Cybersecurity Incident Response Program Bundle

This customizable Word document is a policy for organizations to document their Incident Response (IR) program. The 7-page policy covers topics including the purpose and scope of the policy, key definitions, important roles and responsibilities, and tabletop exercises and is intended to be the high level implementation document for an organization's IR Plan (also available from Natsar).

This 23-page customizable Word document is a complete Incident Response (IR) plan for an organization and based on the NIST Cybersecurity Framework. This plan has been used across the country and for multiple organizations with great success and meets standards and best practices including NIST, CIS Critical Security Controls, ISO, and others.

Formally documenting a cybersecurity incident response investigation can be just as important as the technical IR response itself and can be invaluable in cases that involve insider threats, misconduct, or cybercrime where some legal action may be taken. This report template has all of the necessary sections that should be completed when documenting an IR case.

Once a cyberattack occurs and an incident declared, questions are going to start coming from every direction. This briefing template has been used successfully for executives and boards to keep them updated on incident response activities. This 8-slide presentation in PowerPoint format is part of a larger collection of Incident Response materials and may be purchased from Natsar as part of a bundle, or individually. This slide deck provides some guidance for an IR team on what they should be prepared to answer and information to include.

Often a cyber incident response case requires more than one report as evidence is analyzed and new facts become available, which necessitates writing a supplemental report. This report template matches the initial IR report template also available and allows IR analysts to document new information since the filing of an initial report.

Details matter during a cyberattack and incident response activities need to be captured. This document helps an IR team keep track of key events during an incident such as when the incident was first discovered, who declared it an incident, what individuals were assigned certain tasks, containment and mitigation actions, and information on the scope of the incident.

There is a lot to think about during any cybersecurity incident response, especially if you are leading the response. This checklist assists the team leader by reminding them of critical steps that need to be accomplished during the response activities to help ensure a successful outcome.

In the midst of a cyberattack is not the time to determine who must be notified of incident response activities. This checklist will help you identify who should be notified and when and also track when those notifications have been made.

During a cyberattack and incident response, there are a lot of communications occurring internally and externally that need to be tracked. For example, media inquiries, executive notifications, law enforcement, or regulatory bodies. This form helps you keep track of these communications.

A cyberattack is stressful enough and dealing with media and public inquiries can add an entirely new level of stress to a situation, especially if you are not prepared. This checklist is designed to help cybersecurity incident response teams keep track of media points of contact, inquires received, statements given, and tips on what should and should not be discussed.

Your cybersecurity incident response team may need to respond to another location such as a branch office or to assist another entity. This checklist is designed to be sent ahead of the CIRT to ensure as much as possible is ready for them when they arrive, expediting the IR process. Does the location have conference rooms, phones, data connections, a white board? These and many other questions will help an IR team make sure that the location is prepared for them prior to arrival.

At the conclusion of a cyberattack and incident response, it is always recommended to conduct a postmortem review and after action report (AAR) to capture what went well and opportunities for improvement. This document will help IR teams focus on key topics to cover during the postmortem debriefing.

Log files are one of the most valuable sources of information during a cybersecurity incident response investigation and knowing what log files to get (or what is available) may be challenging. This checklist can be given to IT staff and external managed service providers to obtain logs requested by the IR team.

Evidence is volatile and knowing what to collect and in what order to collect it during a cybersecurity incident response investigation is critically important to a successful outcome. This checklist assists staff with what data should be collected and the steps to take during the evidence collection process ranging from collecting system RAM and running processes, to capturing registry hives and event logs.

When an incident is declared and multiple individuals begin working on response and mitigation, it can be difficult to keep track of internal and external staff. This document is a simple way to track who is working the incident, their cell phone number, and the role they have been assigned.

When hosts are determined to be affected by a cyberattack, this simple yet effective spreadsheet keeps track of affected hosts and should be part of your cyber incident response documents.

Whether you are a private company, nonprofit, law enforcement agency, or other government organization, you may provide incident response (IR) assistance to other organizations or business units. This scoping form allows an IR team to ask questions ahead of an engagement that will help scope, understanding deployed technologies, understanding architecture, and other critical data point necessary for a successful IR engagement. This form will help you save time, reduce frustration, and increase effectiveness.