Incident Response Plan

Security Incident Response Plan

Framework for detecting, containing, and recovering from security breaches with GDPR compliance tracking.

Incident Classification & Response

  Severity   Initial response   Required action
  Critical   0-1 hour           Activate Crisis Team
  High       1-4 hours          Notify Exec Team
  Medium     4-8 hours          Team Coordination
  Low        24 hours           Standard Process

GDPR Notification Timeline

72-hour notification requirement to DPA (Data Protection Authority) for high-risk breaches.

Time Until DPA Notification (72h): the countdown starts from the recorded detection time (set the detection time to activate it).
Regulatory Status: pending (a high-risk breach requires notification).
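As an added example (not part of the plan's own tooling), the following Python models the classification table and the 72-hour DPA window above: given a detection time and severity it returns the initial-response deadline and required action, and reports the notification status the way the counter does (pending, overdue, notified). The class and function names, and the `notification_required` flag that stands in for the plan's "high-risk breach" test, are assumptions of this example.

```python
"""Response-deadline and GDPR Article 33 notification tracker (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Severity -> (maximum time to initial response, required action), taken from the plan's table
RESPONSE_SLA = {
    "critical": (timedelta(hours=1), "Activate Crisis Team"),
    "high": (timedelta(hours=4), "Notify Exec Team"),
    "medium": (timedelta(hours=8), "Team Coordination"),
    "low": (timedelta(hours=24), "Standard Process"),
}

DPA_NOTIFICATION_WINDOW = timedelta(hours=72)  # 72 hours from detection


def utc(*args):
    """Build a timezone-aware UTC datetime; naive timestamps are rejected below."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class Incident:
    detected_at: datetime                 # must be timezone-aware
    severity: str                         # one of RESPONSE_SLA's keys
    notification_required: bool           # assumed flag: breach is high-risk, so the DPA must be told
    dpa_notified_at: Optional[datetime] = None

    def __post_init__(self):
        if self.detected_at.tzinfo is None:
            raise ValueError("detected_at must be timezone-aware")
        if self.severity not in RESPONSE_SLA:
            raise ValueError(f"unknown severity {self.severity!r}")

    def response_deadline(self):
        return self.detected_at + RESPONSE_SLA[self.severity][0]

    def required_action(self):
        return RESPONSE_SLA[self.severity][1]

    def dpa_deadline(self):
        return self.detected_at + DPA_NOTIFICATION_WINDOW

    def dpa_status(self, now):
        """Regulatory status at time `now`, mirroring the plan's status field."""
        if not self.notification_required:
            return "not_required"
        if self.dpa_notified_at is not None:
            return "notified" if self.dpa_notified_at <= self.dpa_deadline() else "notified_late"
        return "pending" if now < self.dpa_deadline() else "overdue"

    def time_remaining(self, now):
        """Time left until the DPA deadline, formatted like the counter ('71h 30m')."""
        remaining = self.dpa_deadline() - now
        if remaining <= timedelta(0):
            return "00h 00m"
        total_minutes = int(remaining.total_seconds() // 60)
        return f"{total_minutes // 60:02d}h {total_minutes % 60:02d}m"


if __name__ == "__main__":
    # Constructed sample incident: detected 2024-03-01 10:00 UTC, classified High
    inc = Incident(utc(2024, 3, 1, 10, 0), "high", notification_required=True)
    now = utc(2024, 3, 1, 10, 30)
    print(inc.required_action(), "by", inc.response_deadline().isoformat())
    print("DPA:", inc.dpa_status(now), inc.time_remaining(now))
```

The status logic keeps "pending" and "overdue" distinct so a dashboard can escalate on the latter, and it records late notifications separately rather than silently treating them as compliant.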
1. Detection (0-2 hours)

Initial identification and confirmation of security incident.

Actions Checklist

  • Confirm incident through multiple monitoring channels (SIEM, alerts, user reports)
  • Document initial findings (date, time, systems affected, indicators of compromise)
  • Activate incident response team
  • Determine initial severity classification
  • Preserve evidence (logs, memory dumps, screenshots)

2. Containment (2-6 hours)

Stop spread of incident and protect unaffected systems.

Actions Checklist

  • Isolate affected systems from network (if safe to do so)
  • Disable compromised user accounts and API keys
  • Reset credentials for privileged accounts
  • Block malicious IP addresses / domains at firewall
  • Revoke active sessions and connections
  • Notify infrastructure / operations team
  • Prepare rollback / contingency plan

3. Eradication (6-24 hours)

Remove root cause of incident and prevent reinfection.

Actions Checklist

  • Analyze root cause (vulnerability, misconfiguration, social engineering)
  • Patch or remove malware/backdoors
  • Apply security patches to affected systems
  • Perform forensic analysis (disk imaging, log analysis)
  • Rebuild affected systems from clean state
  • Verify incident vector is closed

4. Recovery (1-3 days)

Restore systems to full operation and verify functionality.

Actions Checklist

  • Restore systems from clean backups
  • Verify data integrity post-restoration
  • Test all critical services and functionality
  • Restore user access and validate authentication
  • Re-enable monitoring and alerting
  • Communicate service restoration to users
  • Monitor systems closely for signs of reinfection

5. Post-Mortem & Lessons Learned (1 week)

Review incident, document findings, and implement preventive measures.

Actions Checklist

  • Schedule post-mortem meeting (within 3-5 days)
  • Gather full timeline and supporting evidence
  • Document what went well and what could improve
  • Identify action items and assign owners
  • Update security policies and incident procedures
  • Implement preventive security measures
  • Conduct security training if needed
  • Archive all incident documentation

Evidence Preservation Checklist

Critical for forensics and legal compliance (preserve chain of custody).

  • Isolate affected systems without modifying data
  • Create forensic images of compromised disks (full bit-for-bit copy)
  • Preserve memory dumps and volatile data before shutdown
  • Collect all relevant logs (auth, application, network, firewall)
  • Document all manual actions taken during response
  • Maintain chain of custody for all evidence
  • Store evidence in secure, controlled location
  • Consider legal hold to prevent data deletion
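As an added example that is not part of the plan, the following Python keeps an append-only chain-of-custody register for the evidence items above: it hashes each forensic image on acquisition, re-hashes at every hand-over, and flags any later modification as a custody break. The register format, the `EV-001` identifier and the sample image are constructed for illustration.

```python
"""Chain-of-custody register for forensic evidence (added example, constructed sample data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyRegister:
    """Append-only log of who held each evidence item, when, and what its hash was."""

    def __init__(self):
        self.entries = []

    def _record(self, **fields):
        fields["recorded_at"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(fields)

    def acquire(self, evidence_id, path, handler, note):
        """First entry for an item: the hash taken here is the reference for all later checks."""
        digest = sha256_file(path)
        self._record(evidence_id=evidence_id, action="acquired", handler=handler,
                     path=os.path.basename(path), sha256=digest, note=note)
        return digest

    def reference_hash(self, evidence_id):
        for e in self.entries:
            if e["evidence_id"] == evidence_id and e["action"] == "acquired":
                return e["sha256"]
        raise KeyError(f"no acquisition record for {evidence_id}")

    def verify(self, evidence_id, path):
        """True if the item still matches its acquisition hash."""
        return sha256_file(path) == self.reference_hash(evidence_id)

    def transfer(self, evidence_id, path, from_handler, to_handler):
        """Hand-over between handlers; re-hashing at this point is what makes the chain auditable."""
        digest = sha256_file(path)
        intact = digest == self.reference_hash(evidence_id)
        self._record(evidence_id=evidence_id, action="transferred", handler=to_handler,
                     from_handler=from_handler, path=os.path.basename(path),
                     sha256=digest, integrity_ok=intact)
        return intact

    def export(self):
        """JSON dump suitable for storing alongside the evidence in the controlled location."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed scenario: acquire, hand over intact, then detect a post-transfer modification."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "host01-sda.img")  # constructed stand-in for a disk image
        with open(img, "wb") as f:
            f.write(b"constructed sample image bytes\n" * 1000)
        reg = CustodyRegister()
        reg.acquire("EV-001", img, "analyst.a", "bit-for-bit image of host01 /dev/sda")
        intact_at_transfer = reg.transfer("EV-001", img, "analyst.a", "analyst.b")
        with open(img, "ab") as f:
            f.write(b"x")  # simulate an unauthorised change after hand-over
        still_valid = reg.verify("EV-001", img)
        return intact_at_transfer, still_valid, len(reg.entries)


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

Hashing on acquisition and again at each transfer is what lets a later reviewer show the image was unchanged while in each handler's custody; storing the exported register separately from the evidence keeps one compromise from rewriting both.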

Communication Templates

Internal Notification (Team)

SUBJECT: Security Incident - [TYPE] - [TIME]

Hi Team,

We have identified a security incident affecting [SYSTEM/SERVICE].

Details:
TIME: [DETECTION TIME]
IMPACT: [DESCRIPTION OF IMPACT]
STATUS: [CURRENT STATUS]
NEXT STEPS: [ACTION BEING TAKEN]

For questions, contact: [INCIDENT LEAD]

[COMPANY] Security Team

DPA Notification (72-hour)

RECIPIENT: [DPA EMAIL]
Subject: Data Breach Notification - Article 33 GDPR

Dear [DPA NAME],

We are notifying you of a personal data breach affecting [NUMBER] data subjects.

DATE: [DETECTION DATE]
TYPE OF BREACH: [DESCRIPTION]
DATA CATEGORIES: [PII, EMAIL, PAYMENT, etc.]
INDIVIDUALS AFFECTED: [NUMBER]
MEASURES TAKEN: [ACTIONS]
CONTACT: [COMPANY CONTACT]

Detailed assessment attached.

Sincerely,
[COMPANY] Data Protection Officer

Customer Notification

SUBJECT: Security Incident - Important Information

Dear Customer,

On [DATE], we identified a security incident affecting your account. We wanted to inform you immediately.

WHAT HAPPENED: [DESCRIPTION]
YOUR DATA: [WHAT WAS POTENTIALLY EXPOSED]
WHAT WE'RE DOING: [REMEDIATION STEPS]
YOUR ACTIONS: [RECOMMENDATIONS]
SUPPORT: [CONTACT INFO]

We take your security seriously.

Sincerely,
[COMPANY] Security Team

Media / Public Statement

On [DATE], [COMPANY] identified and contained a security incident affecting [SCOPE].

FACTS:
- [FACT 1]
- [FACT 2]
- [FACT 3]

RESPONSE:
- [ACTION 1]
- [ACTION 2]
- [ACTION 3]

ONGOING: We continue to work with security experts. Customer privacy is our priority.

Contact: [MEDIA CONTACT]

Incident Timeline

Detection: Incident identified through monitoring