Incident Response Planning

How do I know there is an incident?

  • You might be experiencing a Malware attack if you suddenly see a higher volume of emails being sent or received; unusual items on your screen (graphics/messages); programs that start slowly, run slowly, or do not run at all; system instability or crashes; or deleted, corrupted, or inaccessible files.
  • You might be experiencing a Ransomware attack (a subset of malware) if you see messages that indicate that your files are inaccessible (encrypted or blocked) unless you pay an allotted ransom.
  • You might be experiencing a Denial of Service (DoS) attack if you have unexplained network connection losses; network and host intrusion detection alerts; increased network bandwidth utilization.
  • You might be experiencing Unauthorized Access if you see modifications to critical files (e.g. Web pages); use of idle accounts; unexpected activity from user accounts; direct messages from an attacker claiming that they have accessed your system.
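The signs listed above are easier to act on when they are turned into concrete checks against your own logs. The following is an added example, not part of the original page or any of the templates it links to: it flags three of those indicators (use of an idle account, modification of a critical file, and a sudden rise in outbound email volume) over a handful of constructed log lines. The log format (`timestamp|type|actor|detail`), the thresholds, and the critical-path list are assumptions chosen for the example and would be replaced with your environment's own values.

```python
"""Indicator checks over constructed log events (added example, not from the page).

Flags three signs named in the incident list: use of idle accounts,
changes to critical files, and a spike in sent email. Thresholds,
the line format and the critical-path list are assumptions for this example.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumption: an account is "idle" if its previous login was more than this many days ago.
IDLE_DAYS = 60
# Assumption: files whose modification should always be reviewed.
CRITICAL_PATHS = {"/var/www/html/index.html", "/etc/passwd"}
# Assumption: flag a sender who exceeds this multiple of their normal hourly volume.
EMAIL_SPIKE_FACTOR = 5


def parse(line):
    """Parse one constructed 'ts|type|actor|detail' line into a dict."""
    ts, kind, actor, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "type": kind, "actor": actor, "detail": detail}


def find_idle_account_use(events):
    """Logins by accounts whose previous login was more than IDLE_DAYS ago."""
    last_login = {}
    alerts = []
    for ev in sorted(events, key=lambda x: x["ts"]):
        if ev["type"] != "login":
            continue
        prev = last_login.get(ev["actor"])
        if prev is not None and ev["ts"] - prev > timedelta(days=IDLE_DAYS):
            alerts.append(f"idle account used: {ev['actor']} at {ev['ts'].isoformat()}")
        last_login[ev["actor"]] = ev["ts"]
    return alerts


def find_critical_file_changes(events):
    """Any write to a path in CRITICAL_PATHS (e.g. a served web page)."""
    return [f"critical file modified: {ev['detail']} by {ev['actor']}"
            for ev in events if ev["type"] == "file_write" and ev["detail"] in CRITICAL_PATHS]


def find_email_spikes(events, baseline_per_hour):
    """Senders whose per-hour sent count exceeds EMAIL_SPIKE_FACTOR x their baseline."""
    per_hour = Counter()
    for ev in events:
        if ev["type"] == "mail_sent":
            hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
            per_hour[(ev["actor"], hour)] += 1
    return [f"email spike: {actor} sent {n} messages in hour starting {hour.isoformat()}"
            for (actor, hour), n in per_hour.items()
            if n > EMAIL_SPIKE_FACTOR * baseline_per_hour.get(actor, 1)]


def triage(lines, baseline_per_hour):
    """Run all three checks over raw log lines and return the list of alerts."""
    events = [parse(line) for line in lines]
    return (find_idle_account_use(events)
            + find_critical_file_changes(events)
            + find_email_spikes(events, baseline_per_hour))


# Constructed sample log lines (not real data): alice logs in after a long gap,
# edits the web root, and sends 12 messages in one hour.
SAMPLE_LOG = [
    "2024-01-02T09:00:00|login|alice|workstation-1",
    "2024-01-03T09:05:00|login|bob|workstation-2",
    "2024-04-10T02:14:00|login|alice|workstation-1",
    "2024-04-10T02:20:00|file_write|alice|/var/www/html/index.html",
    "2024-04-10T02:21:00|file_write|alice|/home/alice/notes.txt",
] + [f"2024-04-10T02:{m:02d}:00|mail_sent|alice|to=ext{m}@example.com" for m in range(30, 42)]

# Constructed baseline: normal messages per hour for each sender.
BASELINE = {"alice": 2, "bob": 3}

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, BASELINE):
        print(alert)
```

Each check is deliberately simple so it can be compared against what your own monitoring already produces; the point is that every bullet in the list above maps to something a log source can answer, which is what an incident response plan should spell out before an incident occurs.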

Incident response planning guidance & templates

If you’re looking for a way to improve your planning of what to do BEFORE an incident occurs, check out the template below and associated documents. Thank you to Rule4 for putting the template together!
See the Colorado Office of Information & Technology’s Incident Response template. Again, incident response planning is not one-size-fits-all. Take elements of what works best for you and make it your own!

Another template to review is the Colorado North Central FEMA Region Incident Response Template.

CISA Incident Response Playbooks

See CISA’s set of Incident Response Playbooks for the different phases of the IR process. Although these playbooks are written for federal agencies, the best practices apply to all levels of government.