SEC10-BP02: Develop incident management plans

Overview

The first document to develop for incident response is the incident response plan. The incident response plan is designed to be the foundation for your incident response program and strategy.

Benefits of establishing this best practice: Developing thorough and clearly defined incident response processes is key to a successful and scalable incident response program. When a security event occurs, clear steps and workflows can help you to respond in a timely manner. You might already have existing incident response processes. Regardless of your current state, it’s important to update, iterate, and test your incident response processes regularly.

Implementation Guidance

An incident management plan is critical to respond, mitigate, and recover from the potential impact of security incidents. An incident management plan is a structured process for identifying, remediating, and responding in a timely matter to security incidents. The cloud has many of the same operational roles and requirements found in an on-premises environment. When you create an incident management plan, it is important to factor response and recovery strategies that best align with your business outcome and compliance requirements.

For example, if you operate workloads in AWS that are FedRAMP compliant in the United States, follow the recommendations in NIST SP 800-61 Computer Security Handling Guide. Similarly, when you operate workloads that store personally identifiable information (PII), consider how to protect and respond to issues related to data residency and use.

When building an incident management plan for your workloads in AWS, start with the AWS Shared Responsibility Model for building a defense-in-depth approach towards incident response. In this model, AWS manages security of the cloud, and you are responsible for security in the cloud. This means that you retain control and are responsible for the security controls you choose to implement.

The AWS Security Incident Response Guide details key concepts and foundational guidance for building a cloud-centric incident management plan. An effective incident management plan must be continually iterated upon, remaining current with your cloud operations goal.

Implementation Steps

  1. Define roles and responsibilities within your organization for handling security events. This should involve representatives from various departments, including:
    • Human resources (HR)
    • Executive team
    • Legal department
    • Application owners and developers (subject matter experts, or SMEs)

  2. Clearly outline who is responsible, accountable, consulted, and informed (RACI) during an incident. Create a RACI chart to facilitate quick and direct communication, and clearly outline the leadership across different stages of an event.

  3. Involve application owners and developers (SMEs) during an incident, as they can provide valuable information and context to aid in measuring the impact. Build relationships with these SMEs, and practice incident response scenarios with them before an actual incident occurs.

  4. Involve trusted partners or external experts in the investigation or response process, as they can provide additional expertise and perspective.

  5. Align your incident management plans and roles with any local regulations or compliance requirements that govern your organization.

  6. Practice and test your incident response plans regularly, and involve all the defined roles and responsibilities. This helps streamline the process and verify you have a coordinated and efficient response to security incidents.

  7. Review and update the roles, responsibilities, and RACI chart periodically, or as your organizational structure or requirements change.

Understand AWS Response Teams and Support

AWS Support: Support offers a range of plans that provide access to tools and expertise that support the success and operational health of your AWS solutions. Consider the Support Center in AWS Management Console as the central point of contact to get support for issues that affect your AWS resources.

AWS Customer Incident Response Team (CIRT): The AWS Customer Incident Response Team (CIRT) is a specialized 24/7 global AWS team that provides support to customers during active security events on the customer side of the AWS Shared Responsibility Model. AWS customers can engage the AWS CIRT through a Support case.

DDoS Response Support: AWS offers AWS Shield, which provides a managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS.

AWS Managed Services (AMS): AWS Managed Services provides ongoing management of your AWS infrastructure so you can focus on your applications. AMS takes responsibility for deploying a suite of security detective controls and provides a 24/7 first line of response to alerts.

Develop the Incident Response Plan

The incident response plan should be in a formal document. An incident response plan typically includes these sections:

  • An incident response team overview: Outlines the goals and functions of the incident response team
  • Roles and responsibilities: Lists the incident response stakeholders and details their roles when an incident occurs
  • A communication plan: Details contact information and how you communicate during an incident
  • Backup communication methods: It’s a best practice to have out-of-band communication as a backup for incident communication
  • Phases of incident response and actions to take: Enumerates the phases of incident response (for example, detect, analyze, eradicate, contain, and recover), including high-level actions to take within those phases
  • Incident severity and prioritization definitions: Details how to classify the severity of an incident, how to prioritize the incident, and then how the severity definitions affect escalation procedures

    Implementation Examples

Example 1: Comprehensive Incident Management Plan Framework

Example 2: RACI Matrix and Communication Plan Implementation

Resources

Compliance Frameworks

Copyright © 2025 Cloudvisor. Distributed under the MIT license.

Powered by Just the Docs, a documentation theme for Jekyll.