An incident response plan (IRP) is a set of written instructions for detecting, responding to and limiting the effects of an information security event. Incident response plans provide instructions for responding to a number of potential scenarios, including data breaches, denial of service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks, and insider threats. Without an incident response plan in place, organizations may either fail to detect the attack in the first place, or fail to follow proper protocol to contain the threat and recover from it once a breach is detected.

According to the SANS Institute, there are six key phases of an incident response plan:

1. Preparation: Preparing users and IT staff to handle potential incidents should they arise
2. Identification: Determining whether an event is indeed a security incident
3. Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage
4. Eradication: Finding the root cause of the incident and removing affected systems from the production environment
5. Recovery: Permitting affected systems back into the production environment, ensuring no threat remains
6. Lessons learned: Completing incident documentation and performing analysis to learn from the incident and improve future response efforts

It is important that an incident response plan is formulated, supported throughout the organization, and regularly tested. A good incident response plan can minimize not only the effects of the actual security breach, but also the negative publicity. From a security team perspective, the question is not whether a breach occurs (such occurrences are an eventual part of doing business over an untrusted carrier network such as the Internet), but rather when a breach occurs.
Do not think of a system as weak and vulnerable; it is important to realize that given enough time and resources, someone can break into even the most security-hardened system or network. You do not need to look any further than the Security Focus website at http://www.securityfocus.com/ for updated and detailed information concerning recent security breaches and vulnerabilities, from the frequent defacement of corporate webpages to the 2002 attacks on the root DNS nameservers[1]. The positive aspect of realizing the inevitability of a system breach is that it allows the security team to develop a course of action that minimizes any potential damage. Combining a course of action with expertise allows the team to respond to adverse conditions in a formal and responsive manner.

The incident response plan itself can be separated into four phases:

1. Immediate action to stop or minimize the incident
2. Investigation of the incident
3. Restoration of affected resources
4. Reporting the incident to the proper channels