INCIDENT RESPONSE PLAN
[ORGANIZATION NAME]
Classification: Confidential
Document Owner: [CISO/Security Director Name]
Effective Date: [DATE]
Last Reviewed: [DATE]
Next Review Date: [DATE]
TABLE OF CONTENTS
- Executive Summary
- Purpose and Scope
- Incident Response Team
- Incident Classification
- Incident Response Phases
- Communication Protocols
- Legal and Regulatory Requirements
- Documentation Requirements
- Testing and Training
- Plan Maintenance
1. EXECUTIVE SUMMARY
1.1 Purpose Statement
This Incident Response Plan (IRP) establishes the framework for detecting, responding to, containing, eradicating, and recovering from cybersecurity incidents affecting [ORGANIZATION NAME]. This plan aligns with NIST SP 800-61 Rev. 3 and the NIST Cybersecurity Framework 2.0.
1.2 Management Commitment
☐ This plan has been reviewed and approved by executive management
☐ Adequate resources have been allocated for incident response capabilities
☐ The organization commits to regular testing and improvement of this plan
Executive Approval:
Name: _________________________
Title: _________________________
Signature: _________________________
Date: _________________________
2. PURPOSE AND SCOPE
2.1 Purpose
This plan:
- Establishes procedures for identifying, containing, and responding to security incidents
- Defines roles, responsibilities, and communication channels
- Ensures compliance with legal and regulatory notification requirements
- Minimizes damage and reduces recovery time and costs
- Preserves evidence for potential legal proceedings
- Enables continuous improvement through post-incident analysis
2.2 Scope
In Scope:
☐ All information systems owned or operated by [ORGANIZATION NAME]
☐ Cloud-based systems and services
☐ Third-party systems processing organizational data
☐ Employee-owned devices accessing organizational resources (BYOD)
☐ Operational technology (OT) systems
☐ Physical security incidents affecting information assets
Out of Scope:
☐ [SPECIFY EXCLUSIONS]
2.3 Alignment with NIST CSF 2.0
This plan addresses the following NIST CSF 2.0 functions:
| Function | Description | Plan Section |
|---|---|---|
| Govern | Rules and oversight | Sections 2, 3, 10 |
| Identify | Know assets and risks | Section 4 |
| Protect | Security measures | Section 5.1 |
| Detect | Spot unusual activity | Section 5.2 |
| Respond | Act on incidents | Sections 5.3-5.5 |
| Recover | Return to normal | Sections 5.6-5.7 |
3. INCIDENT RESPONSE TEAM
3.1 Team Structure
3.1.1 Core Incident Response Team (IRT)
| Role | Primary Contact | Backup Contact | Contact Information |
|---|---|---|---|
| Incident Response Manager | [NAME] | [NAME] | [PHONE/EMAIL] |
| Security Analyst Lead | [NAME] | [NAME] | [PHONE/EMAIL] |
| Network/Systems Administrator | [NAME] | [NAME] | [PHONE/EMAIL] |
| Forensics Specialist | [NAME] | [NAME] | [PHONE/EMAIL] |
| Communications Lead | [NAME] | [NAME] | [PHONE/EMAIL] |
3.1.2 Extended Team (NIST SP 800-61r3 Recommended)
| Role | Contact | When to Engage |
|---|---|---|
| Executive Sponsor (CEO/COO) | [NAME] | Severity 1-2 incidents |
| Chief Information Security Officer | [NAME] | All incidents |
| Chief Information Officer | [NAME] | Severity 1-3 incidents |
| General Counsel/Legal | [NAME] | Potential legal implications |
| Human Resources | [NAME] | Employee involvement |
| Public Relations | [NAME] | Public disclosure required |
| Finance | [NAME] | Financial impact or fraud |
| Business Unit Leaders | [NAME] | Operational impact |
3.1.3 External Resources
| Resource | Organization | Contact | SLA/Contract |
|---|---|---|---|
| Incident Response Retainer | [FIRM NAME] | [CONTACT] | [CONTRACT #] |
| Forensic Investigation | [FIRM NAME] | [CONTACT] | [CONTRACT #] |
| Legal Counsel (Privacy) | [FIRM NAME] | [CONTACT] | [CONTRACT #] |
