After this lesson, you will be able to: Build an IR plan with defined roles, communication protocols, and tabletop exercises.
An IR plan is just a document, until it's tested. This lesson covers the components that make a plan actually work when an incident hits.
Roles & responsibilities (incident commander, scribe, technical lead, comms lead, legal). Severity definitions (what's a P0 vs P3?). Communication channels (who gets paged, when, on what platform). Decision authority (who can pull the website offline?). Pre-built playbooks for common incident types (ransomware, account takeover, data leak).
Internal: keep stakeholders informed without spreading false information. External: legal/PR-approved statements only. Premature public disclosure can violate breach laws and damage trust. Many companies have predefined holding statements, used immediately on confirmation, then updated as facts emerge.
Realistic, takes 30 minutes.
Pick a fictional company, give it 50 employees, an e-commerce site, AWS hosting
Write a 3-line scenario: 'a customer complains they can't log in; alerts show high traffic from one IP; the support inbox has 50 similar reports'
Assign roles: IC, technical lead, comms
Play it out, every 5 minutes inject a new fact ('the CFO is on vacation', 'the database is at 100% CPU')
Debrief: what worked, what was confusing, what's missing from the plan
Choose the right answer.
Sign in and purchase access to unlock this lesson.