Remediation of detected threats when the notification comes from outside your organization

  • January 15, 2019

I've been tasked with responding with a policy & procedures walk-through for "what do we do when we have been informed that we have a threat in-house".

I'm looking for documentation that would give better sample responses than whitepapers that say "use us and we will remediate your threat for you"...

I am aware of (and am investigating) IDS-type tools, but I am working from the premise that *something* got inside the enterprise; now how to find it and eradicate it...

I'm working from:
  1. Escalate security on a deep-packet inspection device like a SonicWall.
  2. Run an in-depth manual scan of all servers and workstations.
  3. Add real-time packet inspection to more of the services (looking for traffic).
  4. Then... remediate and clean as necessary.
Thoughts/suggestions?