Estimated time: 45 min


The idea behind this activity is to complement policies revealed previously as preventive strategies along with the development of procedures to be applied during security incidents such as reactive strategies pursuing to mitigate impact of threats once they have been implemented. Specifically, this activity seeks to abstract the concepts of procedures, training, communications plans, succession plans and arrangement activities in a single dynamic serving as an introduction to the area of incident response developed in the information security literature.

Input data

  • Risk matrix



  • Initial security procedure for one or two selected scenarios. Indirect
  • Instruments to develop any other security procedure missing from the organization.
  • Better understanding of the relevance of internal, external communications and the succession of responsibilities during attention of security incidents.

Previous planning

  • In case of carrying out the activity in digital, it is suggested to have a spreadsheet or other software with all the necessary fields and formats.


In case of doing the activity on paper:

  • Post-its or sticky notes (pied) and markers or
  • Large pieces of paper to stick on the wall and markers. In case of doing the activity in digital equipment:
  • Computer.
  • Spreadsheet ready to fill, showing the headings with stakeholder categories.


  1. Check risk matrix raised in the previous activity and select one or two threats considered relevant to raise security procedures.
    • It is natural that there are threats depending highly on the personnel or external allies for their resolution, although it is desirable they are resolvable threats to a greater extent by the same members of the organization.
  2. For each threat, which from now on will be treated as security incidents since procedures for its occurrence will be prepared, make a brainstorm of actions that should be taken as steps, write down each one on sticky notes, put them on paper or onto the wall, then reorder as new steps are added. As an aid to the group, usually actions taken in a procedure follow:
    • Minimize the damage.
    • Clean remaining artifacts from the incident.
    • Resume activities as soon as possible.


    Steps for the procedure

  3. For each step ask the group who would execute the procedure. Write down on a sticky note and place it in a second column on the wall next to the step in issued, you also can ask the group who would supply this responsible person in case that is not present during the incident. If applies, take note and place these substitutes below the principal responsible as shown in the graph.


    Responsibles for each step

  4. With consent in the group on the steps of the procedure to take, ask at what point should establish communication with the organization’s external stakeholders. The idea behind this is to write down these mentioned communication points as new steps (ideally in a different color) in order to include them into steps of the procedure by rearranging the existing ones.
    • These communications are normally mandatory or highly desirable to resolve the incident, such as networks of allies, external suppliers, etc.
    • It is possible that in the same dynamic of the activity, this communications map developed in step 2 has been advanced naturally. In that case, by completing any missing communication and continuing would be enough.
    • For each step related to external communications, verify that it always appears who would be contacted, either in the step or in the person in charge.


    Steps to the communication plan

  5. Create a third column with the heading “requirement” and for each step ask the team What do I need to guarantee BEFORE the incident occurs so that this step can be fulfilled?. Take note of each requirement on a sticky note and place it next to the corresponding step, it is natural that some steps have no associated requirement actions. Some common examples of requirement are:
    • That A has the contact of B external consultant.
    • C knows how to turn off the internal server.
    • Everyone knows how to erase information safely.


    Previous preparation for the procedure

  6. Discuss with the group How would they communicate with each other during the resolution of the incident? Guide the discussion about which channels are considered safe and reliable to keep the group informed during the incident, as well as which ones would be used formally during this one type of incident. It is suggested to take note of these channels and list them in order of priority in case the first one fails during the incident.
    • It is worth remembering that different incidents can affect different communication channels.
  7. Suggest the team to empty the information collected during this activity in a formal document. You can use the template 4 available on the website of this material (


Internal communication order

Closure of the activity

At the end of the activity you can discuss and emphasize what has been achieved:

  • Real procedures were developed for specific incidents.
  • Steps of the procedure were associated with responsible personnel and successors.
  • External communication plan procedure was integrated.
  • Internal communication bases were established during incidents.
  • Steps to build security procedures with methodology were explored.

After the activity is over, it is worth proposing to the group subsequently any incident happened, to hold a subsequent meeting where the team will at least ask the following questions:

  • What happened and at what time?
  • How well did the team respond to the incident?
  • Were the procedures followed? Were they adequate?
  • Were there steps or actions taken that inhibited the recovery of the incident?
  • What would the team do differently if something similar happens in the future?
  • What corrective actions can prevent similar incidents in the future?
  • What indicators should be revised in the future to detect similar incidents?
  • What instruments or resources are needed to analyze, detect and mitigate future incidents?