1. Purpose
[Company Legal Name] ("Company") detects, contains, and recovers from security incidents in a structured, repeatable way to protect customer data, meet contractual and regulatory obligations, and continuously improve. This plan supports SOC 2 CC7.3 (incident handling) and CC7.4 (incident response and recovery), and is aligned to NIST SP 800-61 r2.
2. Scope and Definitions
This plan covers any event that compromises or threatens the confidentiality, integrity, or availability of Company information assets, customer data, or production services. An "Event" is an observable occurrence; a "Security Incident" is an Event with confirmed or suspected adverse impact.
3. Severity Matrix
Incidents are classified at first triage and reclassified as facts emerge:
- SEV-1 (Critical) — Confirmed breach of customer data, full production outage, or active intrusion. Examples: ransomware, mass data exfiltration. Engages exec team, counsel, and the external IR retainer
- SEV-2 (High) — Significant impact to one customer, contained intrusion, or single-tenant outage. Engages full IR team
- SEV-3 (Medium) — Single-user compromise, suspicious activity requiring investigation, vulnerability with no confirmed exploitation
- SEV-4 (Low) — Routine alert (failed phishing, blocked malware) — closed by security on-call
4. Incident Response Team
- IR Commander: Security on-call lead; runs the incident
- Tech Lead: Senior engineer for the affected system
- Comms Lead: Designated customer + regulator communication owner
- Legal: Counsel for regulator / disclosure decisions
- Executive Sponsor: CTO or CEO; convened for SEV-1 and SEV-2
- Scribe: Maintains the incident timeline in the IR channel
5. Phase 1 — Preparation
- Quarterly on-call rotation published; backup on-call always identified
- IR runbooks maintained for top scenarios (ransomware, credential leak, cloud-account compromise, third-party breach)
- External IR retainer and forensic firm pre-engaged with executed MSA + NDA
- Annual tabletop exercise (see Section 11) with executive participation
6. Phase 2 — Detection and Analysis
- Detection sources: SIEM alerts, EDR alerts, customer report, third-party notification, employee report (security@[company-domain])
- On-call acknowledges any SEV-3+ alert within fifteen (15) minutes
- Within one (1) hour: severity classified, IR channel opened, scribe assigned, initial scope documented
- Within four (4) hours of SEV-1/2: executive sponsor briefed; legal counsel engaged
7. Phase 3 — Containment, Eradication, Recovery
- Short-term containment (isolate hosts, revoke credentials, block IOCs) prioritised over evidence-gathering for active threats
- Forensic image / log snapshot captured before destructive eradication where feasible
- Eradication: remove backdoors, rotate all credentials in blast radius, patch root cause
- Recovery: restore from clean backup; monitor closely for re-infection over the following seven (7) days
8. Customer Notification
For any incident materially impacting customer data or service availability, the Comms Lead notifies affected customers within the timeline specified in the Master Services Agreement or within seventy-two (72) hours after confirmation of impact, whichever is sooner. Notification includes the nature of the incident, data categories affected, actions taken, and recommended customer-side steps.
9. Regulator and Authority Notification
- GDPR (where Company is Controller): notify lead Supervisory Authority within 72 hours of awareness (Art. 33) and affected data subjects without undue delay where high-risk (Art. 34)
- HIPAA (where Company is Covered Entity): notify HHS and affected individuals within 60 calendar days of discovery (45 CFR §164.404)
- SEC (if material to a public Company): file Form 8-K Item 1.05 within four (4) business days of determining materiality
- State Attorneys General and consumer notification per applicable state breach-notification statutes
- Where Company is a Processor / Business Associate: notify upstream Controller per the executed DPA / BAA
10. Evidence Preservation
Logs, system images, memory snapshots, and IR channel transcripts are preserved for at least one (1) year, and longer if a litigation hold applies. Chain of custody is documented for any artifact handed to the external forensic firm or to law enforcement.
11. Tabletop Exercises
Company conducts at least one tabletop exercise per year, exercising a SEV-1 scenario with executive sponsor, IR Commander, Comms Lead, and Legal. Results, gaps, and remediation actions are documented and tracked to closure. Evidence retained for SOC 2 audit sample.
12. Post-Incident Review
Within ten (10) business days of incident closure, IR Commander leads a blameless post-mortem covering: timeline, root cause, what worked, what failed, customer / regulator impact, and concrete remediation actions with owners and due dates. Remediation items are tracked in the Security Backlog until closed.
13. Review
This plan is reviewed at least annually and after any SEV-1 or SEV-2 incident or material environment change. Next review: [Annual Review Date].
Disclaimer: This template is provided for general informational purposes only and does not constitute legal advice. Customise to your specific facts and have counsel review before execution.