| Law Enforcement (FBI) | FBI Cyber Division | [LOCAL OFFICE] | N/A |
| CISA | cisa.gov/report | 1-888-282-0870 | N/A |
| Cyber Insurance | [CARRIER] | [CONTACT] | [POLICY #] |
3.2 Roles and Responsibilities
Incident Response Manager
☐ Overall coordination of incident response activities
☐ Decision authority for containment and eradication actions
☐ Escalation to executive leadership
☐ Authorization of external communications
☐ Final approval of incident closure
Security Analyst Lead
☐ Initial triage and classification of incidents
☐ Technical analysis and investigation
☐ Evidence collection and preservation
☐ Coordination with forensics specialists
☐ Development of containment strategies
Legal Counsel
☐ Assessment of legal and regulatory obligations
☐ Guidance on breach notification requirements
☐ Privilege considerations for investigations
☐ Coordination with law enforcement
☐ Review of external communications
4. INCIDENT CLASSIFICATION
4.1 Incident Categories
| Category | Description | Examples |
|---|---|---|
| Malware | Malicious software infection | Virus, worm, trojan, ransomware, cryptominer |
| Unauthorized Access | Unauthorized system/data access | Account compromise, privilege escalation |
| Denial of Service | Service disruption attacks | DDoS, application-layer attacks |
| Data Breach | Unauthorized data exposure | Exfiltration, accidental disclosure |
| Insider Threat | Malicious or negligent insider | Data theft, sabotage, policy violation |
| Phishing/Social Engineering | Deceptive attacks on users | Spear phishing, business email compromise |
| Physical | Physical security incidents | Theft, tampering, facility breach |
| Supply Chain | Third-party compromise | Vendor breach, software supply chain attack |
4.2 Severity Levels
| Severity | Impact | Description | Response Time | Escalation |
|---|---|---|---|---|
| 1 - Critical | Enterprise-wide | Critical systems unavailable, confirmed data breach affecting >1000 individuals, active attacker in environment, ransomware deployment | Immediate (< 1 hour) | Executive team, Board, Legal, external IR |
| 2 - High | Multiple systems/departments | Significant service disruption, potential data breach, confirmed compromise of sensitive systems | < 4 hours | CISO, Executive sponsor, Legal |
| 3 - Medium | Single system/department | Limited service impact, contained malware, policy violation with potential security impact | < 8 hours | CISO, Department head |
| 4 - Low | Minimal impact | Minor policy violation, unsuccessful attack attempt, isolated incident | < 24 hours | IRT Lead |
4.3 Impact Assessment Criteria
Confidentiality Impact:
☐ Public data only (Low)
☐ Internal/proprietary data (Medium)
☐ Sensitive personal data (PII/PHI) (High)
☐ Classified/regulated data (Critical)
Integrity Impact:
☐ No data modification (Low)
☐ Non-critical data affected (Medium)
☐ Critical data affected (High)
☐ System integrity compromised (Critical)
Availability Impact:
☐ No service disruption (Low)
☐ Non-critical services affected (Medium)
☐ Critical services degraded (High)
☐ Critical services unavailable (Critical)
5. INCIDENT RESPONSE PHASES
5.1 Phase 1: Preparation (GOVERN, IDENTIFY, PROTECT)
5.1.1 Technical Preparation
☐ Security monitoring tools deployed and configured (SIEM, EDR, NDR)
☐ Baseline configurations documented
☐ Network diagrams and asset inventories current
☐ Forensic tools and jump kits ready
☐ Isolated analysis environment available
☐ Backup and recovery capabilities tested
☐ Contact lists and escalation procedures current
5.1.2 Administrative Preparation
☐ Incident response policies approved
☐ Team members trained and certified
☐ Tabletop exercises conducted (at least annually)
☐ Retainer agreements in place with external resources
☐ Cyber insurance policy current
☐ Legal counsel identified and briefed
