{"id":7006,"date":"2018-06-11T20:41:40","date_gmt":"2018-06-11T20:41:40","guid":{"rendered":"https:\/\/www.reclaimhosting.com\/?page_id=7006"},"modified":"2026-03-12T11:47:27","modified_gmt":"2026-03-12T15:47:27","slug":"incident-response-plan","status":"publish","type":"page","link":"https:\/\/www.reclaimhosting.com\/contracts\/incident-response-plan\/","title":{"rendered":"Incident Response Plan"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"7006\" class=\"elementor elementor-7006\" data-elementor-post-type=\"page\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6378092d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6378092d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3d07a4f7\" data-id=\"3d07a4f7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-31899353 elementor-widget elementor-widget-spacer\" data-id=\"31899353\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-11e36a62 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"11e36a62\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-wider\">\n\t\t\t\t\t<div 
class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-21dd02b1\" data-id=\"21dd02b1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5d35b867 elementor-widget elementor-widget-text-editor\" data-id=\"5d35b867\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/www.reclaimhosting.com\/contracts\/\"><span style=\"text-decoration: underline;\"><em>\u2190 Back to\u00a0Contracts Quick Links<\/em><\/span><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5f8098f7 elementor-align-center elementor-widget elementor-widget-button\" data-id=\"5f8098f7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/drive.google.com\/file\/d\/1Tf6C7l4VefffiB6z7OXKrb2aoqfbr7L4\/view?usp=sharing\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Download .PDF Version of Incident Response Plan<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-199cda75 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"199cda75\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span 
class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-65b9ced5 elementor-align-center elementor-widget elementor-widget-button\" data-id=\"65b9ced5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/www.reclaimhosting.com\/contracts\/sso-integration\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">SSO Integration<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1491d8dd elementor-align-center elementor-widget elementor-widget-button\" data-id=\"1491d8dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/www.reclaimhosting.com\/contracts\/data-processing-agreement\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Data Processing Agreement<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e008696 elementor-align-center elementor-widget elementor-widget-button\" data-id=\"e008696\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a 
class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/www.reclaimhosting.com\/contracts\/standard-sla\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Standard SLA<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-4d052be8\" data-id=\"4d052be8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3ba33bd2 elementor-widget elementor-widget-heading\" data-id=\"3ba33bd2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Incident Response Plan<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6904336 elementor-widget elementor-widget-spacer\" data-id=\"6904336\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-48af5a82 elementor-widget elementor-widget-text-editor\" data-id=\"48af5a82\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">This document discusses the steps taken by Reclaim Hosting and associated data owners during an approved incident.<\/span><\/p><ol><li 
class=\"numberHeading\">The person who discovers the incident will notify senior personnel at Reclaim Hosting within 24 hours. The following information will be gathered as an initial incident report is created:<ul><li><span style=\"font-weight: 400;\">The name of the notifier or affected user.<\/span><\/li><li><span style=\"font-weight: 400;\">Time of the ticket.<\/span><\/li><li><span style=\"font-weight: 400;\">Contact information about the ticket\/affected user.<\/span><\/li><li><span style=\"font-weight: 400;\">The nature of the incident.<\/span><\/li><li><span style=\"font-weight: 400;\">What equipment or persons were involved?<\/span><\/li><li><span style=\"font-weight: 400;\">Location of equipment or persons involved.<\/span><\/li><li><span style=\"font-weight: 400;\">How the incident was detected.<\/span><\/li><li><span style=\"font-weight: 400;\">When the first event indicating that an incident had occurred was noticed.<\/span><\/li><\/ul><\/li><li class=\"numberHeading\">The IT staff member or affected department staff member who receives the ticket (or discovered the incident) will refer to the System Security Plan for both management personnel to be contacted and incident response members to be contacted. The staff member will alert those designated on the list. The staff member will contact the incident response manager using both email and phone messages, as well as official incident response channels, while being sure other appropriate and backup personnel and designated managers are contacted.<ul><li><span style=\"font-weight: 400;\">Is the equipment affected business critical?<\/span><\/li><li><span style=\"font-weight: 400;\">What is the severity of the potential impact?<\/span><\/li><li><span style=\"font-weight: 400;\">Name of system being targeted, along with operating system, IP address, and location.<\/span><\/li><li><span style=\"font-weight: 400;\">IP address and any information about the origin of the attack. 
