The Incident Response Plan should include the following items: policies on when to shut down an affected server and when to quarantine it, and information on how to contact vendors, company executives, and response team members, as well as ISP and law enforcement officials.
The plan should also outline logs to keep and steps to be performed to track the hacker's activities and location, such as performing a traceroute or using software such as Tripwire Security Systems' Tripwire to perform a comparison. Additionally, the plan should discuss how to contact parties affected by the attack. Keep in mind, too, that an Incident Response Plan varies widely from company to company and should be developed with input from all involved parties.
Attacks are inevitable, so how you respond to them matters a great deal. A poor response to an attack can become a PR nightmare. But with a little planning and foresight, responding to security breaches can become just another standard procedure.