A good incident response plan results in the following response actions matrix. It maps responders to actions to incident types.

For any given incident type, for example, Improper Internet usage, it helps to consider the following:
•  Who should be involved?
•  What actions must they perform?
•  What actions might they perform?
•  What artifacts might be collected?
•  What about forensic analysis?

Of course, tools, especially forensic tools change and evolve, so the action should be defined generically. And for the specialists that may participate consider the criteria for their involvement:
•  Should Human Resources participate? Under what circumstances?
•  Should legal be notified? Tasked? Under what circumstances?
•  What other specialists play a role?

After a draft list of actions is developed, then consider priority – when is this action required or appropriate? Then consider policy – what approvals are required, what rules must be followed? What other issues are associated with an action?

As you consider additional incidents, new actions may be identified, but previously defined action may also apply. For low impact incidents, minimal activities are required to document and close out the incident. For higher priority incidents, additional actions may be required to fully understand and resolve the incident. Ultimately, the following matrix is developed with three dimensions: Incident types, functional team (or swim lane), and actions differentiated by priority.

The response action matrix provides the basis for estimating effort, establishing a budget, and aligning the response plan with business value.