IR Planner components

These are the main components of the Incident Response (IR) Planner and the important fields that the IR team requires to be successful.

Arctic Wolf recommends that you provide information for all sections of the IR Planner, to increase the effectiveness of IR services. If you choose not to complete all sections, you should still store the relevant information in a secure and accessible location in case of emergencies.

Tip: Use the Comments field in each section to add additional information that may not be captured elsewhere in the IR Planner.

Response Team

The Response Team section contains contact information to help your internal stakeholders respond efficiently to an incident.

Value of the Response Team section

A complete Response Team section:
  • Makes sure that you can notify the right internal stakeholders immediately.
  • Avoids communication delays during emergencies.
  • Maintains continuity if corporate systems are compromised.
  • Speeds up decision-making when time is critical.
Regularly update your contact list, including secondary contact information. In a serious incident, your business email or phone lines might be unavailable. A secondary contact method, such as a personal phone number or email address, allows you to still reach your coworkers.
Note:

You can reselect the contacts that you create here in other sections of the plan.

Tip: You can use the Role Name field to:
  • Add departments and sub-departments — For example, HR, Customer Service, or Marketing. Use a hyphen to note more specific departmental hierarchy. For example, HR – Employee Benefits or Legal – Cyber.

  • Prioritize contacts — If you have multiple employees from the same department, add a priority level. For example, (P1) and (P2).

  • Response actions — Add response actions associated with that team member. For example, Only call if ransomware or Call for all incidents.

Response Team components

These are the components of the Response Team section. For each component, Description explains who the person is, Role during an incident explains what they do and when to contact them, and Important fields lists the information to record.

Executive Response Leader

Description: A key stakeholder for contract agreements, risk management strategies, and executive-level decisions if an incident occurs.

Role during an incident: The executive response leader leads the overall response, makes strategic decisions, and coordinates communication across departments and with external parties. Contact the executive response leader as soon as a significant incident is suspected.

Important fields:
  • At least two of:
    • Office Phone
    • Mobile Phone
    • Work Email
    • Personal Email

Technical Leader

Description: The team member who provides infrastructure information, system capabilities, and cybersecurity procedures to the Incident Response team.

Role during an incident: The technical leader leads the investigation, containment, and recovery of affected systems and data. Contact the technical leader when any technical anomaly, breach, or system compromise is detected.

Important fields:
  • At least two of:
    • Office Phone
    • Mobile Phone
    • Work Email
    • Personal Email

Financial Leader

Description: The stakeholder managing all financial factors of payroll, cash flow, business impact analysis, and business interruption during an incident.

Role during an incident: The financial leader assesses financial risk, manages insurance claims, and helps allocate emergency funds for response and recovery. Contact the financial leader if the incident may have a financial impact, for example fraud, ransomware, or business disruption.

Important fields:
  • At least two of:
    • Office Phone
    • Mobile Phone
    • Work Email
    • Personal Email

Legal Leader

Description: The response team member in charge of reviewing cybersecurity documents and agreements, coordinating with the data privacy law firm, and reviewing corporate legal strategies.

Role during an incident: The legal leader guides compliance, manages legal risk, and helps draft official communications. Contact the legal leader if there is potential legal exposure, regulatory reporting requirements, or customer data involved.

Important fields:
  • At least two of:
    • Office Phone
    • Mobile Phone
    • Work Email
    • Personal Email

Additional Leader

Description: Any other team member who must be present if a cyber incident occurs and can efficiently help with the response.

Important fields:
  • At least two of:
    • Office Phone
    • Cell Phone
    • Work Email
    • Personal Email

External Providers

The External Providers section contains technical and cyber vendors that should be contacted in case of a breach.

Value of the External Providers section

A complete External Providers section:
  • Speeds up coordination with IR, cyber insurance, legal counsel, or cybersecurity vendors.

  • Makes sure that you know the third-party providers who may be affected or need to assist.

  • Makes sure that contractual obligations and SLAs are met during a breach.

External Providers section

These are the components of the External Providers section. For each component, Description explains who the provider is, Role during an incident explains what they do and when to contact them, and Important fields lists the information to record.

Incident Response Provider

Description: Arctic Wolf is the provider of your Incident Response service.

Role during an incident: IR helps resolve any cyber incidents in your environment. The IR team can remove the threat actor from your environment, negotiate with the threat actor, determine the root cause and extent of the attack, and restore critical systems to their initial state.

Primary IT Provider

Description: A technical vendor who augments network, security, infrastructure, and other services.

Role during an incident: Your IT provider can assist with investigation, containment, and recovery of affected systems and data.

Important fields:
  • Contact

Data Privacy Law Firm

Description: A law firm that advises on the regulatory and contractual obligations of data handling when an incident occurs.

Role during an incident: Your data privacy law firm can guide you through compliance and reporting obligations, and help reduce legal risk. Contact them if personal data is exposed or privacy laws are triggered.

Cyber Insurance Information

Description: The cyber insurance provider that supports your organization's risk transfer strategy by identifying and maintaining cyber insurance coverage.

Role during an incident: Cyber insurance helps cover the costs associated with a breach, including:
  • Legal fees
  • Customer notification
  • Regulatory fines
  • Business interruption

Important fields:
  • Broker Name
  • Insurance Carrier Name

Note:

You can click Upload to upload a file containing your cyber insurance information.

Additional Provider

Description: Any additional providers that work alongside your Incident Response team when an incident occurs or when a claim against cyber insurance is needed.

Network Information

The Network Information section includes location, cloud, and remote access information that provides an overview of your network.

Value of the Network Information section

A complete Network Information section provides a clear understanding of the scope of your physical and cloud network. This information enables faster containment and recovery, reduces downtime, and mitigates data loss.

Network Information section

These are the components of the Network Information section. For each component, Description explains what to record, Value during an incident explains why it matters, and Important fields lists the information to record.

Primary Business Location

Description: The primary location of your organization.

Value during an incident: This information supports decisions about physical access, containment, and recovery.

Important fields:
  • Country
  • Street Address
  • City
  • State/Province
  • Zip Code
  • Number of Employees
  • Number of Workstations
  • Number of Physical Servers
  • Number of Virtual Servers
  • Firewall Provider
  • Firewall Model

Data Center Location

Description: The location of your organization's data center.

Value during an incident: This information supports decisions about physical access, containment, and recovery.

Important fields:
  • Country
  • Street Address
  • City
  • State/Province
  • Number of Physical Servers
  • Number of Virtual Servers
  • Firewall Provider
  • Firewall Model

Cloud Presence Information

Description: Any cloud services that your organization uses.

Value during an incident: This information:
  • Provides visibility into which cloud platforms host your data and services. For example, Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
  • Helps you coordinate with cloud support teams for investigation and recovery.
  • Identifies shared responsibility boundaries for security and compliance.

Important fields:
  • Cloud network services
  • Describe cloud service used
  • IP Address

Remote Work & Access

Description: Information about how your organization provides remote access to its systems and data.

Value during an incident: This information can indicate how threat actors gained access and supports containment strategies.

Important fields:
  • VPN Appliance/Software
  • Does every VPN user currently have MFA enabled for authentication?
  • Are there any non-user accounts that do not require MFA while on VPN?

DNS and Hostname Information

Description: Information about internet-exposed IT infrastructure, including the domains, IP addresses, and hostnames that your organization uses.

Value during an incident: This information helps:
  • Identify affected machines quickly.
  • Trace lateral movement across systems.
  • Target specific endpoints for investigation or shutdown.

Important fields:
  • Address and CNAME Records
  • Top-level domain names

Additional Locations & Networks

Description: Any other physical locations, data center locations, or other network information that your organization uses.

Incident Escalation

The Incident Escalation section contains alert, detection, and response processes.

Value of the Incident Escalation section

A complete Incident Escalation section:
  • Defines how and when incidents should be escalated.

  • Reduces confusion and ensures consistent handling of incidents.

  • Allows your team to immediately and confidently know what to do and where to find the instructions.

Incident Escalation components

These are the components of the Incident Escalation section. For each component, Description explains what to record, Value during an incident explains why it matters, and Important fields lists the information to record.

Incident Detection

Description: The preferred method of escalation if an employee detects suspicious activity or an incident. For small organizations, this could be a phone call to an owner of the company. For larger organizations, this could be a phone call to the security team, an online form, or another documented process.

Value during an incident: Knowing who to contact helps your team quickly assess and contain threats to communication channels.

Response Communication

Description: The method of communication to use if primary communication methods are impacted by an incident.

Value during an incident: Established methods of response communication allow your team to communicate quickly during an incident.

Endpoint and Server Monitoring

Description: Tools and systems to use for Endpoint Detection and Response (EDR), antivirus, network monitoring, and cloud monitoring.

Value during an incident: Detections from these tools can provide additional insight into how and when an attack occurred.

Important fields:
  • Antivirus Tool
  • Team name or provider
  • Monitoring tools
  • Monitoring system

Email Hosting

Description: The email systems that your organization uses.

Value during an incident: Email systems are often targeted in cyber attacks, for example phishing or account takeover.

Important fields:
  • Email Host

Critical Systems

The Critical Systems section lists the critical systems that must be restored after an incident to re-establish business operations. We recommend that you add your business functions, then their corresponding systems and backups.

Value of the Critical Systems section

A complete Critical Systems section:
  • Clarifies which systems are connected and where threats may spread.

  • Helps prioritize recovery efforts and identify what data may be at risk.

  • Makes sure that backups are accessible and usable in case of system failure.

Critical Systems components

These are the components of the Critical Systems section. For each component, Description explains what to record, Examples gives typical entries, and Important fields lists the information to record.

Business Function

Description: The systems whose restoration the IR team should prioritize. Each business function typically includes a UI and a database. Map out systems under each function so that you can restore the most important ones first and minimize disruption.

Each system should have one or more backups to ensure continuity if the system goes down.

Examples across different industries:
  • Healthcare — Patient Management
  • Retail — Inventory & Sales
  • Finance — Accounting
  • Education — Student Services

Important fields:
  • System Information

Supporting Systems

Description: Systems that are part of a critical business function.

Examples across different industries:
  • Healthcare — Electronic health records (EHR), appointment scheduling, billing, secure messaging
  • Retail — POS system, inventory database, supplier portal, analytics dashboard
  • Finance — Accounting software, payroll system, billing system, tax reporting tools, bank integrations
  • Education — Learning management system (LMS), student database, communication tools, grading systems

Other examples:
  • Shipping and receiving
  • Customer support
  • Payment processing
  • HR systems
  • Manufacturing
  • Invoicing
  • Tools for customer databases
  • Communication tools
  • Internal dashboard interfaces
  • Customer-facing web applications

Important fields:
  • Backup Data

Note:
  • There are two options to choose from: SaaS System or Organization System. SaaS System refers to an external system that you subscribe to. Organization System refers to any proprietary system built and managed in-house.
  • You can reselect any previously entered system.

Backup Data

Description: An overview of the data your organization keeps backups of. Information about backup data can help Arctic Wolf evaluate the viability of backups and determine the ransomware negotiation strategy. Keep information about where the backups are stored, how to access them, and who is responsible for managing them.

Tip:

Keep multiple backups in case one backup is corrupted or inaccessible.

Important fields:
  • Backup Name
  • Backup Frequency
  • Brief description of the system
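As an added illustration of the checks this page asks for (at least two contact methods per Response Team member plus a secondary channel, MFA on every VPN path in Remote Work & Access, and more than one backup per supporting system in Backup Data), the following Python script validates a planner export before sign-off. It is example code written for this page, not part of the Arctic Wolf IR Planner: the plan layout, key names such as all_vpn_users_have_mfa, the choice of Mobile Phone and Personal Email as the out-of-band channels, and the sample data are all constructed assumptions, while the contact and backup field names follow the page.

```python
"""Completeness checks for an IR plan export (added example, not Arctic Wolf code).

The plan structure below is a constructed stand-in for the planner sections
described on this page; the field names follow the page, the layout is assumed.
"""
from __future__ import annotations

CONTACT_FIELDS = ("Office Phone", "Mobile Phone", "Work Email", "Personal Email")
# Assumption: these two fields are the out-of-band channels that still work
# when corporate email and phone lines are down.
SECONDARY_FIELDS = ("Mobile Phone", "Personal Email")

# Constructed sample plan: one gap of each kind so every check fires once.
SAMPLE_PLAN = {
    "response_team": [
        {"role": "Executive Response Leader", "name": "A. Example",
         "Office Phone": "+1-555-0100", "Personal Email": "a@example.net"},
        {"role": "Technical Leader", "name": "B. Example",
         "Work Email": "b@corp.example"},                               # only one method
        {"role": "Legal Leader - Cyber", "name": "C. Example",
         "Office Phone": "+1-555-0102", "Work Email": "c@corp.example"},  # no out-of-band
    ],
    "remote_access": {
        "VPN Appliance/Software": "ExampleVPN 1.0",   # constructed product name
        "all_vpn_users_have_mfa": False,
        "non_user_accounts_without_mfa": True,
    },
    "critical_systems": [
        {"function": "Finance - Accounting", "system": "Accounting software",
         "backups": [{"Backup Name": "nightly-full", "Backup Frequency": "daily"},
                     {"Backup Name": "offsite-weekly", "Backup Frequency": "weekly"}]},
        {"function": "Retail - Inventory & Sales", "system": "POS system",
         "backups": [{"Backup Name": "pos-snapshot", "Backup Frequency": "daily"}]},
        {"function": "Customer support", "system": "Ticketing SaaS", "backups": []},
    ],
}


def check_response_team(plan: dict) -> list[str]:
    """Flag contacts with fewer than two methods or without an out-of-band channel."""
    findings = []
    for member in plan.get("response_team", []):
        present = [f for f in CONTACT_FIELDS if member.get(f)]
        label = f"{member['role']} ({member['name']})"
        if len(present) < 2:
            findings.append(f"ERROR {label}: {len(present)} contact method(s), need at least two")
        if not any(member.get(f) for f in SECONDARY_FIELDS):
            findings.append(f"WARN {label}: no secondary (out-of-band) contact method")
    return findings


def check_remote_access(plan: dict) -> list[str]:
    """Flag VPN paths without MFA; an unknown answer is treated as a gap, not a pass."""
    ra = plan.get("remote_access", {})
    findings = []
    if not ra.get("VPN Appliance/Software"):
        findings.append("ERROR remote access: VPN appliance/software not recorded")
    if not ra.get("all_vpn_users_have_mfa", False):
        findings.append("ERROR remote access: not every VPN user has MFA enabled")
    if ra.get("non_user_accounts_without_mfa", True):
        findings.append("WARN remote access: non-user accounts can use VPN without MFA")
    return findings


def check_backups(plan: dict) -> list[str]:
    """Every supporting system needs a backup; the page's tip asks for more than one."""
    findings = []
    for entry in plan.get("critical_systems", []):
        backups = entry.get("backups", [])
        label = f"{entry['function']} / {entry['system']}"
        if not backups:
            findings.append(f"ERROR {label}: no backup recorded")
        elif len(backups) == 1:
            findings.append(f"WARN {label}: only one backup; keep a second in case it is corrupted")
        for b in backups:
            if not b.get("Backup Frequency"):
                findings.append(f"WARN {label}: backup {b.get('Backup Name', '?')} has no frequency")
    return findings


def check_plan(plan: dict) -> list[str]:
    """Run all checks in section order; ERROR findings should block plan sign-off."""
    return check_response_team(plan) + check_remote_access(plan) + check_backups(plan)


def error_count(findings: list[str]) -> int:
    """Number of blocking findings in a result list."""
    return sum(1 for f in findings if f.startswith("ERROR"))


if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN):
        print(line)
```

Run against the constructed plan, the script reports three blocking findings (a leader with a single contact method, VPN users without MFA, and a system with no backup) and four warnings; the missing-MFA answers default to a gap rather than a pass so that an incomplete section is never silently accepted.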