# Incident Response Planning SOP
*Sub-procedure of incident-response-sop.md*
## Overview
Detailed procedures for developing comprehensive incident response plans, including IR team structure, communication protocols, regulatory requirements, and playbook development. This sub-procedure covers the IR Plan Development service offering.
## Scope
- Parent SOP: Incident Response
- Pillar: Protect (Security & Compliance)
- Service Area: Incident Response Plan Development
## Prerequisites
- Parent SOP requirements met
- Executive sponsor identified and committed
- Key stakeholders available for interviews
- Current IR documentation gathered (if any exists)
- Compliance requirements identified (HIPAA, PCI, etc.)
- Legal counsel access confirmed
- Insurance carrier requirements known
## Procedure
### Step 1: Current State Assessment
Objective: Understand existing IR capabilities and gaps
Assessment Areas:
| Area | Assessment Focus | Evidence to Collect |
|---|---|---|
| Documentation | Existing IR plan, playbooks, procedures | Current documents |
| Team Structure | IR roles, responsibilities, availability | Org chart, contact list |
| Communication | Notification procedures, escalation paths | Communication plans |
| Detection | Monitoring capabilities, alert sources | SIEM config, alert rules |
| Response | Containment and eradication capabilities | Tools, procedures |
| Recovery | Backup, DR, business continuity | DR plans, backup reports |
| Regulatory | Compliance notification requirements | Regulatory analysis |
| Legal | Outside counsel, privilege procedures | Legal contacts, policies |
| Insurance | Cyber liability coverage, carrier requirements | Policy details |
Stakeholder Interviews:
| Stakeholder | Interview Topics | Duration |
|---|---|---|
| Executive Sponsor | Risk tolerance, resource commitment, decision authority | 60 min |
| IT/Security Leadership | Technical capabilities, detection, response tools | 90 min |
| Legal Counsel | Legal considerations, privilege, notification requirements | 60 min |
| Communications/PR | Crisis communications, media relations | 45 min |
| HR | Employee-related incidents, insider threats | 45 min |
| Business Unit Leaders | Business impact, critical processes, recovery priorities | 45 min |
Gap Analysis Matrix:
| IR Capability | Current State | Target State | Gap |
|---|---|---|---|
| IR Plan Documentation | | | |
| IR Team Structure | | | |
| Detection Capabilities | | | |
| Containment Procedures | | | |
| Recovery Procedures | | | |
| Communication Plan | | | |
| Regulatory Compliance | | | |
| Tabletop Testing | | | |
### Step 2: IR Plan Framework Development
Objective: Establish an IR plan structure aligned with the NIST incident response framework
NIST IR Framework Phases (the NIST SP 800-61 incident response lifecycle, which the plan sections below follow):
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
Plan Section Structure:
| Section | Content | Owner |
|---|---|---|
| Purpose and Scope | Plan objectives, applicability, limitations | SBK |
| Roles and Responsibilities | IR team structure, RACI matrix | SBK + Client |
| Incident Classification | Severity levels, categorization criteria | SBK |
| Preparation | Readiness activities, tools, training | SBK |
| Detection and Analysis | Detection sources, analysis procedures | SBK + IT |
| Containment | Containment strategies by incident type | SBK + IT |
| Eradication | Removal procedures, validation | SBK + IT |
| Recovery | Restoration procedures, verification | SBK + IT |
| Post-Incident | Documentation, lessons learned, reporting | SBK |
| Communication | Internal and external communication plans | SBK + Comms |
| Regulatory Requirements | Notification timelines, authorities | SBK + Legal |
| Contact Lists | Internal and external contacts | Client |
| Appendices | Playbooks, checklists, templates | SBK |
### Step 3: IR Team Structure Definition
Objective: Establish IR team roles and responsibilities
Core IR Team Roles:
| Role | Responsibilities | Typical Title |
|---|---|---|
| IR Lead | Overall incident coordination, decision making | CISO, IT Director |
| Technical Lead | Technical investigation, containment, eradication | Security Engineer, IT Manager |
| Communications Lead | Internal/external communications, media | PR Director, Comms Manager |
| Legal Lead | Legal guidance, privilege, regulatory | General Counsel, Outside Counsel |
| Business Lead | Business impact assessment, recovery priorities | COO, Business Unit Head |
| HR Lead | Employee-related issues, insider incidents | HR Director |
| Executive Sponsor | Final authority, resource allocation | CEO, CFO |
Extended IR Team:
| Role | When Engaged | Responsibilities |
|---|---|---|
| Forensics Specialist | Evidence collection needed | Digital forensics, chain of custody |
| External Counsel | Legal exposure identified | Legal strategy, privilege |
| Public Relations | Media attention anticipated | Crisis communications, media relations |
| Law Enforcement | Criminal activity, required by regulation | Reporting, coordination |
| Insurance Carrier | Significant incident, coverage claim | Coverage, resources, guidance |
| Third-Party IR | Major incident, capacity constraints | Surge support, specialized skills |
RACI Matrix Template:
| Activity | IR Lead | Tech Lead | Comms | Legal | Business | HR | Exec |
|---|---|---|---|---|---|---|---|
| Incident Triage | A | R | I | I | I | I | I |
| Severity Classification | A | R | I | C | C | I | I |
| Containment Decision | A | R | I | C | C | I | C |
| Internal Communication | A | C | R | C | I | C | I |
| External Communication | A | I | R | R | C | I | A |
| Regulatory Notification | A | C | I | R | I | I | A |
| Recovery Prioritization | C | C | I | I | R | I | A |
R=Responsible, A=Accountable, C=Consulted, I=Informed
### Step 4: Incident Classification Development
Objective: Define incident severity levels and response triggers
Severity Classification:
| Severity | Definition | Response Time | Escalation |
|---|---|---|---|
| Critical (1) | Active breach, ransomware, significant data exposure, major business impact | Immediate | Executive, Legal, Board |
| High (2) | Compromised systems, potential data exposure, moderate business impact | 4 hours | CISO, IT Leadership, Legal |
| Medium (3) | Contained malware, suspicious activity, limited impact | 24 hours | Security Team, IT Management |
| Low (4) | Policy violations, minor events, no confirmed compromise | 72 hours | IT Support, Security Analyst |
Incident Categories:
| Category | Examples | Typical Severity |
|---|---|---|
| Malware | Ransomware, trojans, worms, viruses | High-Critical |
| Unauthorized Access | Account compromise, privilege escalation | Medium-Critical |
| Data Breach | Exfiltration, exposure, loss | High-Critical |
| Denial of Service | DDoS, resource exhaustion | Medium-High |
| Insider Threat | Data theft, sabotage, fraud | Medium-Critical |
| Physical | Theft, unauthorized entry | Medium-High |
| Social Engineering | Phishing, pretexting, BEC | Medium-High |
Severity Escalation Triggers:
| Trigger | Action |
|---|---|
| PII/PHI/PCI data confirmed exposed | Escalate to Critical, engage Legal |
| Ransomware detected | Escalate to Critical, isolate affected systems |
| Multiple systems compromised | Escalate to High minimum |
| Business operations impacted | Escalate based on impact duration |
| Media inquiry received | Engage Communications, escalate to Executive |
| Regulatory inquiry | Engage Legal, escalate to Executive |
### Step 5: Communication Plan Development
Objective: Establish internal and external communication procedures
Internal Communication Matrix:
| Audience | When Notified | Communication Method | Content |
|---|---|---|---|
| IR Team | All incidents | Phone/SMS | Incident details, response needed |
| IT Staff | Relevant incidents | Email/Phone | Technical details, actions required |
| Executive Team | High/Critical | Phone, then email | Impact summary, decisions needed |
| Board | Critical | Phone from CEO | Major incident notification |
| All Employees | As needed | | General awareness, instructions |
| Affected Departments | As relevant | Direct communication | Specific impact, guidance |
External Communication Matrix:
| Audience | When Required | Approval Required | Template Needed |
|---|---|---|---|
| Customers | Data affecting them | Legal, Executive | Yes |
| Regulators | Per regulatory requirement | Legal, Executive | Yes |
| Law Enforcement | Criminal activity, legal requirement | Legal | No |
| Media | Media inquiry | Communications, Legal, Executive | Yes |
| Business Partners | If they are affected | Legal, Executive | Yes |
| Insurance Carrier | Significant incident | Legal, Executive | No |
Communication Templates Required:
| Template | Purpose | Owner |
|---|---|---|
| Initial Internal Alert | Notify IR team of incident | IR Lead |
| Executive Briefing | Update executives on incident | IR Lead |
| Employee Notification | Inform staff of incident/precautions | Communications |
| Customer Notification | Notify affected customers | Communications + Legal |
| Regulatory Notification | Meet regulatory requirements | Legal |
| Media Statement | Official statement for press | Communications + Legal |
| Post-Incident Summary | Internal lessons learned | IR Lead |
### Step 6: Regulatory Requirements Integration
Objective: Incorporate compliance notification requirements
Regulatory Notification Matrix:
| Framework | Trigger | Timeline | Authority | Notes |
|---|---|---|---|---|
| HIPAA | Unsecured PHI | 60 days individuals, 60 days HHS | HHS OCR | 500+ individuals: media notice |
| State Breach Laws | PII exposure | 30-90 days (varies by state) | State AG | Check each state of residence |
| CCPA | CA resident PII | Without unreasonable delay | CA AG | Right to know what was exposed |
| GDPR | EU data subject | 72 hours to DPA | Supervisory Authority | Individual notice if high risk |
| PCI DSS | Cardholder data | Immediately to acquirer | Card brands | Forensic investigation required |
| SEC | Material breach | 4 business days | SEC | 8-K filing required |
| NYDFS | Cybersecurity event | 72 hours | NYDFS | Licensed financial services |
| CMMC/DFARS | DoD CUI | 72 hours | DoD DC3 | DIB contractors |
Notification Decision Framework:
- Identify data types involved
- Determine applicable regulations
- Assess notification triggers
- Engage legal counsel for determination
- Prepare notification content
- Execute notifications per timeline
- Document all notifications
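The Step 4 escalation triggers and the Step 6 notification matrix are decision rules that a triage playbook or SOAR step can apply mechanically: severity only ever moves up when a trigger fires, and each applicable framework starts its own clock at discovery. The following is an added example and is not part of this SOP or any SBK tooling. The `IncidentFacts` fields, the trigger keys such as `EU_PERSONAL` and `SEC_MATERIAL`, the 30-day floor used for state breach laws, and the weekend-only business-day calendar are assumptions of the example; it also treats the SEC clock as starting at the supplied timestamp, whereas the rule runs from the materiality determination. CCPA is omitted because the matrix gives it no fixed clock.

```python
"""Severity escalation (Step 4) and notification deadlines (Step 6).

Added example, not part of the SOP. Field names, trigger keys and the
business-day calendar are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Severity rank from the SOP: lower number = more severe.
SEVERITY_RANK = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4}
RESPONSE_TIME = {"Critical": "Immediate", "High": "4 hours",
                 "Medium": "24 hours", "Low": "72 hours"}


@dataclass
class IncidentFacts:
    """Facts known at triage time (fields are an assumption of this example)."""
    initial_severity: str
    regulated_data_exposed: bool = False   # PII/PHI/PCI confirmed exposed
    ransomware: bool = False
    systems_compromised: int = 1
    media_inquiry: bool = False
    regulatory_inquiry: bool = False


def _more_severe(a: str, b: str) -> str:
    return a if SEVERITY_RANK[a] <= SEVERITY_RANK[b] else b


def classify(facts: IncidentFacts):
    """Apply the Step 4 triggers; returns (severity, response time, actions)."""
    severity = facts.initial_severity
    actions = []
    if facts.regulated_data_exposed:
        severity = _more_severe(severity, "Critical")
        actions.append("engage Legal")
    if facts.ransomware:
        severity = _more_severe(severity, "Critical")
        actions.append("isolate affected systems")
    if facts.systems_compromised > 1:          # "Escalate to High minimum"
        severity = _more_severe(severity, "High")
    if facts.media_inquiry:
        actions += ["engage Communications", "escalate to Executive"]
    if facts.regulatory_inquiry:
        actions += ["engage Legal", "escalate to Executive"]
    actions = list(dict.fromkeys(actions))     # de-duplicate, keep order
    return severity, RESPONSE_TIME[severity], actions


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by weekdays only; holidays are not modelled (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


# Step 6 matrix as data: trigger key -> (framework, authority, clock function).
CLOCKS = {
    "PHI": ("HIPAA", "HHS OCR", lambda t: t + timedelta(days=60)),
    "PII": ("State breach laws", "State AG",            # 30-day floor assumed
            lambda t: t + timedelta(days=30)),
    "EU_PERSONAL": ("GDPR", "Supervisory Authority", lambda t: t + timedelta(hours=72)),
    "PCI": ("PCI DSS", "Card brands", lambda t: t),     # "Immediately"
    "SEC_MATERIAL": ("SEC", "SEC", lambda t: add_business_days(t, 4)),
    "NYDFS": ("NYDFS", "NYDFS", lambda t: t + timedelta(hours=72)),
    "DOD_CUI": ("CMMC/DFARS", "DoD DC3", lambda t: t + timedelta(hours=72)),
}


def notification_deadlines(reference: datetime, triggers):
    """Return [(framework, authority, deadline)] sorted earliest first.

    Deadlines are ceilings; per the decision framework, legal counsel makes
    the determination of whether notice is actually owed.
    """
    rows = [(fw, auth, clock(reference))
            for key, (fw, auth, clock) in CLOCKS.items() if key in triggers]
    return sorted(rows, key=lambda r: r[2])


# Constructed sample: discovery on a Friday morning, so the SEC clock spans a weekend.
SAMPLE_DISCOVERY = datetime(2026, 2, 6, 10, 0, tzinfo=timezone.utc)


def sample_deadlines():
    return notification_deadlines(SAMPLE_DISCOVERY, {"EU_PERSONAL", "SEC_MATERIAL", "PII"})


if __name__ == "__main__":
    print(classify(IncidentFacts("Medium", ransomware=True,
                                 systems_compromised=3, media_inquiry=True)))
    for framework, authority, due in sample_deadlines():
        print(f"{due:%Y-%m-%d %H:%M} UTC  {framework:<18} -> {authority}")
```

Run as a script it prints the escalated severity and the three clocks in due order (GDPR first, then SEC, then the state floor). The matrix is kept as data rather than branches so a client's counsel can adjust a clock without touching the logic.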
## Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| Current State Assessment | Report | SBK Consultant |
| IR Plan Document | Word/PDF | SBK Consultant |
| RACI Matrix | Excel | SBK Consultant |
| Incident Classification Guide | | SBK Consultant |
| Communication Templates | Word | SBK + Client Comms |
| Contact List Template | Excel | Client |
| Regulatory Notification Guide | | SBK + Legal |
| IR Plan Training Materials | Slides | SBK |
## Quality Gates
- All key stakeholders interviewed
- Current state gaps documented
- IR team roles and responsibilities defined
- RACI matrix approved by stakeholders
- Incident classification aligned with risk tolerance
- Communication plan reviewed by Legal
- Regulatory requirements mapped and documented
- Communication templates drafted
- IR Plan reviewed by Executive Sponsor
- Legal review completed
- Final approval obtained
## Related Documents
- Parent SOP: incident-response-sop.md

Last Updated: February 2026