5.2 Phase 2: Detection and Analysis (DETECT)
5.2.1 Detection Sources
| Source | Monitoring Tool | Alert Threshold |
|---|---|---|
| Security Information and Event Management (SIEM) | [TOOL] | [THRESHOLD] |
| Endpoint Detection and Response (EDR) | [TOOL] | [THRESHOLD] |
| Network Detection and Response (NDR) | [TOOL] | [THRESHOLD] |
| Intrusion Detection/Prevention System | [TOOL] | [THRESHOLD] |
| Email Security Gateway | [TOOL] | [THRESHOLD] |
| User Reports | Help Desk | All reports |
| External Reports | CISA, Vendors, Partners | All reports |
5.2.2 Initial Triage Checklist
☐ Alert received and documented
☐ Initial classification assigned
☐ False positive ruled out
☐ Scope of impact assessed
☐ Affected systems identified
☐ Incident ticket created
☐ Timeline initiated
☐ Appropriate team members notified
5.2.3 Analysis Procedures
Evidence Collection (Maintain Chain of Custody):
☐ Memory capture (if volatile evidence needed)
☐ Disk imaging (forensic copy)
☐ Log collection (system, security, application)
☐ Network traffic capture
☐ Screenshots and documentation
Analysis Questions:
- What happened?
- When did it happen (timeline)?
- How did it happen (attack vector)?
- Who is affected?
- What systems are involved?
- What data may be compromised?
- Is the attack ongoing?
- What is the potential impact?
5.3 Phase 3: Containment (RESPOND)
5.3.1 Containment Strategy Selection
| Strategy | When to Use | Considerations |
|---|---|---|
| Short-term Containment | Immediate threat, active attack | May alert attacker, preserves evidence |
| Long-term Containment | Complex incidents, business continuity | Requires temporary fixes |
| System Isolation | Confirmed compromise, data exfiltration | Service disruption |
| Account Disablement | Credential compromise | User impact |
| Network Segmentation | Lateral movement detected | Operational impact |
5.3.2 Containment Checklist
☐ Containment strategy approved by Incident Response Manager
☐ Business impact of containment assessed
☐ Affected stakeholders notified
☐ Containment actions documented with timestamps
☐ Evidence preserved before containment
☐ Effectiveness of containment verified
☐ Backups isolated/protected
5.4 Phase 4: Eradication (RESPOND)
5.4.1 Eradication Procedures
☐ Root cause identified
☐ All instances of threat removed
☐ Malicious files/code deleted
☐ Compromised accounts disabled/reset
☐ Vulnerabilities patched
☐ Backdoors removed
☐ Clean systems verified
☐ Threat hunting for persistence mechanisms completed
5.4.2 Eradication Verification
☐ Full system scans completed
☐ Log analysis confirms no active threats
☐ Network monitoring shows no suspicious activity
☐ Vulnerability scans completed
☐ Configuration review completed
5.5 Phase 5: Recovery (RECOVER)
5.5.1 Recovery Procedures
☐ Recovery plan developed and approved
☐ Systems restored from clean backups or rebuilt
☐ Data restored and integrity verified
☐ Systems hardened before reconnection
☐ Monitoring enhanced for affected systems
☐ Gradual restoration of services
☐ Business operations validated
☐ Users notified of service restoration
5.5.2 Recovery Verification
☐ All systems functioning normally
☐ Security controls operational
☐ Monitoring confirms no reinfection
☐ Performance baseline achieved
☐ Business processes validated
5.6 Phase 6: Post-Incident Activity (GOVERN)
5.6.1 Lessons Learned Meeting
Meeting should occur within: [X] business days of incident closure
Required Attendees:
☐ All incident responders
☐ Affected business unit representatives
☐ Executive sponsor (for Severity 1-2)
☐ Legal counsel (if applicable)
Discussion Topics:
☐ Timeline review (what happened, when)
☐ What worked well
☐ What could be improved
☐ Detection effectiveness
☐ Response effectiveness
☐ Communication effectiveness
☐ Resource adequacy
☐ Recommended improvements