<\/span><\/li><\/ul><\/li><li class=\"numberHeading\"><span style=\"font-weight: 400;\">Contacted members of the response team will meet or discuss the situation over the telephone and determine a response strategy. <\/span><ul><li><span style=\"font-weight: 400;\">Is the incident real or perceived?<\/span><\/li><li><span style=\"font-weight: 400;\">Is the incident still in progress?<\/span><\/li><li><span style=\"font-weight: 400;\">What data or property is threatened and how critical is it?<\/span><\/li><li><span style=\"font-weight: 400;\">What is the impact on the business should the attack succeed? Minimal, serious, or critical?<\/span><\/li><li><span style=\"font-weight: 400;\">What system or systems are targeted, where are they located physically and on the network?<\/span><\/li><li><span style=\"font-weight: 400;\">Is the incident inside the trusted network?<\/span><\/li><li><span style=\"font-weight: 400;\">Is the response urgent?<\/span><\/li><li><span style=\"font-weight: 400;\">Can the incident be quickly contained?<\/span><\/li><li><span style=\"font-weight: 400;\">Will the response alert the attacker and do we care?<\/span><\/li><li><span style=\"font-weight: 400;\">What type of incident is this? Example: virus, worm, intrusion, abuse, damage. <\/span><\/li><\/ul><\/li><li class=\"numberHeading\">An incident ticket will be created. 
The incident will be categorized into the highest applicable level of one of the following categories:<ul><li><span style=\"font-weight: 400;\">Category one &#8211; A threat to public safety or life.<\/span><\/li><li><span style=\"font-weight: 400;\">Category two &#8211; A threat to sensitive data<\/span><\/li><li><span style=\"font-weight: 400;\">Category three &#8211; A threat to computer systems<\/span><\/li><li><span style=\"font-weight: 400;\">Category four &#8211; A disruption of services <\/span><\/li><\/ul><\/li><li class=\"numberHeading\"><span style=\"font-weight: 400;\">Team members will establish and follow one of the following security playbooks basing their response on the incident assessment: <\/span><ul><li><span style=\"font-weight: 400;\">Worm response procedure<\/span><\/li><li><span style=\"font-weight: 400;\">Virus response procedure<\/span><\/li><li><span style=\"font-weight: 400;\">System failure procedure<\/span><\/li><li><span style=\"font-weight: 400;\">Active intrusion response procedure &#8211; Is critical data at risk?<\/span><\/li><li><span style=\"font-weight: 400;\">Inactive Intrusion response procedure<\/span><\/li><li><span style=\"font-weight: 400;\">System abuse procedure<\/span><\/li><li><span style=\"font-weight: 400;\">Property theft response procedure<\/span><\/li><li><span style=\"font-weight: 400;\">Website denial of service response procedure<\/span><\/li><li><span style=\"font-weight: 400;\">Database or file denial of service response procedure<\/span><\/li><li><span style=\"font-weight: 400;\">Spyware response procedure.<\/span><\/li><\/ul><\/li><\/ol><p>\u00a0<\/p><p><span style=\"font-weight: 400;\">The team may create additional playbooks which are not foreseen in this document. If there is no applicable playbook in place, the team must document what was done and later establish a procedure for the incident. 
