Incident Response Plan (IRP)

What is an Incident Response Plan?

An Incident Response Plan (IRP) is a structured document that defines the procedures, responsibilities and processes an organization must follow when detecting, responding to and recovering from cybersecurity incidents.

Essential Components of an IRP

1. Policy and Objectives

  • Definition of the plan's scope and objectives
  • Classification of incidents by severity
  • Leadership commitment statement
  • Applicable frameworks and regulations (NIST, ISO 27035, LGPD)

2. Team Structure (CSIRT)

  • Incident Response Manager: Coordinates the entire response
  • Security Analysts: Technical and forensic analysis
  • IT Operations: Containment and system recovery
  • Communications Lead: Stakeholders and media
  • Legal/Compliance: Legal and regulatory aspects

3. Process Phases

  • Preparation: Training, tools and procedures
  • Detection and Analysis: Identification and classification
  • Containment: Limiting the incident's impact
  • Eradication: Removing the root cause
  • Recovery: Restoring systems and services
  • Lessons Learned: Post-mortem and continuous improvement

Response Playbooks

Specific playbooks for different types of incidents:

  • Ransomware and malware
  • Phishing and social engineering
  • Data breach (LGPD)
  • DDoS attacks
  • Credential compromise
  • Insider threats
  • Critical vulnerabilities (zero-day)

Tools and Technologies

  • SIEM: Splunk, IBM QRadar, Microsoft Sentinel
  • EDR/XDR: CrowdStrike, SentinelOne, Microsoft Defender
  • Ticketing: ServiceNow, Jira, TheHive
  • Communication: Slack, Microsoft Teams (dedicated channels)
  • Forensics: Autopsy, EnCase, FTK, Volatility
  • Threat Intelligence: MISP, ThreatConnect, Recorded Future

Communication and Escalation

Communication matrix defining when and how to inform:

  • Internal: C-Level, employees, affected areas
  • External: Customers, partners, suppliers
  • Regulators: ANPD, CVM, BACEN (as applicable)
  • Media: Press office
  • Authorities: Federal Police, CERT.br

Metrics and KPIs

  • MTTD (Mean Time to Detect): Average time to detection
  • MTTR (Mean Time to Respond): Average time to response
  • MTTC (Mean Time to Contain): Average time to containment
  • MTTR (Mean Time to Recover): Average time to recovery
  • Number of incidents by category and severity
  • Financial and operational impact

LGPD Compliance

The IRP must be aligned with the requirements of the General Data Protection Law:

  • Notification to the ANPD within 2 business days (relevant incidents)
  • Communication to affected data subjects
  • Detailed documentation of the incident and measures taken
  • Data Protection Impact Report (RIPD)

Testing and Simulations

The IRP must be tested regularly through:

  • Tabletop Exercises: Theoretical discussions of scenarios
  • Walk-throughs: Step-by-step review of procedures
  • Simulations: Hands-on exercises in a controlled environment
  • Red Team/Purple Team: Penetration tests with real response

Final Recommendations

  • [OK] Quarterly review and update of the IRP
  • [OK] Continuous training of the response team
  • [OK] Keep runbooks up to date and accessible
  • [OK] Document all incidents, even minor ones
  • [OK] Establish relationships with authorities before you need them
  • [OK] Have 24/7 emergency contacts always available
  • [OK] Keep offline and tested backups
  • [OK] Integrate the IRP with the BCP and DRP plans