
Incident Response SOP

Standard Operating Procedure for incident response planning and execution

Service Pillar: Protect
Service Category: Incident Response
Target Duration: Varies by engagement type
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Provide incident response planning, testing, and execution services to help organizations prepare for, detect, contain, and recover from security incidents.

Service Types

| Service | Description | Engagement Type |
| --- | --- | --- |
| IR Plan Development | Create comprehensive IR plan | Project-based |
| IR Plan Review | Assess existing IR capabilities | Assessment |
| Tabletop Exercise | Scenario-based IR testing | Workshop |
| IR Retainer | On-call incident response | Retainer |
| Active IR | Respond to live incident | Emergency |

Target Personas

| Persona | Primary Pain Point | Value Case |
| --- | --- | --- |
| Solo IT Director | No IR plan, overwhelmed in crisis | Expert backup when it matters |
| Healthcare Admin | HIPAA breach requirements | Breach notification compliance |
| Managing Partner (Legal) | Client data protection, liability | Minimize breach impact |

Business Justification

| Metric | Value | Source |
| --- | --- | --- |
| Average breach cost | $4.88 million | IBM Cost of a Data Breach 2024 |
| Cost savings with IR team/testing | $2.66 million | IBM 2024 |
| Average breach detection time | 194 days | IBM 2024 |
| Average breach containment time | 64 days | IBM 2024 |
| Cost difference: <200 day detection | 23% lower cost | IBM 2024 |
| Organizations with tested IR plan | <40% | Ponemon Institute |

Pricing Reference

| Service | Scope | Price Range | Duration |
| --- | --- | --- | --- |
| IR Plan Development | Full plan creation | $15,000-$30,000 | 4-6 weeks |
| IR Plan Review | Assessment of existing plan | $5,000-$10,000 | 1-2 weeks |
| Tabletop Exercise | Single scenario exercise | $5,000-$10,000 | Half-day session |
| IR Retainer | On-call availability | $3,000-$8,000/month | Monthly retainer |
| Active IR | Live incident response | $300-$400/hour | As needed |

See Pricing & Positioning for complete pricing structure.


IR Plan Development

Pre-Engagement

Qualification Checklist

  • Executive sponsor identified
  • Current IR documentation gathered
  • Key stakeholders available
  • Compliance requirements identified
  • Legal counsel access confirmed
  • Insurance carrier requirements known

Required Information

| Category | Information Needed |
| --- | --- |
| Organizational | Org chart, contact information, escalation paths |
| Technical | Asset inventory, network diagrams, logging capabilities |
| Regulatory | Compliance requirements, notification timelines |
| Legal | Outside counsel, privilege considerations |
| Insurance | Cyber liability policy, carrier contacts |
| Vendors | Forensics, PR, notification services |

Plan Components

Core Plan Sections

| Section | Content | Purpose |
| --- | --- | --- |
| Purpose and Scope | Plan objectives, applicability | Define boundaries |
| Roles and Responsibilities | IR team structure, RACI | Accountability |
| Incident Classification | Severity levels, criteria | Appropriate response |
| Response Phases | Preparation through post-incident | Structured process |
| Communication Plan | Internal/external communication | Coordinated messaging |
| Regulatory Requirements | Notification timelines, requirements | Compliance |
| Contact Lists | Internal and external contacts | Quick access |
| Playbooks | Scenario-specific procedures | Tactical guidance |

Incident Classification

| Severity | Definition | Response Time | Escalation |
| --- | --- | --- | --- |
| Critical | Active data breach, ransomware, business impact | Immediate | Executive, Legal, Board |
| High | Compromised systems, potential data exposure | 4 hours | CISO, IT Leadership |
| Medium | Contained malware, suspicious activity | 24 hours | Security Team |
| Low | Policy violations, minor security events | 72 hours | IT Support |

Response Phase Framework (NIST)

```text
┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐
│ PREPARATION │ → │ DETECTION & │ → │ CONTAINMENT │ → │ ERADICATION │ → │  RECOVERY   │
│             │   │  ANALYSIS   │   │             │   │             │   │             │
└─────────────┘   └─────────────┘   └─────────────┘   └─────────────┘   └─────────────┘
                                                                    ┌─────────────────┐
                                                                    │ POST-INCIDENT   │
                                                                    │ ACTIVITY        │
                                                                    └─────────────────┘
```

Plan Development Process

Phase 1: Assessment (Week 1-2)

| Activity | Deliverable | Duration |
| --- | --- | --- |
| Stakeholder interviews | Current state understanding | 3 days |
| Documentation review | Gap identification | 2 days |
| Regulatory analysis | Compliance requirements | 1 day |
| Threat assessment | Relevant scenarios | 2 days |

Phase 2: Plan Development (Week 2-4)

| Activity | Deliverable | Duration |
| --- | --- | --- |
| Core plan drafting | IR Plan document | 5 days |
| Communication plan | Messaging templates | 2 days |
| Playbook development | Scenario playbooks | 3 days |
| Contact list compilation | Contact directory | 1 day |

Phase 3: Review and Finalization (Week 4-6)

| Activity | Deliverable | Duration |
| --- | --- | --- |
| Legal review | Privileged document structure | 3 days |
| Stakeholder review | Feedback incorporation | 3 days |
| Final documentation | Complete IR plan | 2 days |
| Training session | Team enablement | 0.5 day |

Scenario Playbooks

Standard Playbooks Included

| Scenario | Key Actions | Regulatory Considerations |
| --- | --- | --- |
| Ransomware | Isolation, decision tree, negotiation guidance | Law enforcement notification |
| Data Breach | Scope determination, notification assessment | HIPAA, CCPA, state laws |
| Business Email Compromise | Account remediation, wire fraud response | Financial notification |
| Insider Threat | HR coordination, evidence preservation | Employment law |
| DDoS Attack | Mitigation, service restoration | Customer communication |
| Malware Infection | Containment, cleanup, recovery | Varies by data exposure |

Playbook Structure

```markdown
## [Scenario Name] Playbook

### Indicators
- [Signs of this incident type]

### Initial Response (First 30 minutes)
1. [Immediate actions]
2. [Escalation triggers]
3. [Initial containment]

### Investigation
1. [Evidence collection]
2. [Scope determination]
3. [Root cause analysis]

### Containment & Eradication
1. [Containment actions]
2. [Removal procedures]
3. [Validation steps]

### Recovery
1. [System restoration]
2. [Verification steps]
3. [Monitoring requirements]

### Post-Incident
1. [Documentation requirements]
2. [Notification decisions]
3. [Lessons learned]

### Contacts
- [Scenario-specific contacts]
```

Tabletop Exercise

Exercise Design

Scenario Development

| Element | Description |
| --- | --- |
| Realistic scenario | Based on likely threats for client industry |
| Injects | Evolving situation updates during exercise |
| Decision points | Require participant choices |
| Complexity | Appropriate for team maturity |

Standard Scenarios

| Scenario | Suitable For | Duration |
| --- | --- | --- |
| Ransomware attack | All organizations | 2-3 hours |
| Data breach notification | Healthcare, financial | 2-3 hours |
| Business email compromise | Finance teams | 1.5-2 hours |
| Third-party compromise | Organizations with vendors | 2-3 hours |
| Insider threat | Larger organizations | 2-3 hours |

Exercise Execution

Participants

| Role | Purpose |
| --- | --- |
| Executive sponsor | Final decision authority |
| IT/Security leadership | Technical response |
| Legal counsel | Legal/regulatory guidance |
| Communications/PR | Messaging coordination |
| HR | Employee-related issues |
| Business unit leaders | Operational impact |
| Facilitator (SBK) | Exercise management |

Agenda

| Phase | Duration | Activity |
| --- | --- | --- |
| Introduction | 15 min | Objectives, ground rules, scenario overview |
| Exercise | 90-120 min | Scenario presentation, discussion, decisions |
| Inject responses | Included | Evolving situation management |
| Debrief | 30 min | Immediate observations, key learnings |
| After-action | Post-exercise | Formal findings and recommendations |

Exercise Deliverables

| Deliverable | Content |
| --- | --- |
| Exercise report | Scenario, observations, recommendations |
| Gap analysis | Identified weaknesses |
| Action items | Prioritized improvements |
| Updated plan | Revisions based on findings |

IR Retainer

Retainer Services

| Tier | Monthly Fee | Response Time | Included Hours |
| --- | --- | --- | --- |
| Bronze | $3,000 | 8 hours | 5 hours/month |
| Silver | $5,000 | 4 hours | 10 hours/month |
| Gold | $8,000 | 2 hours | 20 hours/month |

Retainer Benefits

| Benefit | Description |
| --- | --- |
| Guaranteed response | SLA-backed response times |
| Relationship | Pre-established team familiarity |
| Planning hours | Quarterly plan review/update |
| Reduced rates | Discounted active IR rates |
| Priority access | Jump the queue during incidents |

Retainer Activation

| Step | Action | Timeline |
| --- | --- | --- |
| 1 | Client contacts SBK hotline | T+0 |
| 2 | Initial triage call | Within SLA |
| 3 | Response scope determination | T+1 hour |
| 4 | Response team deployment | Per severity |

Active Incident Response

Emergency Response Process

Initial Notification

| Information Needed | Purpose |
| --- | --- |
| Incident description | Understanding situation |
| Business impact | Severity determination |
| Actions taken | Current state |
| Key contacts | Communication |
| Environment info | Response planning |

Response Phases

Phase 1: Triage (First 2-4 hours)

| Activity | Deliverable |
| --- | --- |
| Situation assessment | Incident classification |
| Scope determination | Affected systems/data |
| Containment decisions | Immediate actions |
| Resource planning | Response team needs |

Phase 2: Investigation (Hours 4-48)

| Activity | Deliverable |
| --- | --- |
| Evidence collection | Forensic images, logs |
| Threat analysis | Attack vector, IOCs |
| Scope refinement | Complete impact assessment |
| Legal coordination | Privilege establishment |

Phase 3: Containment (Concurrent)

| Activity | Deliverable |
| --- | --- |
| Threat isolation | Contained environment |
| Credential remediation | Secure access |
| Network segmentation | Limited spread |
| Monitoring enhancement | Detection of spread |

Phase 4: Eradication

| Activity | Deliverable |
| --- | --- |
| Malware removal | Clean systems |
| Vulnerability remediation | Attack vector closure |
| Backdoor elimination | Persistence removal |
| Validation | Confirmed clean |

Phase 5: Recovery

| Activity | Deliverable |
| --- | --- |
| System restoration | Operational systems |
| Data recovery | Restored data |
| Monitoring | Enhanced detection |
| Validation | Confirmed stability |

Phase 6: Post-Incident

| Activity | Deliverable |
| --- | --- |
| Timeline documentation | Incident chronology |
| Root cause analysis | Attack understanding |
| Lessons learned | Improvement opportunities |
| Regulatory assessment | Notification decisions |
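As an added example that is not part of this SOP: a small Python helper for the Phase 6 chronology deliverable. It orders constructed timeline entries, derives time-to-detect and time-to-contain from them, and checks the detection-to-escalation delay against the response-time targets in the incident classification table above. The phase names, the tuple layout and the sample entries are assumptions.

```python
from datetime import datetime, timedelta

# Escalation targets from the incident classification table; "Immediate" for
# Critical is modelled as zero allowed delay between detection and escalation.
RESPONSE_TARGETS = {
    "Critical": timedelta(0),
    "High": timedelta(hours=4),
    "Medium": timedelta(hours=24),
    "Low": timedelta(hours=72),
}

def build_chronology(events: list) -> list:
    """Order (ISO timestamp, phase, note) tuples so the timeline reads in sequence."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e[0]))

def phase_time(events: list, phase: str):
    """First timestamp recorded for a phase, or None if it never occurred."""
    for ts, ph, _ in build_chronology(events):
        if ph == phase:
            return datetime.fromisoformat(ts)
    return None

def _minutes(later, earlier):
    """Whole minutes between two timestamps; None if either is missing."""
    if later is None or earlier is None:
        return None
    return int((later - earlier) / timedelta(minutes=1))

def incident_metrics(events: list, severity: str) -> dict:
    """Dwell-time figures plus a check of escalation against the severity SLA."""
    compromise = phase_time(events, "compromise")
    detected = phase_time(events, "detection")
    escalated = phase_time(events, "escalation")
    contained = phase_time(events, "containment")
    delay = _minutes(escalated, detected)
    return {
        "minutes_to_detect": _minutes(detected, compromise),
        "minutes_to_contain": _minutes(contained, detected),
        "escalation_within_target": delay is not None
        and timedelta(minutes=delay) <= RESPONSE_TARGETS[severity],
    }

# Constructed sample chronology for a High-severity case (not a real incident),
# entered out of order the way notes arrive during a live response.
SAMPLE_EVENTS = [
    ("2026-02-03T11:20:00", "detection", "EDR alert on file server FS01"),
    ("2026-01-29T22:05:00", "compromise", "Phishing link clicked (from log review)"),
    ("2026-02-03T14:45:00", "escalation", "CISO and IT leadership notified"),
    ("2026-02-03T16:10:00", "containment", "FS01 isolated, affected credentials reset"),
]
```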

Notification Requirements

Regulatory Notification Matrix

| Framework | Threshold | Timeline | Authority |
| --- | --- | --- | --- |
| HIPAA | Unsecured PHI | 60 days (individuals), 60 days (HHS) | HHS OCR |
| State Breach Laws | PII exposure | 30-90 days (varies) | State AG |
| CCPA | CA resident PII | Without unreasonable delay | CA AG |
| GDPR | EU data subject | 72 hours (DPA) | Supervisory Authority |
| SEC | Material breach | 4 business days | SEC |
| NYDFS | Cybersecurity event | 72 hours | NYDFS |

Notification Decision Framework

```text
1. Was there unauthorized access to data?
   ├── No → Document, monitor, no notification
   └── Yes → Continue ↓

2. What data was accessed?
   ├── No sensitive data → Low risk, document
   └── Sensitive data (PII, PHI, financial) → Continue ↓

3. Is harm likely to result?
   ├── No (encrypted, quickly contained) → Document, risk assessment
   └── Yes → Notification likely required ↓

4. Consult legal counsel
   └── Determine specific notification requirements
```
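As an added example that is not part of this SOP: a Python helper that walks steps 1-3 of the decision framework above and, when notification is likely, prepares the step 4 input for counsel by computing each applicable framework's deadline from the fixed clocks in the notification matrix (60 days for HIPAA, 72 hours for GDPR and NYDFS, four business days for SEC). State Breach Laws and CCPA have no single clock in the matrix, so they are returned as "consult counsel". The field names, the ISO-string inputs and the weekend-only business-day rule are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Fixed clocks from the regulatory notification matrix (assumed to run from discovery).
FIXED_CLOCKS = {
    "HIPAA": timedelta(days=60),   # unsecured PHI: individuals and HHS OCR
    "GDPR": timedelta(hours=72),   # EU data subjects: supervisory authority
    "NYDFS": timedelta(hours=72),  # cybersecurity event: NYDFS
}
COUNSEL_ONLY = {"State Breach Laws", "CCPA"}  # "varies" / "without unreasonable delay"

@dataclass
class Incident:
    discovered: str                  # ISO 8601 discovery timestamp
    unauthorized_access: bool        # step 1 of the decision framework
    sensitive_data: bool             # step 2: PII, PHI or financial data involved
    encrypted_and_contained: bool    # step 3: harm unlikely
    frameworks: list = field(default_factory=list)

def add_business_days(start: datetime, days: int) -> datetime:
    """SEC's four-business-day clock; skips weekends (holidays ignored here)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:    # Monday=0 ... Friday=4
            days -= 1
    return current

def notification_decision(inc: Incident) -> str:
    """Walk steps 1-3 of the decision framework and return the outcome."""
    if not inc.unauthorized_access:
        return "document-monitor"
    if not inc.sensitive_data:
        return "low-risk-document"
    if inc.encrypted_and_contained:
        return "risk-assessment"
    return "notification-likely"

def notification_deadlines(inc: Incident) -> dict:
    """Per applicable framework: ISO deadline, or 'consult counsel' with no fixed clock."""
    if notification_decision(inc) != "notification-likely":
        return {}
    start = datetime.fromisoformat(inc.discovered)
    deadlines = {}
    for fw in inc.frameworks:
        if fw == "SEC":
            deadlines[fw] = add_business_days(start, 4).isoformat()
        elif fw in FIXED_CLOCKS:
            deadlines[fw] = (start + FIXED_CLOCKS[fw]).isoformat()
        elif fw in COUNSEL_ONLY:
            deadlines[fw] = "consult counsel"
    return deadlines
```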

Quality Assurance

IR Plan Review Checklist

  • All NIST IR phases addressed
  • Roles and responsibilities clear
  • Contact information current
  • Regulatory requirements covered
  • Communication templates included
  • Playbooks scenario-appropriate
  • Legal review completed

Tabletop Exercise Checklist

  • Scenario realistic for organization
  • All key stakeholders participated
  • Decisions documented
  • Gaps identified
  • Action items assigned
  • After-action report completed

| Service | Connection | SOP Reference |
| --- | --- | --- |
| Managed SOC | Detection capability | managed-soc-sop.md |
| Vulnerability Management | Attack surface reduction | vulnerability-management-sop.md |
| Penetration Testing | Proactive vulnerability ID | pentest-sop.md |
| vCISO | Ongoing security leadership | vcto-vciso-engagement-sop.md |

Evidence Base

Why This Approach Works

| Principle | Evidence | Source |
| --- | --- | --- |
| IR planning reduces costs | $2.66M average savings | IBM 2024 |
| Faster detection = lower cost | 23% cost reduction | IBM 2024 |
| Tested plans perform better | 50% faster containment | Ponemon Institute |
| Tabletops identify gaps | 60% of orgs find issues | SANS IR Survey |

SBK Success Metrics

| Metric | Target | Measurement |
| --- | --- | --- |
| Plan completeness | 100% NIST coverage | Plan review |
| Exercise satisfaction | 4.5+/5.0 | Participant survey |
| Active IR resolution | <7 days avg | Case tracking |
| Client notification compliance | 100% | Case outcomes |

Regulatory References


Last Updated: February 2026 Version: 1.0