Cyber Incident Response Plan (IRP)

1. Purpose. The purpose of this cyber incident response plan (“IRP”) is to provide a structured and systematic incident response process for all information security incidents (as defined in Section 4, Definitions) that affect any of Digital Dames’ information technology (“IT”) systems, network, or data, including Digital Dames’ data held or IT services provided by third-party vendors or other service providers.

1.1 Specifically, Digital Dames intends for this IRP to:

(a) Define Digital Dames’ cyber incident response process and provide step-by-step guidelines for establishing a timely, consistent, and repeatable incident response process.

(b) Assist Digital Dames and any applicable third parties in quickly and efficiently responding to and recovering from different levels of information security incidents.

(c) Mitigate or minimize the effects of any information security incident on Digital Dames, clients, employees, or others.

(d) Help Digital Dames consistently document the actions it takes in response to information security incidents.

(e) Reduce overall risk exposure for Digital Dames.

(f) Engage stakeholders and drive appropriate participation in resolving information security incidents while fostering continuous improvement in Digital Dames’ information security program and incident response process.

1.2 Digital Dames developed and maintains this IRP as may be required by applicable laws and regulations[, including [APPLICABLE LAWS AND REGULATIONS]].

2. Scope. This IRP applies to all Digital Dames business groups, divisions, and subsidiaries; their employees, contractors, officers, and directors; and Digital Dames’ IT systems, network, data, and any computer systems or networks connected to Digital Dames’ network.

2.1 Other Plans and Policies. Digital Dames may, from time to time, approve and make available more detailed or location or work group-specific plans, policies, procedures, standards, or processes to address specific information security issues or incident response procedures. Those additional plans, policies, procedures, standards, and processes are extensions to this IRP. You may find approved information security policies and other resources here.

3. Accountability. Digital Dames has designated CTO/Jaclyn Hawtin to implement and maintain this IRP (the “information security coordinator”).

3.1 Information Security Coordinator Duties. Among other information security duties, as defined in Digital Dames’ written information security program (“WISP”) available here, the information security coordinator shall be responsible for:

(a) Implementing this IRP.

(b) Identifying the incident response team (“IRT”) and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents (see Section 5, Incident Response Team).

(c) Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents (see Section 6, Incident Response Procedures).

(d) Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures (see Section 6.7, Post-Incident Review).

(e) Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of this IRP (see Section 7, Plan Training and Testing).

(f) Reviewing this IRP at least annually, or whenever there is a material change in Digital Dames’ business practices that may reasonably affect its cyber incident response procedures (see Section 8, Plan Review).

3.2 Enforcement. Violations of or actions contrary to this IRP may result in disciplinary action, in accordance with Digital Dames’ information security policies and procedures and human resources policies. Please see [HR POLICIES REFERENCE] for details regarding Digital Dames’ disciplinary process.

4. Definitions. The terms defined below apply throughout this IRP:

4.1 “Confidential Information.” Confidential information means information as defined in Digital Dames’ WISP/information security policy available at WISP that may cause harm to Digital Dames or its clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available.

4.2 “Personal Information.” Personal information means individually identifiable information [as defined in Digital Dame’s [WISP/information security policy] available at [WISP OR POLICY REFERENCE]/that [ORGANIZATION] owns, licenses, or maintains and that is from or about an individual including, but not limited to (a) first and last name; (b) home or other physical address, including street name and name of city or town; (c) email address or other online information, such as a user name and password; (d) telephone number; (e) government-issued identification or other number; (f) financial or payment card account number; (g) date of birth; (h) health information, including information [regarding the individual’s medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional/created or received by [ORGANIZATION]]; and (i) any information that is combined with any of (a) through (h) above].

4.3 “Information Security Incident.” Information security incident means an actual or reasonably suspected (a) loss or theft of confidential or personal information; (b) unauthorized use, disclosure, acquisition of or access to, or other unauthorized processing of confidential or personal information that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information; or (c) unauthorized access to or use of, inability to access, loss or theft of, or malicious infection of [ORGANIZATION]’s IT systems or third party systems that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information or [ORGANIZATION]’s operating environment or services.

