Organizations should have the mindset “when we get breached” not “if we get breached” as the occurrence of most incidents cannot be determined, and a plan should be in place to ensure a coordinated effort of response activities. An incident response (IR) plan should contain roles and responsibilities and should list members (and alternatives) of a Security Incident Response Team (SIRT). Additionally, IR playbooks should be in place for various incident types. Incident handling should follow industry standard (i.e. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (PICERL)).