Incident Response Plan Components

Updated Mar 13, 2024

IR plan components

These are the main components of the Incident Response (IR) plan and the important fields that the IR team requires to be successful. You do not need to complete every section, but more information increases the effectiveness of a plan.

Note: Sections that you do not fill in do not appear in the PDF export.

Response Team

These are the components of the Response Team section:

Notes:

  • You can reselect contacts you create here across the rest of the plan.
  • You can edit the Role Name field to specify a job title for the response team member.
Executive Response Leader
  Description: A key stakeholder for contract agreements, risk management strategies, and executive-level decisions if an incident occurs. Common roles in this position include CEO, COO, or president. It is beneficial if the Executive Response Leader is someone who has contractual signing authority. We recommend that you include at least two methods of contact.
  Important fields:
    • At least two of:
      • Office Phone
      • Cell Phone
      • Work Email
      • Personal Email

Technical Leader
  Description: The technical person who provides infrastructure information, system capabilities, and cybersecurity procedures to the Incident Response team. A Technical Leader can make decisions and assign tasks to other team members throughout the response. Common roles in this position are IT directors and managers.
  Important fields:
    • At least two of:
      • Office Phone
      • Cell Phone
      • Work Email
      • Personal Email

Financial Leader
  Description: The stakeholder managing all financial factors of payroll, cash flow, business impact analysis, and business interruption during an incident.
  Important fields:
    • At least two of:
      • Office Phone
      • Cell Phone
      • Work Email
      • Personal Email

Legal Leader
  Description: The response team member in charge of reviewing cybersecurity documents and agreements, coordinating with the data privacy law firm, and managing any corporate legal strategies.
  Important fields:
    • At least two of:
      • Office Phone
      • Cell Phone
      • Work Email
      • Personal Email

Additional Leader
  Description: Any other team member who must be present if a cyber incident occurs and who can efficiently help with the response.
  Important fields:
    • At least two of:
      • Office Phone
      • Cell Phone
      • Work Email
      • Personal Email
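As an added check (example code, not Arctic Wolf's own tooling or any portal API), the following Python script encodes two rules stated on this page: every response-team role should list at least two methods of contact, and sections left empty do not appear in the PDF export. The plan data layout, the use of role names as keys, the treatment of Additional Leader as optional, and the sample contacts are all assumptions constructed for the example.

```python
"""Plan-completeness checker for the Response Team section.

Added example, not Arctic Wolf's code. It encodes the two rules stated
on this page: every response-team member should list at least two
methods of contact, and sections left empty are omitted from the PDF
export. The plan layout (dicts and dataclasses) is an assumption made
for this example; the real plan is edited in the Arctic Wolf portal.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Contact methods the page lists for every response-team role.
CONTACT_FIELDS = ("office_phone", "cell_phone", "work_email", "personal_email")
MIN_CONTACT_METHODS = 2

# Roles the page describes. "Additional Leader" is treated as optional here
# (an assumption), so it is not in the required set.
REQUIRED_ROLES = (
    "Executive Response Leader",
    "Technical Leader",
    "Financial Leader",
    "Legal Leader",
)


@dataclass
class TeamMember:
    role: str
    name: str
    contacts: Dict[str, str] = field(default_factory=dict)

    def contact_methods(self) -> List[str]:
        """Contact fields with a non-blank value; blank fields are not usable."""
        return [k for k in CONTACT_FIELDS if self.contacts.get(k, "").strip()]


def validate_response_team(members: List[TeamMember]) -> List[str]:
    """Return human-readable findings; an empty list means the section passes."""
    findings: List[str] = []
    roles_present = {m.role for m in members}
    for role in REQUIRED_ROLES:
        if role not in roles_present:
            findings.append(f"{role}: no contact assigned")
    for m in members:
        methods = m.contact_methods()
        if len(methods) < MIN_CONTACT_METHODS:
            findings.append(
                f"{m.role} ({m.name}): {len(methods)} contact method(s) listed, "
                f"need at least {MIN_CONTACT_METHODS}"
            )
    return findings


def empty_sections(plan: Dict[str, object]) -> List[str]:
    """Top-level sections with no content; the page notes these are left out of the PDF export."""
    return [name for name, content in plan.items() if not content]


# Constructed sample data (not a real organization).
SAMPLE_TEAM = [
    TeamMember("Executive Response Leader", "A. Example",
               {"office_phone": "+1-555-0100", "work_email": "ceo@example.com"}),
    TeamMember("Technical Leader", "B. Example", {"cell_phone": "+1-555-0101"}),
    TeamMember("Financial Leader", "C. Example",
               {"work_email": "cfo@example.com", "personal_email": "   "}),
]
SAMPLE_PLAN: Dict[str, object] = {
    "Response Team": SAMPLE_TEAM,
    "External Providers": {"Incident Response Provider": "Arctic Wolf"},
    "Network Information": {},
    "Incident Escalation": {},
    "Critical Systems": {"Supporting Systems": ["Customer-facing web applications"]},
}

if __name__ == "__main__":
    for finding in validate_response_team(SAMPLE_TEAM):
        print("FINDING:", finding)
    for section in empty_sections(SAMPLE_PLAN):
        print("EMPTY (will not appear in PDF export):", section)
```

Run against the constructed sample, the script reports the missing Legal Leader and the two members with only one usable contact method (a whitespace-only Personal Email does not count), and lists Network Information and Incident Escalation as sections that would be dropped from the export.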

External Providers

These are the components of the External Providers section:

Incident Response Provider
  Description: The provider of your Incident Response service. This is always Arctic Wolf.

Primary IT Provider
  Description: A third-party IT organization that works alongside your Incident Response team when an incident occurs or when a claim against cyber insurance is needed.
  Important fields:
    • Contact

Data Privacy Law Firm
  Description: An organization that represents the regulatory and contractual obligations of data handling when an incident occurs or when a claim against cyber insurance is needed.

Cyber Insurance Information
  Description: A cyber insurance provider that manages the risk transference strategy of your organization for identifying and maintaining cyber insurance coverage.
  Important fields:
    • Broker Name
    • Insurance Carrier Name
  Note: You can click Upload to upload a file containing your cyber insurance information.

Additional Provider
  Description: Any additional providers that work alongside your Incident Response team when an incident occurs or when a claim against cyber insurance is needed.

Network Information

These are the components of the Network Information section:

Primary Business Location
  Description: The primary location of your organization.
  Important fields:
    • Country
    • Street Address
    • City
    • State/Province
    • Zip Code
    • Number of Employees
    • Number of Workstations
    • Number of Physical Servers
    • Number of Virtual Servers
    • Firewall Provider
    • Firewall Model

Data Center Location
  Description: Where the data center of your organization is located. If there is a data center separate from your primary business location, Arctic Wolf needs to know this to determine the restoration plan.
  Important fields:
    • Country
    • Street Address
    • City
    • State/Province
    • Number of Physical Servers
    • Number of Virtual Servers
    • Firewall Provider
    • Firewall Model

Cloud Presence Information
  Description: Any cloud services that your organization uses.

Remote Work & Access
  Description: Information about how your organization handles accessing information remotely. This information might be an early indication of how threat actors gained access.
  Important fields:
    • VPN provider
    • Does every VPN user currently have MFA enabled for authentication?
    • Are there any non-user accounts that do not require MFA while on VPN?

DNS and Hostname Information
  Description: Information about internet-exposed IT infrastructure, including domains (DNS) used by the organization, IP addresses, and hostnames. This information helps Arctic Wolf assess the overall risk to the organization and, during an investigation, helps determine how the incident might have occurred.
  Important fields:
    • Top-level domain names

Virtual Desktop Infrastructure
  Description: Information about virtual desktop infrastructure (VDI) that your organization uses.

Additional Locations & Networks
  Description: Any other physical locations, data center locations, or VDIs that your organization uses.

Incident Escalation

These are the components of the Incident Escalation section:

Incident Detection
  Description: The preferred method of escalation if an employee detects suspicious activity or an incident. For small organizations, this could be a phone call to an owner of the company. For larger organizations, this could be a phone call to the security team, an online form, or another documented process.

Response Communication
  Description: The method of communication to use during an incident if the primary communication methods are impacted by the incident.

Endpoint & Server Monitoring
  Description: Tools and systems used for endpoint detection and response (EDR), antivirus, network monitoring, and cloud monitoring.
  Important fields:
    • What antivirus or Endpoint Detection and Response tool is installed on servers and workstations?
    • Which internal team or provider monitors endpoint alerts 24/7 to detect incidents?
    • What network monitoring tools are in place to monitor network traffic for suspicious activity?
    • What monitoring is in place for cloud systems to detect suspicious activity?

Email Hosting
  Description: The email systems that your organization uses.
  Important fields:
    • Email Host
    • Number of Exchange servers

Critical Systems

These are the components of the Critical Systems section:

New Critical Business Function
  Description: Systems that the IR team should prioritize the restoration of. These systems could include:
    • Shipping and receiving
    • Customer support
    • Point of sale (POS) systems
    • Payment processing
    • HR systems
    • Payroll
    • Manufacturing
    • Invoicing
  Important fields:
    • System Information

Supporting Systems
  Description: Systems that are a part of a critical business function. These systems could include:
    • Health records management systems
    • Tools for customer databases
    • Customer service
    • Communication tools
    • Internal dashboard interfaces
    • Customer-facing web applications
  Important fields:
    • Backup Data
  Notes:
    • There are two options to choose from: SaaS System or Organization System. SaaS System refers to an external system that you subscribe to, and Organization System refers to any proprietary system built and managed in-house.
    • You can reselect any previously entered system.

Backup Data
  Description: An overview of the data your organization keeps backups of. This information is beneficial when devising the restoration strategy. Information about backup data can help Arctic Wolf evaluate the viability of backups and determine the ransomware negotiation strategy.
  Important fields:
    • Backup Name
    • Backup Frequency
    • Brief description of the system