4.4 [[ADDITIONAL TERM(S)]. [DEFINITION.]]

5. Incident Response Team. The incident response team (“IRT”) is a predetermined group of [ORGANIZATION] employees and resources responsible for responding to information security incidents.

5.1 Role. The IRT provides timely, organized, informed, and effective response to information security incidents to (a) avoid loss of or damage to [ORGANIZATION]’s IT systems, network, and data; (b) minimize economic, reputational, or other harms to [ORGANIZATION] and its [customers/clients], employees, and partners; and (c) manage litigation, enforcement, and other risks.

5.2 Authority. Through this IRP, [ORGANIZATION] authorizes the IRT to take reasonable and appropriate steps necessary to mitigate and resolve information security incidents, in accordance with the escalation and notification procedures defined in this IRP.

5.3 Responsibilities. The IRT is responsible for:

(a) Addressing information security incidents in a timely manner, according to this IRP.

(b) Managing internal and external communications regarding information security incidents.

(c) Reporting its findings to management and to applicable authorities, as appropriate.

(d) Reprioritizing other work responsibilities to permit a timely response to information security incidents on notification.

5.4 IRT Roster. The IRT consists of a core team, led by the information security coordinator, with representatives from key [ORGANIZATION] groups and stakeholders. The current IRT roster [is available at [IRT ROSTER LOCATION]/includes the following individuals:

[FUNCTION], [NAME], [CONTACT INFORMATION], [ALTERNATE/DESIGNATE CONTACT INFORMATION]]

(a) Sub-Teams and Additional Resources. The information security coordinator assigns and coordinates the IRT for any specific information security incident according to incident characteristics and [ORGANIZATION] needs. The information security coordinator may:

(i) Identify and maintain IRT sub-teams to address specific information security incidents, or categories of information security incidents.

[SUB-TEAMS LISTING]

(ii) Call on external individuals, including vendor, service provider, or other resources, to participate on specific-event IRTs, as necessary.

[EXTERNAL RESOURCES LISTING]

6. Incident Response Procedures. [ORGANIZATION] shall develop, maintain, and follow incident response procedures as defined in this Section 6 to respond to and document identified information security incidents.

[ORGANIZATION] recognizes that following initial escalation, the information security incident response process is often iterative, and the steps defined in Sections 6.3, Investigation and Analysis; 6.4, Containment, Remediation, and Recovery; 6.5, Evidence Preservation; and 6.6, Communications and Notification may overlap or the IRT may revisit prior steps to respond appropriately to a specific information security incident.

[[ORGANIZATION] may, from time to time, approve and make available more specific procedures for certain types of information security incidents. Those additional procedures and checklists are extensions to this IRP. [You may find approved information security policies and other resources at [RESOURCE LISTING].]]

6.1 Detection and Discovery. [ORGANIZATION] shall develop, implement, and maintain procedures to detect, discover, and assess potential information security incidents through automated means and individual reports.

(a) Automated Detection. [ORGANIZATION] shall develop, implement, and maintain automated detection means and other technical safeguards [as described in [ORGANIZATION]’s [[WISP]/information security policy] available at [WISP OR POLICY REFERENCE]/including [AUTOMATED DETECTION MEANS DESCRIPTION]].

(b) Reports from Employees or Other Internal Sources. Employees, or others authorized to access [ORGANIZATION]’s IT systems, network, or data, shall immediately report any actual or suspected information security incident to [INTERNAL INCIDENT REPORTING CONTACT]. Individuals should report any information security incident they discover or suspect immediately and must not engage in their own investigation or other activities unless authorized.

(c) Reports from External Sources. External sources who claim to have information regarding an actual or alleged information security incident should be directed to [EXTERNAL INCIDENT REPORTING CONTACT]. Employees who receive emails or other communications from external sources regarding information security incidents that may affect [ORGANIZATION] or others, security vulnerabilities, or related issues shall immediately report those communications to [INTERNAL INCIDENT REPORTING CONTACT] and shall not interact with the source unless authorized.

(d) Assessing Potential Incidents. [ORGANIZATION] shall assign resources and adopt procedures to timely assess automated detection results, screen internal and external reports, and identify actual information security events. [ORGANIZATION] shall document each identified information security incident, with initial details, using [INCIDENT DOCUMENTATION TOOL OR PROCESS].

