# Incident Response Playbook

Acme Corp Tactical Response Procedures

- Version: 1.0
- Date: November 11, 2025
- Classification: Internal - Confidential
- Distribution: Incident Response Team, IT Security, IT Operations, Management
## Purpose

This Incident Response Playbook provides tactical, step-by-step procedures for responding to security incidents. It translates the Incident Response Policy (SEC-004) into actionable response procedures, decision trees, and communication templates.

Policy Reference: SEC-004: Incident Response and Reporting Policy

When to Use This Playbook:
- Security breach or suspected breach
- Malware infection or ransomware attack
- Unauthorized access to systems or data
- Data breach or potential PHI exposure
- Denial of service or system outage
- Insider threat or policy violation
- Lost or stolen devices containing sensitive data
- Phishing attack or social engineering
- Any other security incident
## Table of Contents
- Quick Reference
- Incident Classification and Severity
- Incident Response Team
- Phase 1: Detection and Reporting
- Phase 2: Initial Response and Triage
- Phase 3: Containment
- Phase 4: Eradication
- Phase 5: Recovery
- Phase 6: Post-Incident Activities
- Incident-Specific Playbooks
- Communication Templates
- Contact Lists
## Quick Reference

### Immediate Actions (First 15 Minutes)

If you discover or suspect a security incident:

- DO NOT panic or make hasty decisions
- DO NOT shut down systems unless instructed (may destroy evidence)
- IMMEDIATELY REPORT the incident:
  - Email: security@acmecorp.com
  - Phone: IT Helpdesk (555) 123-4567
  - Slack: #security-incidents channel
  - Internal incident reporting system
- PRESERVE EVIDENCE: Take screenshots, note times, save logs
- DOCUMENT everything: Who, what, when, where, why, how
- WAIT for IR team instructions before taking additional action
### Critical Contact Information

Emergency Contacts:
- Incident Response Lead: John Smith - (555) 123-4567 - hr@acmecorp.com
- CISO: John Smith - (555) 123-4567 - hr@acmecorp.com
- CTO: John Smith - (555) 123-4567 - hr@acmecorp.com
- IT Security On-Call: (555) 123-4567
- After-Hours Escalation: (555) 123-4567

External Contacts:
- Legal Counsel: John Smith - (555) 123-4567 - hr@acmecorp.com
- Cyber Insurance: Fidelity Investments - (555) 123-4567 - POL-2025-001
- Forensics Firm: Mandiant - (555) 123-4567
- Law Enforcement (if needed): FBI Cyber Division (555) 123-4567
### Incident Severity Quick Reference
| Severity | Examples | Response Time | Escalation |
|---|---|---|---|
| P1 - Critical | Active data breach, ransomware, PHI exposure | 15 minutes | CISO, CTO, CEO |
| P2 - High | Major vulnerability, significant data loss, service degradation | 1 hour | CISO, CTO |
| P3 - Medium | Minor security incident, limited exposure, isolated issue | 4 hours | IT Security Manager |
| P4 - Low | Suspected incident, policy violation, potential vulnerability | 1 business day | IT Security Team |
## Incident Classification and Severity

### Severity Levels (Policy Reference: SEC-004)

#### P1 - Critical

Definition: Major incident with significant impact to systems, data, or operations

Examples:
- Active data breach with confirmed unauthorized access
- Ransomware infection affecting multiple systems
- Protected Health Information (PHI) or PII exposure
- Complete system outage affecting business operations
- Successful cyberattack with data exfiltration
- Insider threat with malicious intent
- Major vulnerability being actively exploited

Response Requirements:
- Report within: 15 minutes of discovery
- Incident Response Team: Full team activation
- Escalation: CISO, CTO, CEO, Legal
- Communication: Immediate stakeholder notification
- After-Hours: Immediately contact on-call team

#### P2 - High

Definition: Significant security incident requiring urgent attention

Examples:
- Significant security vulnerability requiring immediate patching
- Partial data loss or corruption
- Major service degradation
- Attempted breach with evidence of reconnaissance
- Compromised administrative account
- DDoS attack affecting services
- Multiple malware infections

Response Requirements:
- Report within: 1 hour of discovery
- Incident Response Team: Core team activation
- Escalation: CISO, CTO
- Communication: Management notification within 2 hours
- After-Hours: Contact on-call if business-impacting

#### P3 - Medium

Definition: Minor security incident with limited impact

Examples:
- Minor security incident contained to a single user/system
- Limited data exposure (non-sensitive)
- Isolated system issue or malfunction
- Failed phishing attempt reported
- Policy violation (non-malicious)
- Suspected but unconfirmed security event

Response Requirements:
- Report within: 4 hours of discovery
- Incident Response Team: Security team investigation
- Escalation: IT Security Manager
- Communication: Daily status updates
- After-Hours: Can wait until next business day

#### P4 - Low

Definition: Suspected incident or informational event

Examples:
- Potential vulnerability requiring assessment
- Unusual but explained activity
- Security question or concern
- Low-severity policy violation
- Informational security events

Response Requirements:
- Report within: 1 business day
- Incident Response Team: Assigned security analyst
- Escalation: As needed based on findings
- Communication: Weekly summary report
- After-Hours: Document and address next business day
## Incident Response Team

### Core Team Roles and Responsibilities
| Role | Responsibilities | Primary Contact | Backup Contact |
|---|---|---|---|
| Incident Commander | Overall incident coordination and decision-making | John Smith - (555) 123-4567 | John Smith - (555) 123-4567 |
| CISO / Security Lead | Security expertise, threat analysis, containment strategy | John Smith - (555) 123-4567 | John Smith - (555) 123-4567 |
| IT Operations Lead | System access, infrastructure, technical implementation | John Smith - (555) 123-4567 | John Smith - (555) 123-4567 |
| Communications Lead | Internal and external communications | John Smith - (555) 123-4567 | John Smith - (555) 123-4567 |
| Legal Counsel | Legal implications, regulatory requirements, law enforcement | John Smith - (555) 123-4567 | John Smith - (555) 123-4567 |
| HR Representative | Employee-related incidents, policy violations | John Smith - (555) 123-4567 | John Smith - (555) 123-4567 |
| Scribe / Documentation | Document all activities, decisions, and timelines | John Smith - (555) 123-4567 | John Smith - (555) 123-4567 |
### Team Activation Process

P1 - Critical Incidents:
1. First responder calls Incident Commander
2. Incident Commander activates full team via:
   - Emergency contact list (phone calls)
   - #incident-response Slack channel
   - Incident response platform
3. Team assembles in [WAR ROOM / VIRTUAL MEETING]
4. Incident Commander conducts initial briefing

P2 - High Incidents:
1. Security team member notifies CISO and IT Operations Lead
2. Core team activated as needed
3. Team coordination via Slack and scheduled calls

P3/P4 - Medium/Low Incidents:
1. Assigned to security analyst
2. Escalate to broader team if severity increases
## Phase 1: Detection and Reporting

### Detection Methods

Incidents may be detected through:
- Automated monitoring alerts (SIEM, IDS/IPS, endpoint security)
- User reports (employees reporting suspicious activity)
- Security tool notifications (antivirus, DLP, firewall alerts)
- External notifications (vendors, partners, customers, security researchers)
- Security audits or reviews

### Reporting Procedure

**Step 1: Recognize the Incident**

If you observe any of the following, report immediately:
- Unexpected system behavior or errors
- Suspicious emails or phishing attempts
- Unauthorized access or login attempts
- Missing or modified data
- Malware or antivirus alerts
- Unusually slow system performance
- Unexpected network activity
- Lost or stolen devices
- Accidental disclosure of sensitive data

**Step 2: Report the Incident**

During Business Hours:
- Email: security@acmecorp.com
- Phone: IT Helpdesk (555) 123-4567
- Slack: #security-incidents channel
- Online: https://incidents.acmecorp.com

After Hours (P1/P2 only):
- On-Call Security: (555) 123-4567
- Incident Commander: (555) 123-4567
- CISO: (555) 123-4567

**Step 3: Provide Information**

When reporting, include:
- Who: Your name and contact information
- What: Description of the incident (what happened?)
- When: Date and time of incident discovery
- Where: Affected systems, applications, locations
- How: How was the incident discovered?
- Impact: Suspected impact (data, systems, users affected)
- Evidence: Screenshots, error messages, logs

**Step 4: Preserve Evidence**

DO:
- Take screenshots of error messages or suspicious activity
- Note exact times and dates
- Save relevant emails or messages
- Document who you've told about the incident
- Leave systems running unless instructed otherwise

DO NOT:
- Delete files or emails
- Shut down systems (may destroy evidence)
- Attempt to "fix" the problem yourself
- Discuss the incident publicly or on social media
- Access systems you don't normally use to "investigate"
## Phase 2: Initial Response and Triage

- Timeline: First 30 minutes after report
- Responsible: Incident Response Team

### Step 1: Acknowledge and Log Incident (0-5 minutes)

- ☐ Log incident in tracking system (Jira, ServiceNow, etc.)
  - Assign incident ticket number
  - Record reporter information
  - Document initial description
- ☐ Acknowledge receipt to reporter
  - Confirm incident received
  - Provide ticket number
  - Set expectation for next update
- ☐ Notify Incident Response Team
  - Alert appropriate team members based on severity
  - Provide initial details
  - Schedule initial response call if P1/P2

### Step 2: Initial Assessment (5-15 minutes)

- ☐ Gather additional information:
  - Interview the reporter (if available)
  - Review relevant logs and alerts
  - Check monitoring systems for related events
  - Identify affected systems, users, and data
- ☐ Determine scope:
  - How many systems/users are affected?
  - What data is involved?
  - Is the incident ongoing or contained?
  - When did it start?
- ☐ Assess impact:
  - Data confidentiality, integrity, or availability affected?
  - Business operations impacted?
  - Compliance implications (HIPAA, PII, etc.)?
  - Customer impact?

### Step 3: Classify and Prioritize (15-20 minutes)

- ☐ Assign severity level (P1, P2, P3, P4)
  - Use the severity matrix above
  - Document classification rationale
- ☐ Identify attack vector (if applicable):
  - Phishing/social engineering
  - Malware/ransomware
  - Unauthorized access
  - Misconfiguration
  - Insider threat
  - Physical security
  - Unknown
- ☐ Determine whether the incident is confirmed or suspected
  - Confirmed: Evidence of an actual incident
  - Suspected: Anomalous activity requiring investigation

### Step 4: Escalate and Mobilize (20-30 minutes)

- ☐ Escalate to appropriate stakeholders:
  - P1: CISO, CTO, CEO, Legal, Incident Commander
  - P2: CISO, CTO, Incident Commander
  - P3: IT Security Manager
  - P4: Assigned security analyst
- ☐ Activate Incident Response Team (for P1/P2):
  - Send activation notification
  - Schedule emergency response call/meeting
  - Assemble in war room or virtual meeting
  - Brief team on situation
- ☐ Assign roles:
  - Incident Commander
  - Lead investigator
  - Technical responders
  - Scribe/documentation
  - Communications lead
- ☐ Begin timeline documentation:
  - Start incident timeline spreadsheet/document
  - Record all actions taken
  - Document all decisions made
  - Track key timestamps
## Phase 3: Containment

Objective: Stop the incident from spreading and limit damage

- Timeline: Immediate (within 1-2 hours for P1/P2)
- Responsible: IT Security Team, IT Operations

### Short-Term Containment (Immediate Actions)

- ☐ Isolate affected systems:
  - Disconnect from network (if safe to do so)
  - Disable user accounts involved
  - Block malicious IP addresses/domains at firewall
  - Disable compromised services or applications
  - Revoke VPN access if a remote user is involved
- ☐ Prevent lateral movement:
  - Monitor for spread to other systems
  - Segment network if necessary
  - Disable file sharing or remote access
  - Increase monitoring on critical systems
- ☐ Preserve evidence:
  - Take system snapshots/images before making changes
  - Collect and preserve logs
  - Document system state (running processes, network connections)
  - Collect memory dumps if appropriate
  - Photograph or screenshot evidence
  - Maintain chain of custody log
- ☐ Protect critical assets:
  - Secure backups (ensure they're clean and isolated)
  - Increase monitoring on crown jewel systems
  - Implement additional access controls temporarily
  - Enable enhanced logging if not already active
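The evidence-preservation items above (collect logs and system-state captures, maintain a chain of custody log), as an added example that is not part of the Acme playbook: each collected artifact is hashed into a manifest at collection time, every hand-off is appended to the custody log, and the stored copies can later be re-hashed to prove nothing changed. The incident ID, host name, analyst names and artifact contents are constructed placeholders.

```python
"""Chain-of-custody manifest for evidence collected during containment.

Added example, not part of the Acme playbook. The artifact contents written
by demo() are constructed stand-ins for real process/connection captures.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def _utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so disk images and memory dumps fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def create_manifest(incident_id, collector, host, artifact_paths):
    """Hash every artifact at collection time and open the custody log."""
    artifacts = [
        {"path": os.path.basename(p), "sha256": sha256_file(p), "size": os.path.getsize(p)}
        for p in sorted(artifact_paths)
    ]
    return {
        "incident_id": incident_id,
        "host": host,
        "artifacts": artifacts,
        "custody": [{"event": "collected", "by": collector, "at": _utc_now(),
                     "note": f"{len(artifacts)} artifact(s) hashed on {host}"}],
    }


def add_custody_event(manifest, event, by, note=""):
    """Append a hand-off, copy or analysis step; earlier entries are never rewritten."""
    manifest["custody"].append({"event": event, "by": by, "at": _utc_now(), "note": note})
    return manifest


def manifest_digest(manifest):
    """Digest of the artifact list alone. Record it in the incident ticket so the
    manifest itself can later be checked against what was logged at collection."""
    canonical = json.dumps(manifest["artifacts"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_manifest(manifest, evidence_dir):
    """Re-hash the stored copies; returns one line per missing or altered artifact."""
    problems = []
    for entry in manifest["artifacts"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            problems.append(f"{entry['path']}: missing")
        elif os.path.getsize(path) != entry["size"] or sha256_file(path) != entry["sha256"]:
            problems.append(f"{entry['path']}: altered")
    return problems


def demo():
    """Collect two constructed artifacts, hand them off, then simulate tampering.
    Returns (problems_before, problems_after, digest)."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        captures = {  # constructed stand-ins for 'ps' and 'ss' output
            "processes.txt": "PID   USER  COMMAND\n1     root  /sbin/init\n4242  svc   /opt/app/agent\n",
            "connections.txt": "tcp ESTAB 0 0 10.0.0.5:443 198.51.100.7:51234\n",
        }
        paths = []
        for name, content in captures.items():
            p = os.path.join(evidence_dir, name)
            with open(p, "w", encoding="utf-8") as fh:
                fh.write(content)
            paths.append(p)

        manifest = create_manifest("INC-EXAMPLE-0001", "analyst.one", "ws-example-01", paths)
        add_custody_event(manifest, "transferred", "analyst.two", "copied to evidence share")
        before = verify_manifest(manifest, evidence_dir)

        # Simulate a later, undocumented modification of the process capture.
        with open(paths[0], "a", encoding="utf-8") as fh:
            fh.write("9999  root  /tmp/added-later\n")
        after = verify_manifest(manifest, evidence_dir)
        return before, after, manifest_digest(manifest)


if __name__ == "__main__":
    before, after, digest = demo()
    print("verification at hand-off:", before or "all artifacts intact")
    print("verification after modification:", after)
    print("manifest digest for the ticket:", digest)
```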
### Long-Term Containment (Sustained Response)

- ☐ Implement temporary fixes:
  - Apply emergency patches
  - Implement workarounds for affected systems
  - Deploy additional security controls
  - Enhance monitoring and alerting
- ☐ Rebuild or restore if necessary:
  - Prepare clean replacement systems
  - Restore from verified clean backups
  - Test restored systems before production
  - Migrate users to clean systems
- ☐ Maintain business operations:
  - Implement business continuity procedures
  - Activate backup systems if needed
  - Communicate outage or service impacts
  - Provide workarounds to users
### Containment Decision Tree

```
Is the incident ongoing?
├─ YES → Immediate containment required
│  ├─ Can we isolate without business disruption?
│  │  ├─ YES → Isolate immediately
│  │  └─ NO → Consult Incident Commander and business leadership
│  └─ Is malware spreading?
│     ├─ YES → Isolate infected systems, scan network
│     └─ NO → Monitor and contain at source
│
└─ NO → Incident contained or historical
   └─ Proceed to investigation and eradication
```
## Phase 4: Eradication

Objective: Remove the threat and eliminate the root cause

- Timeline: Hours to days (depending on incident complexity)
- Responsible: IT Security Team, IT Operations

### Step 1: Identify Root Cause

- ☐ Conduct thorough investigation:
  - Analyze logs and evidence collected
  - Determine initial attack vector
  - Identify vulnerabilities exploited
  - Trace attacker activities
  - Determine extent of compromise
- ☐ Answer key questions:
  - How did the attacker gain access?
  - What vulnerabilities were exploited?
  - What was the attacker's objective?
  - What data or systems were accessed?
  - Are there other compromised systems?
  - Is the threat still present?

### Step 2: Remove Threat

- ☐ Eliminate malware:
  - Run full antivirus/EDR scans on affected systems
  - Manually remove malicious files or scripts
  - Check for persistence mechanisms (startup items, scheduled tasks)
  - Remove rootkits or kernel-level malware
  - Verify complete removal with secondary scanning tools
- ☐ Remove unauthorized access:
  - Delete attacker user accounts
  - Remove backdoors or remote access tools
  - Remove web shells or implants
  - Delete unauthorized SSH keys or credentials
  - Remove rogue applications or services
- ☐ Close vulnerability:
  - Patch exploited vulnerability
  - Fix misconfiguration
  - Remove unnecessary services or features
  - Update security rules and policies
  - Harden affected systems

### Step 3: Validate Eradication

- ☐ Verify threat is eliminated:
  - Re-scan systems with multiple tools
  - Review logs for suspicious activity
  - Check for indicators of compromise (IOCs)
  - Monitor for reinfection or re-exploitation
  - Conduct penetration testing if appropriate
- ☐ Document eradication actions:
  - Record all actions taken
  - Document tools and techniques used
  - Capture evidence of successful removal
  - Update incident timeline
## Phase 5: Recovery

Objective: Restore systems to normal operation and verify integrity

- Timeline: Hours to days
- Responsible: IT Operations, IT Security

### Step 1: Restore Systems

- ☐ Rebuild compromised systems:
  - Reinstall operating system from trusted source
  - Apply all security patches and updates
  - Reinstall applications from trusted sources
  - Restore data from clean backups (verify backups are not infected)
  - Reconfigure security settings
  - Harden systems per security baseline
- ☐ Reset credentials:
  - Force password resets for affected accounts
  - Rotate API keys and service account credentials
  - Regenerate SSH keys
  - Update shared secrets (database passwords, etc.)
  - Verify MFA is enabled and working
- ☐ Restore access:
  - Re-enable user accounts (after password reset)
  - Re-provision access based on current needs
  - Remove temporary restrictions
  - Update access control lists

### Step 2: Verify System Integrity

- ☐ Test functionality:
  - Verify all services are operational
  - Test critical business functions
  - Confirm data integrity
  - Validate backups are working
  - Test security controls
- ☐ Security verification:
  - Run vulnerability scans
  - Verify patches are applied
  - Confirm security controls are functional
  - Validate monitoring and alerting
  - Check for any remaining IOCs

### Step 3: Gradual Restoration to Production

- ☐ Phased return to production:
  - Test in isolated environment first
  - Limited user pilot group
  - Monitor closely for issues
  - Gradual increase in load/users
  - Full production restoration
- ☐ Enhanced monitoring:
  - Increase logging and monitoring temporarily
  - Watch for signs of reinfection or new attacks
  - Monitor for lateral movement
  - Alert on suspicious activity
  - Daily log reviews for the first week

### Step 4: Resume Normal Operations

- ☐ Communicate restoration:
  - Notify users that services are restored
  - Provide any necessary instructions
  - Set expectations for continued monitoring
  - Establish feedback channel for issues
- ☐ Return to normal monitoring:
  - Resume standard monitoring after [X days]
  - Remove temporary enhanced controls (if appropriate)
  - Update monitoring based on lessons learned
## Phase 6: Post-Incident Activities

Objective: Learn from the incident and improve security posture

- Timeline: 1 week after incident resolution
- Responsible: Incident Response Team, Management

### Step 1: Post-Incident Review (PIR)

Schedule within 1 week of incident closure for P1/P2 incidents

- ☐ Conduct PIR meeting:
  - Invite: IR team, affected stakeholders, management
  - Review incident timeline
  - Discuss what went well
  - Identify what could be improved
  - Document lessons learned
- ☐ PIR Agenda:
  1. Incident summary and timeline review
  2. Detection and reporting effectiveness
  3. Response and containment effectiveness
  4. Communication effectiveness
  5. Tools and resources adequacy
  6. Root cause analysis
  7. Lessons learned
  8. Recommendations and action items
### Step 2: Complete Documentation

- ☐ Finalize incident report:
  - Executive summary
  - Detailed timeline of events
  - Actions taken at each phase
  - Impact assessment (systems, data, users, financial cost)
  - Root cause analysis
  - Lessons learned
  - Recommendations
- ☐ Update knowledge base:
  - Document new IOCs
  - Update playbooks based on learnings
  - Create detection rules for similar incidents
  - Document new procedures or tools used
- ☐ Secure evidence and documentation:
  - Store evidence per retention policy
  - Archive incident documentation
  - Ensure proper access controls
  - Maintain chain of custody
### Step 3: Implement Improvements

- ☐ Update security controls:
  - Patch vulnerabilities identified
  - Implement new security tools or controls
  - Update firewall rules or security policies
  - Enhance monitoring and detection
  - Improve logging and visibility
- ☐ Update policies and procedures:
  - Revise incident response procedures
  - Update security policies
  - Improve playbooks and runbooks
  - Enhance training materials
  - Update contact lists and escalation procedures
- ☐ Conduct training:
  - Share lessons learned with team
  - Provide additional training on gaps identified
  - Conduct tabletop exercises on similar scenarios
  - Update security awareness content

### Step 4: Track Remediation

- ☐ Create action items:
  - Document all recommendations from PIR
  - Assign owners and deadlines
  - Prioritize by impact and effort
  - Track in project management system
- ☐ Follow up on action items:
  - Regular status updates (weekly/biweekly)
  - Remove blockers
  - Escalate delays
  - Verify completion
  - Update stakeholders on progress

### Step 5: Report to Management

- ☐ Executive summary report:
  - Incident overview (non-technical)
  - Business impact
  - Financial impact (if applicable)
  - Lessons learned
  - Improvements implemented
  - Recommendations
- ☐ Metrics and KPIs:
  - Time to detect
  - Time to contain
  - Time to resolve
  - Systems affected
  - Users impacted
  - Data compromised (if any)
  - Cost of incident
## Incident-Specific Playbooks

### Playbook 1: Ransomware Attack

Scenario: Ransomware detected on one or more systems

#### Immediate Actions (0-15 minutes)

- ☐ DO NOT pay ransom (without executive approval and legal counsel)
- ☐ Isolate infected systems:
  - Disconnect from network immediately
  - Do NOT shut down (may encrypt more files or destroy evidence)
  - Physically disconnect if necessary
- ☐ Identify ransomware variant:
  - Note ransom message and Bitcoin address
  - Take screenshots of ransom note
  - Search for decryption tools (No More Ransom project)

#### Containment (15-60 minutes)

- ☐ Prevent spread:
  - Scan entire network for additional infections
  - Isolate affected network segments
  - Disable file sharing temporarily
  - Increase monitoring on all systems
- ☐ Secure backups:
  - Verify backups are isolated and not encrypted
  - Test backup integrity
  - Do NOT connect backup systems to the network yet

#### Eradication and Recovery (Hours to Days)

- ☐ Remove ransomware:
  - Wipe and rebuild infected systems (do not attempt cleaning)
  - Install from clean gold images
  - Apply all patches before connecting to the network
- ☐ Restore data:
  - Restore from most recent clean backup
  - Verify data integrity
  - Test critical functions
- ☐ Investigate root cause:
  - Phishing email?
  - Exploited vulnerability?
  - Weak passwords / no MFA?
  - Unpatched systems?

#### Prevention for Future

- ☐ Implement preventive measures:
  - Deploy ransomware-specific protection
  - Improve email filtering and anti-phishing
  - Enforce MFA everywhere
  - Harden endpoint security
  - Improve backup procedures (3-2-1 rule, immutable backups)
  - Conduct user awareness training on ransomware
### Playbook 2: Phishing Attack

Scenario: Employee received or clicked on a phishing email

#### Immediate Actions (0-15 minutes)

- ☐ Instruct user to:
  - NOT click any links or open attachments (if not already done)
  - NOT respond to the email
  - NOT forward the email (except to the security team)
  - NOT delete the email (preserve as evidence)
- ☐ If user clicked link or entered credentials:
  - Immediately reset user password
  - Disable user account temporarily
  - Review account for unauthorized activity
  - Check for forwarding rules or inbox rules
- ☐ If user opened attachment:
  - Isolate user's computer from network
  - Run full antivirus scan
  - Check for malware indicators
#### Investigation (15-60 minutes)

- ☐ Analyze phishing email:
  - Review email headers
  - Identify sender (spoofed or compromised account?)
  - Identify malicious links or attachments
  - Determine whether this is targeted (spear phishing) or a mass campaign
- ☐ Identify scope:
  - How many employees received the email?
  - How many clicked / opened?
  - Were any credentials entered?
  - Was malware delivered?
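The header and link review above, as an added example that is not part of the Acme playbook: a small triage helper that parses a message, checks that the From domain agrees with the envelope sender (Return-Path) and Reply-To, reads the SPF/DKIM/DMARC verdicts the receiving gateway stamped into Authentication-Results, and flags links whose visible text names one host while the href goes to another. Both messages are constructed for illustration; every domain in them is a placeholder, and the gateway name mx.acmecorp.com is assumed.

```python
"""Header and link triage for Playbook 2, step "Analyze phishing email".

Added example, not part of the Acme playbook. Both messages below are
constructed for illustration; every domain in them is a placeholder.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed suspicious message: display name and From domain look internal,
# but the envelope sender, Reply-To and link target all point elsewhere.
SUSPICIOUS_EML = """\
Return-Path: <bounce@mail-acmecorp-login.example>
Authentication-Results: mx.acmecorp.com; spf=pass smtp.mailfrom=mail-acmecorp-login.example; dkim=none; dmarc=fail header.from=acmecorp.com
From: "IT Helpdesk" <helpdesk@acmecorp.com>
Reply-To: support@mail-acmecorp-login.example
To: employee@acmecorp.com
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Reset it here:
<a href="http://acmecorp-login.example/reset">https://portal.acmecorp.com/reset</a></p>
"""

# Constructed legitimate message for comparison: aligned domains, all checks pass.
LEGITIMATE_EML = """\
Return-Path: <helpdesk@acmecorp.com>
Authentication-Results: mx.acmecorp.com; spf=pass smtp.mailfrom=acmecorp.com; dkim=pass header.d=acmecorp.com; dmarc=pass header.from=acmecorp.com
From: "IT Helpdesk" <helpdesk@acmecorp.com>
To: employee@acmecorp.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset="utf-8"

<p>Status page: <a href="https://portal.acmecorp.com/status">https://portal.acmecorp.com/status</a></p>
"""

# "spf=pass", "dkim=none", "dmarc=fail" ... as written into Authentication-Results.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# href and visible text of each <a> element in an HTML body.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the gateway's authentication verdicts plus a list of findings
    a responder should confirm before classifying the email."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender alignment: From vs. envelope sender (Return-Path) vs. Reply-To.
    from_dom = domain_of(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and other != from_dom:
            findings.append(f"{name} domain {other} differs from From domain {from_dom}")

    # 2. SPF/DKIM/DMARC results as stamped by the receiving gateway.
    verdicts = dict(AUTH_RESULT_RE.findall(str(msg.get("Authentication-Results", ""))))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")

    # 3. Links whose visible text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, label in ANCHOR_RE.findall(html):
        shown = urlparse(label.strip()).hostname
        target = urlparse(href.strip()).hostname
        if shown and target and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")

    return {"from_domain": from_dom, "auth": verdicts, "findings": findings}


if __name__ == "__main__":
    for label, eml in (("suspicious", SUSPICIOUS_EML), ("legitimate", LEGITIMATE_EML)):
        result = triage(eml)
        print(f"{label}: {len(result['findings'])} finding(s), auth={result['auth']}")
        for finding in result["findings"]:
            print("  -", finding)
```

A zero-finding result only means the visible headers are consistent; the attachment and sender-reputation checks elsewhere in this playbook still apply.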
#### Containment

- ☐ Block threat:
  - Block sender email address and domain
  - Add URLs to blocklist
  - Delete email from all mailboxes (if possible)
  - Add indicators to email security gateway
- ☐ Protect affected users:
  - Force password resets for users who entered credentials
  - Enable MFA if not already enabled
  - Monitor accounts for suspicious activity

#### Communication

- ☐ Alert employees:
  - Send organization-wide phishing alert
  - Provide description and screenshots
  - Remind how to report phishing
  - Reinforce training

#### Post-Incident

- ☐ Improve defenses:
  - Update email filtering rules
  - Enhance anti-phishing training
  - Consider additional email security tools
  - Conduct targeted phishing simulation
### Playbook 3: Data Breach / Unauthorized Access

Scenario: Unauthorized access to sensitive data or confirmed data breach

#### Immediate Actions (0-15 minutes)

- ☐ Activate P1 incident response (Critical Severity)
- ☐ Immediately notify:
  - CISO
  - CTO
  - Legal Counsel
  - CEO (for significant breaches)
- ☐ Preserve evidence:
  - Do NOT delete logs
  - Capture system state
  - Document everything

#### Investigation (15-60 minutes)

- ☐ Determine scope:
  - What data was accessed?
  - Is it PHI, PII, or other sensitive data?
  - How many records were affected?
  - Who was the unauthorized party?
  - How did they gain access?
  - Was data exfiltrated or only accessed?
- ☐ Assess impact:
  - Regulatory notification requirements (HIPAA 60 days, state laws vary)
  - Customer notification requirements
  - Reputational impact
  - Legal/financial impact

#### Containment

- ☐ Stop unauthorized access:
  - Disable compromised accounts
  - Close the vulnerability exploited
  - Block attacker IP addresses
  - Reset credentials
  - Implement additional access controls
- ☐ Prevent further access:
  - Review all access to affected systems
  - Remove unnecessary access
  - Enhance monitoring

#### Legal and Regulatory

- ☐ Engage legal counsel immediately
- ☐ Determine notification requirements:
  - HIPAA Breach Notification Rule (if PHI): 60 days
  - State breach notification laws (vary by state)
  - Customer contractual obligations
  - Regulatory bodies
- ☐ Prepare notifications:
  - Draft breach notification letters
  - Prepare FAQ and talking points
  - Coordinate with Legal and Communications team
- ☐ File required reports:
  - HHS breach notification (if HIPAA)
  - State Attorney General (if required)
  - Credit monitoring services (if PII)
  - Affected individuals

#### Post-Incident

- ☐ Conduct forensic investigation:
  - Engage external forensics firm if needed
  - Determine full extent of breach
  - Understand attacker's methods
  - Identify all compromised data
- ☐ Implement stronger controls:
  - Address root cause
  - Enhance data protection
  - Improve access controls
  - Increase monitoring
### Playbook 4: Lost or Stolen Device

Scenario: Company laptop, phone, or other device lost or stolen

#### Immediate Actions (0-15 minutes)

- ☐ Gather information:
  - Device type and serial number
  - Last known location
  - Data stored on device
  - Encryption status
  - Last backup date
- ☐ If device is lost (not stolen):
  - Attempt to locate device (Find My Device, MDM locate feature)
  - Attempt to contact employee if device can be recovered
- ☐ If device is stolen or cannot be located:
  - Proceed to remote wipe procedures

#### Containment (15-30 minutes)

- ☐ Remote wipe device:
  - Use MDM to remotely wipe device
  - If MDM is not available, use Find My Device or similar
  - Document wipe attempt and outcome
  - Confirm successful wipe if possible
- ☐ Disable access:
  - Disable user account temporarily
  - Revoke device certificates
  - Remove device from allowed device list
  - Disable VPN access from that device
- ☐ Reset credentials:
  - Force user password reset
  - Notify user to change passwords on personal accounts if stored on device

#### Investigation

- ☐ Assess data risk:
  - Was device encrypted? (Y/N)
  - What data was on the device?
  - Were credentials saved?
  - Was device protected with password/PIN?
- ☐ Determine if breach occurred:
  - If encrypted and wiped quickly: Low risk
  - If not encrypted: Assume breach
  - If sensitive data was on device and not encrypted: Follow data breach procedures

#### Notification

- ☐ If PHI or PII was on an unencrypted device:
  - Notify Legal immediately
  - Assess breach notification requirements
  - Prepare for regulatory reporting
- ☐ Report to law enforcement (if theft):
  - File police report
  - Provide serial number and device details
  - Obtain police report number

#### Recovery

- ☐ Provision replacement device:
  - Order new device if needed
  - Restore data from backup
  - Reconfigure security settings
  - Re-enroll in MDM

#### Prevention

- ☐ Implement preventive measures:
  - Enforce device encryption
  - Improve MDM coverage
  - Enhance user training on device security
  - Review data storage practices (minimize local data)
### Playbook 5: Insider Threat

Scenario: Suspected malicious or negligent insider activity

#### Immediate Actions

⚠️ CRITICAL: Maintain confidentiality during investigation

- ☐ Engage HR and Legal immediately
- ☐ DO NOT alert the subject (may destroy evidence or escalate behavior)

#### Investigation (Covert)

- ☐ Gather evidence discreetly:
  - Review access logs
  - Monitor user activity (if legally permissible)
  - Interview witnesses (confidentially)
  - Review email and file access
  - Check for data exfiltration (large downloads, USB use, cloud uploads)
- ☐ Assess risk:
  - Is subject currently employed?
  - Do they have elevated access?
  - What data could they access?
  - Is there ongoing damage?

#### Containment

- ☐ If threat is confirmed:
  - Coordinate with HR and Legal on timing
  - Prepare to disable access immediately
  - Preserve evidence before access removal
  - Plan for termination conversation (if terminating)
- ☐ On day of action:
  - Disable all access simultaneously (accounts, badges, VPN)
  - Retrieve all company property
  - Escort off premises (if applicable)
  - Preserve computer and files as evidence

#### Legal Considerations

- ☐ Work closely with Legal on:
  - Evidence collection procedures
  - Employee rights and privacy laws
  - Termination procedures
  - Potential law enforcement involvement
  - Civil or criminal action

#### Recovery

- ☐ Assess damage:
  - What data was accessed or exfiltrated?
  - Were systems sabotaged?
  - Were credentials shared?
- ☐ Remediate:
  - Reset shared passwords
  - Review and remove unauthorized access
  - Restore sabotaged systems
  - Review for backdoors or logic bombs

#### Prevention

- ☐ Enhance insider threat detection:
  - Implement User and Entity Behavior Analytics (UEBA)
  - Improve access reviews
  - Enhance data loss prevention (DLP)
  - Conduct regular security culture assessments
## Communication Templates

### Template 1: Initial Incident Notification (Internal)

Subject: Security Incident Notification - [Incident #] - [Severity]

To: [Incident Response Team / Management]

Date/Time: [Timestamp]

SECURITY INCIDENT NOTIFICATION

An incident has been detected and is currently under investigation.

Incident Details:
- Incident ID: [Ticket #]
- Severity: [P1 / P2 / P3 / P4]
- Status: [Detected / Contained / Under Investigation]
- Detected: [Date/Time]
- Reported By: John Smith

Brief Description: [1-2 sentence description of what happened]

Affected Systems/Data: [List affected systems, applications, or data]

Estimated Impact: [Users affected, business impact, data impact]

Current Actions: [What is being done right now]

Next Steps: [Planned actions in next 1-4 hours]

Next Update: [When stakeholders can expect next update]

Incident Commander: John Smith - [Contact]

Questions or concerns, contact: John Smith - (555) 123-4567 - hr@acmecorp.com
### Template 2: Incident Status Update

Subject: Incident Update - [Incident #] - [Date/Time]

To: [Stakeholders]

Date/Time: [Timestamp]

INCIDENT STATUS UPDATE #40

- Incident ID: [Ticket #]
- Severity: [P1 / P2 / P3 / P4]
- Status: [Contained / Eradication / Recovery / Resolved]

Summary of Actions Since Last Update:
- [Action 1]
- [Action 2]
- [Action 3]

Current Status: [Current state of incident and response]

Next Steps:
- [Planned action 1]
- [Planned action 2]

Business Impact: [Current impact to operations, users, customers]

Estimated Time to Resolution: [Best estimate or "under investigation"]

Next Update: [Scheduled time for next update]

Contact: [Incident Commander] - (555) 123-4567 - hr@acmecorp.com
### Template 3: Incident Closure Notification

Subject: Incident Resolved - [Incident #]

To: [Stakeholders]

Date/Time: [Timestamp]

INCIDENT RESOLVED

The security incident reported on January 1, 2025 has been resolved.

- Incident ID: [Ticket #]
- Severity: [P1 / P2 / P3 / P4]
- Status: RESOLVED

Incident Summary: [Brief description of what happened]

Impact:
- Systems Affected: [List]
- Data Affected: [Description or "None"]
- Users Impacted: [Number or description]
- Downtime: [Duration]

Root Cause: [What caused the incident]

Resolution: [How it was resolved]

Preventive Measures Implemented:
- [Measure 1]
- [Measure 2]

Post-Incident Review: A post-incident review will be conducted on January 1, 2025. Lessons learned and recommendations will be shared.

Questions: [Contact Name] - hr@acmecorp.com

Thank you to everyone involved in the response.
Template 4: User Communication (Service Impact)¶
Subject: Service Impact Notification - [System/Service Name]
To: [All Users / Affected Users]
Dear Team,
We are currently experiencing an issue with [system/service name] that may impact your ability to [describe impact].
What Happened: [Brief, non-technical description]
Who Is Affected: [All users / Specific groups]
Impact: [What users will experience - e.g., slowness, outage, limited access]
What We're Doing: Our IT team is actively working to resolve this issue. We have identified the cause and are implementing a fix.
What You Should Do:
- [Specific instructions - e.g., Save your work, Use alternative system, Wait for resolution]
- [Any workarounds available]
Estimated Resolution: We expect to have this resolved by [time/date] or will provide an update by 9:00 AM.
Questions: Contact IT Help Desk at (555) 123-4567 or hr@acmecorp.com
We apologize for the inconvenience and appreciate your patience.
Thank you,
John Smith
Director
Template 5: External Breach Notification (if required)¶
⚠️ Legal Review Required Before Sending
Subject: Important Security Notice
Dear [Customer/Individual Name],
We are writing to inform you of a security incident that may have affected your personal information.
What Happened: [Clear, non-technical description of the breach]
What Information Was Involved: [Specific types of data - e.g., names, addresses, SSN, etc.]
What We're Doing: [Steps taken to investigate and prevent recurrence]
What You Can Do: We recommend you take the following steps to protect yourself:
- [Specific recommendations - monitor accounts, change passwords, etc.]
- [Credit monitoring services if offering]
For More Information:
- Call our dedicated hotline: (555) 123-4567
- Visit: [website URL]
- Email: [email address]
We take the security of your information very seriously and sincerely apologize for this incident.
Sincerely,
John Smith
Director
[Company]
Contact Lists¶
Internal Contacts¶
Executive Leadership¶
| Name | Title | Mobile | Email | Availability |
|---|---|---|---|---|
| John Smith | CEO | (555) 123-4567 | hr@acmecorp.com | 24/7 for P1 |
| John Smith | CTO | (555) 123-4567 | hr@acmecorp.com | 24/7 for P1/P2 |
| John Smith | CISO | (555) 123-4567 | hr@acmecorp.com | 24/7 for P1/P2 |
| John Smith | CFO | (555) 123-4567 | hr@acmecorp.com | Business hours + P1 |
| John Smith | General Counsel | (555) 123-4567 | hr@acmecorp.com | 24/7 for P1 |
IT Security Team¶
| Name | Role | Mobile | Email | On-Call Days |
|---|---|---|---|---|
| John Smith | IT Security Manager | (555) 123-4567 | hr@acmecorp.com | Mon-Fri |
| John Smith | Security Analyst 1 | (555) 123-4567 | hr@acmecorp.com | Mon-Wed |
| John Smith | Security Analyst 2 | (555) 123-4567 | hr@acmecorp.com | Thu-Sun |
| John Smith | Security Engineer | (555) 123-4567 | hr@acmecorp.com | As needed |
IT Operations Team¶
| Name | Role | Mobile | Email | On-Call Rotation |
|---|---|---|---|---|
| John Smith | IT Operations Manager | (555) 123-4567 | hr@acmecorp.com | Backup |
| John Smith | Systems Administrator | (555) 123-4567 | hr@acmecorp.com | Week 1, 3 |
| John Smith | Network Administrator | (555) 123-4567 | hr@acmecorp.com | Week 2, 4 |
Other Key Contacts¶
| Name | Role | Mobile | Email |
|---|---|---|---|
| John Smith | HR Director | (555) 123-4567 | hr@acmecorp.com |
| John Smith | Communications Director | (555) 123-4567 | hr@acmecorp.com |
| John Smith | Facilities Manager | (555) 123-4567 | hr@acmecorp.com |
External Contacts¶
Legal and Compliance¶
| Organization | Contact | Phone | Email | When to Contact |
|---|---|---|---|---|
| [Law Firm] | [Attorney Name] | (555) 123-4567 | hr@acmecorp.com | P1 incidents, data breaches, legal issues |
| [Compliance Consultant] | John Smith | (555) 123-4567 | hr@acmecorp.com | HIPAA breaches, regulatory questions |
Insurance and Response Services¶
| Provider | Service | Policy # | Phone | Email |
|---|---|---|---|---|
| [Insurance Co] | Cyber Insurance | POL-2025-001 | (555) 123-4567 | hr@acmecorp.com |
| [Firm Name] | Incident Response / Forensics | N/A | (555) 123-4567 | hr@acmecorp.com |
| [Firm Name] | Public Relations Crisis Mgmt | N/A | (555) 123-4567 | hr@acmecorp.com |
Law Enforcement (Use Sparingly - Consult Legal First)¶
| Agency | Contact | Phone | When to Contact |
|---|---|---|---|
| FBI Cyber Division | [Local Office] | (555) 123-4567 | Significant cyber crimes, nation-state actors |
| Secret Service (if financial crimes) | [Local Office] | (555) 123-4567 | Financial fraud, data breaches with financial data |
| Local Police | [Department] | [Non-Emergency] | Physical theft, on-premises incidents |
Vendors and Service Providers¶
| Vendor | Service | Support Contact | Phone | Email | Portal/URL |
|---|---|---|---|---|---|
| AWS | Infrastructure | Enterprise | (555) 123-4567 | hr@acmecorp.com | https://support.acmecorp.com |
| Microsoft 365 | Email Security | Account Manager | (555) 123-4567 | hr@acmecorp.com | https://support.acmecorp.com |
| CrowdStrike | Endpoint Security | 24/7 Support | (555) 123-4567 | hr@acmecorp.com | https://support.acmecorp.com |
Appendix: Incident Response Quick Reference Card¶
🚨 SECURITY INCIDENT RESPONSE QUICK REFERENCE 🚨
If You Discover a Security Incident:¶
- STOP - Don't panic, don't shut down systems
- REPORT - Immediately contact:
- Email: security@acmecorp.com
- Phone: (555) 123-4567
- Slack: #security-incidents
- PRESERVE - Take screenshots, note times
- WAIT - Wait for IR team instructions
Critical Contacts:¶
- Incident Commander: John Smith - (555) 123-4567
- CISO: John Smith - (555) 123-4567
- After Hours: [ON-CALL PHONE]
Severity Levels:¶
- P1 (Critical): Data breach, ransomware, PHI exposure → Report in 15 min
- P2 (High): Major vulnerability, service degradation → Report in 1 hour
- P3 (Medium): Minor incident, isolated issue → Report in 4 hours
- P4 (Low): Suspected event → Report in 1 business day
What to Report:¶
- Who: Your name and contact
- What: Description of incident
- When: Date and time
- Where: Affected systems
- How: How discovered
- Impact: What's affected
DO NOT:¶
- ❌ Shut down systems
- ❌ Delete files or emails
- ❌ Discuss publicly
- ❌ Try to "fix" it yourself
Keep this card handy!
Document Information
Document: Incident Response Playbook Version: 1.0 Effective Date: November 11, 2025 Classification: Internal - Confidential Distribution: Incident Response Team, IT Security, IT Operations, Management Owner: CISO / IT Security Team
This Incident Response Playbook was generated from Acme Corp's Policy Framework demonstrating "Compliance as Code" - instantly generating tactical response procedures worth $5K-10K from well-structured policy documentation.