5.6.2 Post-Incident Report
The post-incident report shall include:
☐ Executive summary
☐ Incident timeline
☐ Root cause analysis
☐ Actions taken
☐ Impact assessment
☐ Lessons learned
☐ Recommendations
☐ Appendices (logs, evidence, communications)
5.7 Phase 7: Continuous Improvement
☐ Incident metrics analyzed
☐ Plan updates implemented
☐ Training updated based on lessons learned
☐ Detection capabilities enhanced
☐ Security controls strengthened
☐ Playbooks updated
6. COMMUNICATION PROTOCOLS
6.1 Internal Communication
6.1.1 Communication Channels
| Severity | Primary Channel | Backup Channel | Update Frequency |
|---|---|---|---|
| 1 - Critical | War room + Phone bridge | Secure messaging | Hourly |
| 2 - High | Video conference | Email + Phone | Every 4 hours |
| 3 - Medium | Phone | | Daily |
| 4 - Low | Ticket system | | As needed |
6.1.2 Escalation Matrix
| Condition | Escalate To | Timeframe |
|---|---|---|
| Severity 1 confirmed | Executive team | Immediately |
| Potential data breach | Legal Counsel | Immediately |
| Public disclosure likely | PR/Communications | Within 1 hour |
| Regulatory notification required | Legal + Compliance | Within 4 hours |
| Financial impact >$[X] | CFO | Within 4 hours |
6.2 External Communication
6.2.1 Approval Requirements
| Communication Type | Approval Required |
|---|---|
| Law enforcement notification | CISO + Legal |
| Regulatory notification | Legal + Executive |
| Customer notification | Legal + PR + Executive |
| Public statement/Press release | Legal + PR + CEO |
| Third-party vendor notification | CISO + Legal |
6.2.2 Communication Templates
Template locations: [FILE PATH/SYSTEM]
☐ Internal incident notification
☐ Executive briefing
☐ Board notification
☐ Customer notification (various types)
☐ Regulatory notification
☐ Press statement
☐ Law enforcement report
7. LEGAL AND REGULATORY REQUIREMENTS
7.1 Breach Notification Triggers
A notification may be required when there is unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of the information.
7.2 State Notification Requirements Summary
| State | Notification Deadline | AG Notification Threshold |
|---|---|---|
| California | 30 calendar days (2026) | 500+ residents |
| Colorado | 30 days | 500+ residents |
| Florida | 30 days | 500+ residents |
| New York | Expeditious, no more than reasonable delay | 500+ residents |
| Texas | 60 days | 250+ residents |
| [Additional states as applicable] | [DEADLINE] | [THRESHOLD] |
7.3 Federal Requirements
| Regulation | Requirement | Deadline |
|---|---|---|
| HIPAA (PHI) | HHS notification | 60 days (500+ individuals: immediate media) |
| GLBA (Financial) | FTC/Regulator notification | As soon as practicable |
| SEC (Public Companies) | 8-K filing for material incidents | 4 business days |
| CISA (Critical Infrastructure) | CISA notification | 72 hours (ransomware: 24 hours) |
7.4 Regulatory Contact Information
| Regulator | Contact | When to Notify |
|---|---|---|
| California AG | [CONTACT] | 500+ CA residents |
| HHS (HIPAA) | [hhs.gov/ocr] | PHI breach |
| FTC | [ftc.gov] | GLBA entities |
| SEC | [sec.gov] | Material cyber incidents |
| CISA | [cisa.gov/report] | Critical infrastructure |
7.5 Legal Hold Procedures
Upon determination that litigation or regulatory action is reasonably anticipated:
☐ Legal counsel notified immediately
☐ Legal hold notice issued
☐ Relevant data and systems preserved
☐ Auto-deletion suspended for affected data
☐ Chain of custody established
8. DOCUMENTATION REQUIREMENTS
8.1 Incident Log
All incidents must be logged with the following minimum information:
| Field | Description |
|---|---|
| Incident ID | Unique identifier |
| Date/Time Detected | When the incident was detected |
| Date/Time Reported | When the incident was reported |
| Reporter | Who reported the incident |
