Incident Response Plan
IRP-001 · Version 2.0 · Internal
| Document ID: | IRP-001 |
| Version: | 2.0 |
| Effective Date: | January 15, 2026 |
| Owner: | IT Security Team |
| Approved By: | Chief Information Security Officer |
| Review Cycle: | Annual |
| Classification: | Internal |
Severity Classification
| Severity | Description | Response SLA | Escalation |
|---|---|---|---|
| S1 — Critical | Active breach, ransomware, confirmed data exfiltration | 1 hour | CISO + CEO within 4 hours |
| S2 — High | Suspected breach, significant system compromise | 4 hours | CISO within 8 hours |
| S3 — Medium | Malware detected, unauthorized access attempt, policy violation | 24 hours | IT Security Manager |
| S4 — Low | Phishing email, minor policy violation, suspicious activity | 72 hours | IT Security team |
Phase 1 — Detection & Triage
- Any employee who suspects a security incident must report it to the IT Security team via the Security Hotline within 1 hour of discovery.
- The on-call Security Analyst must acknowledge the report and create an incident ticket within 30 minutes of notification.
- The incident must be assigned a severity level (S1–S4) within 1 hour of the ticket being opened.
- For S1 and S2 incidents, the Incident Commander must be notified and must assume command of the response within 2 hours.
- Initial evidence collection (logs, screenshots, network captures) must begin immediately and no affected systems may be powered off or wiped without Incident Commander approval.
Phase 2 — Containment
- The Incident Commander must approve and document all containment actions before they are executed.
- Affected systems must be isolated from the network within the timeframe specified by the severity SLA.
- Compromised credentials must be disabled within 15 minutes of identification.
- All containment actions must be logged with timestamp, actor, and rationale in the incident ticket.
Phase 3 — Eradication
- Root cause analysis must be completed before any affected system is returned to production.
- All malware, unauthorized access points, and vulnerabilities identified during the incident must be remediated before eradication is declared complete.
- The CISO must sign off on eradication completion for all S1 and S2 incidents.
Phase 4 — Recovery
- Systems must be restored from clean, verified backups; recovery from potentially compromised backups requires CISO approval.
- All restored systems must pass a security scan before being returned to production.
- The business unit owner must sign off on system functionality before the incident is moved to Closed status.
- Enhanced monitoring must be maintained on recovered systems for a minimum of 30 days post-recovery.
Phase 5 — Post-Incident Review
A Post-Incident Review (PIR) must be completed within 5 business days of incident containment for all S1 and S2 incidents.
The PIR report must be distributed to the CISO, relevant department heads, and the Board Risk Committee within 3 days of completion.
All action items identified in the PIR must have an assigned owner and target completion date; progress must be reviewed monthly until closed.
Contact List
| Role | Name | Phone | |
|---|---|---|---|
| CISO | Marcus Webb | +1 (415) 555-0182 | m.webb@veridian-corp.com |
| Incident Commander | Priya Nair | +1 (415) 555-0194 | p.nair@veridian-corp.com |
| IT Security Manager | Carlos Reyes | +1 (415) 555-0207 | c.reyes@veridian-corp.com |
| Data Protection Officer | Lisa Kim | +1 (415) 555-0231 | l.kim@veridian-corp.com |
| Legal Counsel | David Osei | +1 (415) 555-0155 | d.osei@veridian-corp.com |
Regulatory Notification Matrix
| Incident Type | HIPAA (HHS OCR) | GDPR (Supervisory Authority) | FDA (MDR) | Timeline | Owner |
|---|---|---|---|---|---|
| PHI breach <500 individuals | Annual log | 72 hours if risk | N/A unless device-related | Per regulation | DPO |
| PHI breach ≥500 individuals | 60 days + media notice | 72 hours | Assess MDR reportability | 60 days / 72 hours | DPO + Legal |
| Device-related patient harm | If PHI involved | If EU data subjects | 30-day MDR (Form 3500A) | 30 days | Regulatory Affairs |
| Ransomware on PHI systems | Breach assessment required | 72 hours if personal data | Assess if device data affected | Immediate triage | CISO + DPO |
Cross-functional notification to Regulatory Affairs is mandatory within 24 hours for any incident involving FDA-regulated device data or manufacturing systems.
2025–2026 Incident Log (Summary)
| Incident ID | Date | Severity | Type | Systems Affected | Resolution Time | Regulatory Filing |
|---|---|---|---|---|---|---|
| INC-2025-047 | Oct 2025 | S3 | Phishing — credential harvest | 6 hours | None | |
| INC-2025-052 | Nov 2025 | S2 | Suspected data exfiltration attempt | CloudHealth API | 18 hours | HIPAA assessment — no breach |
| INC-2026-003 | Jan 2026 | S3 | Malware on contractor laptop | Contractor endpoint | 4 hours | None |
| INC-2026-008 | Mar 2026 | S4 | Policy violation — PHI in Slack | Slack | 2 hours | Internal remediation |