Incident Response Plan

IRP-001 · Version 2.0 · Internal

Document ID: IRP-001
Version: 2.0
Effective Date: January 15, 2026
Owner: IT Security Team
Approved By: Chief Information Security Officer
Review Cycle: Annual
Classification: Internal

Severity Classification

Severity Description Response SLA Escalation
S1 — Critical Active breach, ransomware, confirmed data exfiltration 1 hour CISO + CEO within 4 hours
S2 — High Suspected breach, significant system compromise 4 hours CISO within 8 hours
S3 — Medium Malware detected, unauthorized access attempt, policy violation 24 hours IT Security Manager
S4 — Low Phishing email, minor policy violation, suspicious activity 72 hours IT Security team

Phase 1 — Detection & Triage

  1. Any employee who suspects a security incident must report it to the IT Security team via the Security Hotline within 1 hour of discovery.
  2. The on-call Security Analyst must acknowledge the report and create an incident ticket within 30 minutes of notification.
  3. The incident must be assigned a severity level (S1–S4) within 1 hour of the ticket being opened.
  4. For S1 and S2 incidents, the Incident Commander must be notified and must assume command of the response within 2 hours.
  5. Initial evidence collection (logs, screenshots, network captures) must begin immediately and no affected systems may be powered off or wiped without Incident Commander approval.

Phase 2 — Containment

  1. The Incident Commander must approve and document all containment actions before they are executed.
  2. Affected systems must be isolated from the network within the timeframe specified by the severity SLA.
  3. Compromised credentials must be disabled within 15 minutes of identification.
  4. All containment actions must be logged with timestamp, actor, and rationale in the incident ticket.

Phase 3 — Eradication

  1. Root cause analysis must be completed before any affected system is returned to production.
  2. All malware, unauthorized access points, and vulnerabilities identified during the incident must be remediated before eradication is declared complete.
  3. The CISO must sign off on eradication completion for all S1 and S2 incidents.

Phase 4 — Recovery

  1. Systems must be restored from clean, verified backups; recovery from potentially compromised backups requires CISO approval.
  2. All restored systems must pass a security scan before being returned to production.
  3. The business unit owner must sign off on system functionality before the incident is moved to Closed status.
  4. Enhanced monitoring must be maintained on recovered systems for a minimum of 30 days post-recovery.

Phase 5 — Post-Incident Review

A Post-Incident Review (PIR) must be completed within 5 business days of incident containment for all S1 and S2 incidents.

The PIR report must be distributed to the CISO, relevant department heads, and the Board Risk Committee within 3 days of completion.

All action items identified in the PIR must have an assigned owner and target completion date; progress must be reviewed monthly until closed.

Contact List

Role Name Phone Email
CISO Marcus Webb +1 (415) 555-0182 m.webb@veridian-corp.com
Incident Commander Priya Nair +1 (415) 555-0194 p.nair@veridian-corp.com
IT Security Manager Carlos Reyes +1 (415) 555-0207 c.reyes@veridian-corp.com
Data Protection Officer Lisa Kim +1 (415) 555-0231 l.kim@veridian-corp.com
Legal Counsel David Osei +1 (415) 555-0155 d.osei@veridian-corp.com

Regulatory Notification Matrix

Incident TypeHIPAA (HHS OCR)GDPR (Supervisory Authority)FDA (MDR)TimelineOwner
PHI breach <500 individualsAnnual log72 hours if riskN/A unless device-relatedPer regulationDPO
PHI breach ≥500 individuals60 days + media notice72 hoursAssess MDR reportability60 days / 72 hoursDPO + Legal
Device-related patient harmIf PHI involvedIf EU data subjects30-day MDR (Form 3500A)30 daysRegulatory Affairs
Ransomware on PHI systemsBreach assessment required72 hours if personal dataAssess if device data affectedImmediate triageCISO + DPO

Cross-functional notification to Regulatory Affairs is mandatory within 24 hours for any incident involving FDA-regulated device data or manufacturing systems.

2025–2026 Incident Log (Summary)

Incident IDDateSeverityTypeSystems AffectedResolution TimeRegulatory Filing
INC-2025-047Oct 2025S3Phishing — credential harvestEmail6 hoursNone
INC-2025-052Nov 2025S2Suspected data exfiltration attemptCloudHealth API18 hoursHIPAA assessment — no breach
INC-2026-003Jan 2026S3Malware on contractor laptopContractor endpoint4 hoursNone
INC-2026-008Mar 2026S4Policy violation — PHI in SlackSlack2 hoursInternal remediation