| Category | Incident category |
| Severity | Assigned severity level |
| Description | Detailed description |
| Affected Systems | Systems involved |
| Affected Data | Data types potentially compromised |
| Actions Taken | Chronological list of response actions |
| Status | Current status |
| Resolution | How the incident was resolved |
| Root Cause | Determined root cause |
| Lessons Learned | Key takeaways |
8.2 Chain of Custody
Evidence collection must maintain proper chain of custody:
☐ Evidence tag/label with unique identifier
☐ Date and time of collection
☐ Collector name and signature
☐ Description of evidence
☐ Location where evidence was found
☐ Condition of evidence
☐ All transfers documented with signatures
☐ Secure storage location
8.3 Retention Requirements
| Document Type | Retention Period |
|---|---|
| Incident reports | 7 years |
| Evidence | 7 years or until legal matter resolved |
| Communication logs | 7 years |
| Post-incident reports | 7 years |
| Training records | Duration of employment + 3 years |
9. TESTING AND TRAINING
9.1 Testing Schedule
| Test Type | Frequency | Participants | Last Conducted |
|---|---|---|---|
| Tabletop Exercise | Quarterly | IRT + Extended team | [DATE] |
| Technical Drill | Semi-annually | Core IRT | [DATE] |
| Full-scale Exercise | Annually | All stakeholders | [DATE] |
| Red Team Exercise | Annually | IRT (blind) | [DATE] |
9.2 Training Requirements
| Role | Training | Frequency |
|---|---|---|
| All IRT Members | IR fundamentals, plan review | Annually |
| Technical Staff | Forensics, malware analysis, tools | Semi-annually |
| Executives | Tabletop participation, legal obligations | Annually |
| All Employees | Security awareness, phishing recognition | Annually |
9.3 Exercise Scenarios
Recommended exercise scenarios:
☐ Ransomware attack with data exfiltration
☐ Business email compromise and wire fraud
☐ Insider threat and data theft
☐ Nation-state APT compromise
☐ Third-party/supply chain breach
☐ Cloud service provider incident
☐ Physical security breach with cyber impact
10. PLAN MAINTENANCE
10.1 Review Schedule
| Review Type | Frequency | Responsible Party |
|---|---|---|
| Plan content review | Annually | CISO |
| Contact information | Quarterly | IRT Lead |
| Post-incident updates | After each Severity 1-2 | IRT Lead |
| Regulatory updates | As needed | Legal + Compliance |
10.2 Change Control
All changes to this plan must be:
☐ Documented with rationale
☐ Reviewed by CISO
☐ Approved by [APPROVING AUTHORITY]
☐ Communicated to all IRT members
☐ Reflected in version history
10.3 Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
| 2.0 | [DATE] | [NAME] | Updated for NIST SP 800-61r3 |
APPENDICES
Appendix A: Contact List
[Detailed contact list with 24/7 numbers]
Appendix B: System Inventory
[Critical systems list with owners]
Appendix C: Network Diagrams
[Reference to network documentation]
Appendix D: Playbooks
[Links to specific incident playbooks]
Appendix E: Templates
[Communication and documentation templates]
Appendix F: Tool Documentation
[Forensic and analysis tool guides]
DOCUMENT CONTROL
Classification: Confidential
Distribution: [AUTHORIZED RECIPIENTS]
Approval:
| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | | | |
| CIO | | | |
| General Counsel | | | |
| CEO/COO | | | |
This Incident Response Plan is a controlled document. Unauthorized distribution is prohibited. For questions, contact [SECURITY TEAM EMAIL].
About This Template
Jurisdiction-Specific
This template is drafted for general use across all U.S. jurisdictions. State-specific versions with local statutory references are also available.
How It's Made
Drafted using current statutory databases and legal standards for regulatory compliance. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026