.

Log files are one of the most valuable sources of information during an IR investigation and knowing what log files to get (or what is available) may be challenging. This checklist can be given to IT staff and external managed service providers to obtain logs requested by the IR team.

Evidence is volatile and knowing what to collect and in what order to collect it during an IR investigation is critically important to a successful outcome. This checklist assists staff with what data should be collected and the steps to take during the evidence collection process ranging from collecting system RAM and running processes, to capturing registry hives and event logs.

When an incident is declared and multiple individuals begin working on response and mitigation, it can be difficult to keep track of internal and external staff. This document is a simple way to track who is working the incident, their cell phone number, and the role they have been assigned.

This free spreadsheet is an easy to use tracker of hosts that are determined to be impacted by a cyber incident and allows IR teams to keep track of response activities per host.