Weekly CISSP Practice Exam Questions
Week 38 - Question 1
What is NOT typically included in an Incident Response Plan (IRP)?
A. Communication Protocols
B. Digital Forensics
C. Encryption Algorithms
D. Recovery Strategies
Answer: C
Explanation:
A. Communication Protocols
During a crisis, clear communication is the difference between a controlled response and total chaos.
- The Content: The IRP defines who needs to be notified (Legal, HR, PR, Management), how they should be reached (out-of-band communication like Signal or phone calls), and what information can be shared with the public.
- The Importance: It prevents "leaks" and ensures that the Incident Response Team (IRT) isn't interrupted by constant status requests from stakeholders.
B. Digital Forensics
Digital forensics is the process of uncovering and interpreting electronic data.
- The Content: The IRP includes "Chain of Custody" procedures and guidelines for the preservation of evidence. This ensures that if the incident leads to legal action, the evidence gathered (disk images, memory dumps) is admissible in court.
- The Goal: To understand the "who, what, when, where, and how" of an incident without contaminating the crime scene.
C. Encryption Algorithms
This is the correct answer because encryption is a Preventive Control defined in the Architecture and Engineering (Domain 3) standards.
- Why it's the Answer: While an IR team might use encrypted channels to communicate, the specific mathematical algorithms (like AES-256 or RSA) are part of the organization's high-level Security Policy or Technical Standards. An IRP is about action and coordination, not the underlying mathematics of data protection.
D. Recovery Strategies
Recovery is the phase where systems are restored to normal operation.
- The Content: The IRP outlines how to validate that the systems are clean, how to restore data from backups, and how to monitor the environment for any signs of the threat returning.
- The Goal: To transition from the "Emergency" state back to the "Business as Usual" state defined in the BCP.