<\/span><\/p><ol><li><span style=\"font-weight: 400;\">Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization. <\/span><\/li><li><span style=\"font-weight: 400;\">Team members will recommend changes to prevent the occurrence from happening again or infecting other systems. <\/span><\/li><li><span style=\"font-weight: 400;\">Upon management approval, the changes will be implemented. <\/span><\/li><li><span style=\"font-weight: 400;\">Team members will restore the affected system(s) to the uninfected state. They may do one or more of the following:<\/span><ul><li><span style=\"font-weight: 400;\">Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.<\/span><\/li><li><span style=\"font-weight: 400;\">Make users change passwords if passwords may have been sniffed.<\/span><\/li><li><span style=\"font-weight: 400;\">Be sure the system has been hardened by turning off or uninstalling unused services.<\/span><\/li><li><span style=\"font-weight: 400;\">Be sure the system is fully patched.<\/span><\/li><li><span style=\"font-weight: 400;\">Be sure real-time virus protection and intrusion detection are running.<\/span><\/li><li><span style=\"font-weight: 400;\">Be sure the system is logging the correct events and to the proper level. 
<\/span><\/li><\/ul><\/li><li><span style=\"font-weight: 400;\">Documentation\u2014the following shall be documented: <\/span><ul><li><span style=\"font-weight: 400;\">How the incident was discovered.<\/span><\/li><li><span style=\"font-size: 1rem;\">The category of the incident.<\/span><\/li><li><span style=\"font-weight: 400;\">How the incident occurred, whether through email, firewall, etc.<\/span><\/li><li><span style=\"font-weight: 400;\">Where the attack came from, such as IP addresses and other related information about the attacker.<\/span><\/li><li><span style=\"font-weight: 400;\">What the response plan was.<\/span><\/li><li><span style=\"font-weight: 400;\">What was done in response?<\/span><\/li><li><span style=\"font-weight: 400;\">Whether the response was effective. <\/span><\/li><\/ul><\/li><li><span style=\"font-weight: 400;\">Evidence Preservation\u2014make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal. <\/span><\/li><li><span style=\"font-weight: 400;\">Notify proper external agencies\u2014notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here. <\/span><\/li><li><span style=\"font-weight: 400;\">Assess damage and cost\u2014assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts. <\/span><\/li><li><span style=\"font-weight: 400;\">Review response and update policies\u2014plan and take preventative steps so the intrusion can&#8217;t happen again. 
<\/span><ul><li><span style=\"font-weight: 400;\">Consider whether an additional policy could have prevented the intrusion.<\/span><\/li><li><span style=\"font-weight: 400;\">Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.<\/span><\/li><li><span style=\"font-weight: 400;\">Was the incident response appropriate? How could it be improved?<\/span><\/li><li><span style=\"font-weight: 400;\">Was every appropriate party informed in a timely manner?<\/span><\/li><li><span style=\"font-weight: 400;\">Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?<\/span><\/li><li><span style=\"font-weight: 400;\">Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?<\/span><\/li><li><span style=\"font-weight: 400;\">Have changes been made to prevent a new and similar infection?<\/span><\/li><li><span style=\"font-weight: 400;\">Should any security policies be updated?<\/span><\/li><li><span style=\"font-weight: 400;\">What lessons have been learned from this experience? 
<\/span><\/li><\/ul><\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-433fd064 elementor-align-center elementor-widget elementor-widget-button\" data-id=\"433fd064\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/drive.google.com\/file\/d\/1Tf6C7l4VefffiB6z7OXKrb2aoqfbr7L4\/view?usp=sharing\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Download .PDF Version<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>\u2190 Back to\u00a0Contracts Quick Links Download .PDF Version of Incident Response Plan SSO Integration Data Processing Agreement Standard SLA Incident Response Plan This document discusses the steps taken by Reclaim Hosting and associated data owners during an approved incident. The person who discovers the incident will notify within 24 hours senior personnel at Reclaim Hosting. 
&hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.reclaimhosting.com\/contracts\/incident-response-plan\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Incident Response Plan&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":34166,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"elementor_header_footer","meta":{"footnotes":""},"class_list":["post-7006","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/pages\/7006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/comments?post=7006"}],"version-history":[{"count":36,"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/pages\/7006\/revisions"}],"predecessor-version":[{"id":45229,"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/pages\/7006\/revisions\/45229"}],"up":[{"embeddable":true,"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/pages\/34166"}],"wp:attachment":[{"href":"https:\/\/www.reclaimhosting.com\/wp-json\/wp\/v2\/media?parent=7006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}