Any recommendations for a Incident Response Policy and Procedures template?
I'm building a cyber program from scratch.
Any guidance is appreciated.
NIST, SANS, all have rather comprehensive documentations and templates on IRT.
Also check out ITIL- Service Operation, on incident management, a fairly concise guideline on incident and response process, including a good diagram on the flow.
As stated by others, the NIST Special Publication 800-61 Revision 2 is a good starting point. You can find it here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
If you have any workloads in the cloud you will need to adapt to account for any shared responsibilities/CSP requirements.
An alternative you could look at is ISO 27035, as a top level approach. It'll also make sense to outline a playbook for each general type of incident.
You'll need to determine if you can have a permanent CSIRT or if you'll need to pull together a virtual CSIRT at the point of detecting major incident. This will probably depend on your organisations business and its resource budget. vCSIRT can work, but can also be problematic as getting the time to train and rehearse when there is actually an incident can be a tough ask with the members line management. A common solution is to have first call on staff from your SoC or pay a retainer to a third party for first responders.
I found that this thread did not have any answer and therefore would like to put my thoughts.
NIST's Cyber Security Maturity Assessment Framework can be a good start as it has a dedicated domain on Incident Management life cycle. In addition, inputs from well known security standards such as ISO 27001 and PCI DSS (current version 4.0) should also be considered.
Policy which is a high level document must be specific to the organization, the business units, operating environment and in line with the risk appetite of the organization.
Hope this helps.