Begin your first half of the plan by focusing on the environmental conditions and coordination mechanisms. Include:
1.    roles and responsibilities
2.    phases of incident response
3.    scenarioprovide an incident response plan in the case of distributed data exfiltration attacks, specifically the case of loss of communications
4.    activities, authorities pertaining to roles and responsibilities
5.    triggering conditions for actions
6.    triggering conditions for closure
7.    reports and products throughout the incident response activity
8.    tools, techniques, and technologies
9.    communications paths and parties involved
10.    coordination paths and parties involved
11.    external partners and stakeholders, and their place in the coordination and communication paths
12.    security controls and tracking
13.    recovery objectives and priorities
Define Incident Response, Part 2
Your team in this step will continue developing the Incident Response Plan. The second half of your report will focus on events and processes of your active response plan. Include the following:
14. incident response checklist. Refer to the NIST Computer Security Incident Handling Guide for an example.
15. data protection mechanisms
16. integrity controls (system integrity checks) after recovery
17. a plan to investigate the network behavior and a threat bulletin that explains this activity
18. defined triggering mechanisms for continuing alerts and notifications throughout the cyber incident
19. additional aspects of the incident response plan necessary to contain a cyber incident on the international domain
20. diagrams of swim lanes of authorities, activities and process flows, coordination and communication paths. Review the Swim Lane Template to familiarize yourself with the concept of swim lanes and swim lane diagrams.