What is a security incident response plan?

Answer

A security incident response plan (IRP) is the documented set of procedures an organization follows to detect, respond to, and recover from cybersecurity incidents, together with the people, tools, and decision authority needed to execute them. The reference model most plans are built on is NIST SP 800-61 (Computer Security Incident Handling Guide), which defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The six-step breakdown below splits the third phase into its parts, as the SANS incident-handling model does; the activities are the same.

1. Preparation: establish the CSIRT (Computer Security Incident Response Team); define roles, escalation paths, and who has the authority to isolate or shut down systems; deploy the tooling the team will depend on (SIEM, EDR, centralized logging with enough retention to cover a realistic dwell time); write playbooks for the likely scenarios (ransomware, data breach, insider threat, compromised credentials); run tabletop exercises.

2. Detection and Analysis: monitor telemetry and triage alerts, correlate related alerts into a single incident, determine scope (affected hosts, accounts, data) and severity, and preserve evidence before anything is changed (disk and memory captures, logs, and raw alert records, each hashed and logged in a chain-of-custody record).

3. Containment: short-term, stop the spread (isolate affected hosts from the network, disable compromised accounts, block attacker infrastructure) without destroying evidence; long-term, apply interim fixes and hardening so affected systems can stay in production without re-infection while eradication is planned.

4. Eradication: remove malware and any attacker persistence, patch the exploited vulnerabilities, and reset compromised credentials and secrets (service accounts, API keys, and tokens as well as user passwords).

5. Recovery: restore systems from backups verified to predate the compromise, confirm their integrity, return them to production in stages, and monitor closely for recurrence.

6. Post-incident Activity: root cause analysis, a lessons-learned review held soon after closure, and concrete updates to detections, playbooks, and controls.

Key metrics: MTTD (mean time to detect) and MTTR (mean time to respond or recover). Agree on the start and end points (first malicious activity, first alert, analyst acknowledgement, containment, full recovery) before reporting them, because different definitions give very different numbers. Legal obligations: GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach, where feasible; the HIPAA Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery; industry-specific rules (for example PCI DSS for cardholder data) add their own. Practice the plan: run tabletop or simulated incidents at least quarterly, and revise the plan after every exercise and every real incident.
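The Detection and Analysis and Containment steps above, as an added example in code (not from NIST SP 800-61, SANS, or any IR product): it correlates constructed EDR/SIEM alerts into incidents, scores them, derives short-term containment actions, hashes each raw alert for evidence preservation, and computes per-incident time-to-detect and time-to-respond plus the GDPR 72-hour notification deadline. The alerts, hostnames, rule names, the one-hour correlation window, and the isolation threshold are all assumptions chosen for illustration.

```python
"""Alert correlation and triage over constructed EDR/SIEM alerts.

Added example: not from NIST SP 800-61 or any IR product. Hosts, users,
rule names, the correlation window and the isolation threshold are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample alerts (not real telemetry). "ts" is UTC.
SAMPLE_ALERTS = [
    {"ts": "2024-03-04T02:11:05Z", "host": "fin-ws-17", "user": "jdoe",
     "rule": "suspicious_powershell_encoded", "severity": "medium"},
    {"ts": "2024-03-04T02:13:40Z", "host": "fin-ws-17", "user": "jdoe",
     "rule": "lsass_memory_access", "severity": "high"},
    {"ts": "2024-03-04T02:20:12Z", "host": "fin-fs-01", "user": "jdoe",
     "rule": "smb_admin_share_logon", "severity": "high"},
    {"ts": "2024-03-04T02:25:00Z", "host": "hr-ws-03", "user": "asmith",
     "rule": "usb_mass_storage_attached", "severity": "low"},
    {"ts": "2024-03-04T02:31:50Z", "host": "fin-fs-01", "user": "svc-backup",
     "rule": "mass_file_rename", "severity": "critical"},
]

SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 7, "critical": 10}
SCORE_NAME = {v: k for k, v in SEVERITY_SCORE.items()}
ISOLATE_THRESHOLD = 7                     # assumption: one "high" or worse on a host => isolate it
CORRELATION_WINDOW = timedelta(hours=1)   # assumption: alerts linked within 1 h belong together
GDPR_NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33 clock starts when the controller becomes aware


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def preserve(alert: dict) -> dict:
    """Evidence preservation: keep the raw record plus a SHA-256 over its canonical form."""
    raw = json.dumps(alert, sort_keys=True, separators=(",", ":"))
    return {"sha256": hashlib.sha256(raw.encode()).hexdigest(), "raw": raw}


def correlate(alerts: list[dict], window: timedelta = CORRELATION_WINDOW) -> list[dict]:
    """Chain alerts that share a host or user within `window` of an incident's last alert."""
    incidents: list[dict] = []
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        t = parse_ts(a["ts"])
        for inc in incidents:
            linked = a["host"] in inc["hosts"] or a["user"] in inc["users"]
            if linked and t - inc["last_seen"] <= window:
                inc["alerts"].append(a)
                inc["hosts"].add(a["host"])
                inc["users"].add(a["user"])
                inc["last_seen"] = t
                break
        else:  # no open incident matched: open a new one
            incidents.append({"alerts": [a], "hosts": {a["host"]}, "users": {a["user"]},
                              "first_seen": t, "last_seen": t})
    return incidents


def triage(inc: dict) -> dict:
    """Score an incident and derive short-term containment actions from its alerts."""
    per_host: dict[str, int] = {}
    for a in inc["alerts"]:
        per_host[a["host"]] = max(per_host.get(a["host"], 0), SEVERITY_SCORE[a["severity"]])
    score = sum(SEVERITY_SCORE[a["severity"]] for a in inc["alerts"])
    isolate = sorted(h for h, s in per_host.items() if s >= ISOLATE_THRESHOLD)
    # Every account seen on a host being isolated is treated as potentially compromised.
    rotate = sorted({a["user"] for a in inc["alerts"] if a["host"] in isolate})
    return {
        "severity": SCORE_NAME[max(per_host.values())],
        "score": score,
        "hosts": sorted(inc["hosts"]),
        "users": sorted(inc["users"]),
        "first_seen": inc["first_seen"].isoformat(),
        "actions": {"isolate_hosts": isolate, "rotate_credentials": rotate},
        "evidence": [preserve(a) for a in inc["alerts"]],
    }


def metrics(inc: dict, acknowledged_at: datetime, contained_at: datetime) -> dict:
    """Per-incident TTD/TTR in minutes, measured from the first malicious alert.

    MTTD/MTTR are the means of these values over a reporting period.
    """
    first = inc["first_seen"]
    return {
        "ttd_minutes": (acknowledged_at - first).total_seconds() / 60,
        "ttr_minutes": (contained_at - first).total_seconds() / 60,
        # Assumes the organization "became aware" at analyst acknowledgement.
        "gdpr_notify_by": (acknowledged_at + GDPR_NOTIFY_WINDOW).isoformat(),
    }


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(json.dumps(triage(inc), indent=1))
```

On the sample data the four alerts touching jdoe and fin-fs-01 collapse into one critical incident (isolate both hosts, rotate jdoe and svc-backup), while the USB alert on hr-ws-03 stays a separate low-severity incident. The isolation and rotation lists are candidate actions for the analyst, not automation; the point of scoping first is to make sure containment covers every host the attacker reached, including the file server where the ransomware behaviour appeared under a different account.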