6.2 Escalation. Following identification of an information security incident, the information security coordinator, or a designate, shall perform an initial risk-based assessment and determine the level of response required based on the incident’s characteristics, including affected systems and data, and potential risks and impact to [ORGANIZATION] and its [customers/clients], employees, or others.

Based on the initial assessment, the information security coordinator, or a designate, shall:

(a) IRT Activation. Notify and activate the IRT, or a sub-team, including any necessary external resources (see Section 5.4, IRT Roster).

[ACTIVATION CRITERIA AND ACTION DETAILS]

(b) IRT Expectations. Set expectations for IRT member reply and engagement.

[REPLY AND ENGAGEMENT EXPECTATION DETAILS]

(c) Initial Notifications. Notify (if necessary) organizational leadership and any applicable business partners or service providers[, [ORGANIZATION]’s cyber insurance carrier,][ and law enforcement or other authorities] (see Section 6.6, Communications and Notifications).

6.3 Investigation and Analysis. On activation, the IRT shall collaborate to investigate each identified information security incident, analyze its effects, and formulate an appropriate response plan to contain, remediate, and recover from the incident.

The IRT shall document its investigation and analysis for each identified information security incident using [INCIDENT DOCUMENTATION TOOL OR PROCESS].

[INVESTIGATION AND ANALYSIS PROCESS DETAILS]

6.4 Containment, Remediation, and Recovery. Next, the IRT shall direct execution of the response plan it formulates according to its incident investigation and analysis to contain, remediate, and recover from each identified information security incident, using appropriate internal and external resources (see Section 6.3, Investigation and Analysis).

The IRT shall document its response plans and the activities completed for each identified information security incident using [INCIDENT DOCUMENTATION TOOL OR PROCESS].

[CONTAINMENT, REMEDIATION, AND RECOVERY PROCESS DETAILS]

6.5 Evidence Preservation. The IRT shall direct appropriate internal or external resources to capture and preserve evidence related to each identified information security incident during investigation, analysis, and response activities (see Sections 6.3, Investigation and Analysis; and 6.4, Containment, Remediation, and Recovery). The IRT shall seek counsel’s advice[, as needed,] to establish appropriate evidence handling and preservation procedures and reasonably identify and protect evidence for specific information security incidents.

[EVIDENCE PRESERVATION PROCESS AND TOOLS DETAILS]

6.6 Communications and Notifications. For each identified information security incident, the IRT shall determine and direct appropriate internal and external communications and any required notifications. Only the IRT may authorize information security incident-related communications or notifications. The IRT shall seek counsel’s advice[, as needed,] to review communications and notifications targets, content, and protocols.

(a) Internal Communications. [Working with [INTERNAL COMMUNICATIONS GROUP], the/The] IRT shall prepare and distribute any internal communications it deems appropriate to the characteristics and circumstances of each identified information security incident.

(i) Organizational Leadership. The IRT shall alert organizational leadership to the incident and explain its potential impact on [ORGANIZATION], its [customers/clients], employees, and others as details become available.

(ii) General Awareness and Resources. As appropriate, the IRT shall explain the incident to [ORGANIZATION]’s employees and other stakeholders and provide them with resources to appropriately direct questions from [customers/clients], media, or others.

(b) External Communications. [Working with [PUBLIC RELATIONS GROUP], the/The] IRT shall prepare and distribute any external communications it deems appropriate to the characteristics and circumstances of each identified information security incident.

(i) Public Statements. If [ORGANIZATION] determines that external statements are necessary, the IRT shall provide consistent, reliable information to the media and public regarding the incident using [ORGANIZATION]’s website, press releases, or other means.

[PLANNED RECIPIENTS CONTACT INFORMATION]

[LOCATION FOR PREPARED FORMS, TEMPLATES, OR OTHER EXTERNAL COMMUNICATION EXAMPLES]

(ii) Law Enforcement. The IRT shall report criminal activity or threats to applicable authorities, as [ORGANIZATION] deems appropriate.

[LAW ENFORCEMENT CONTACT LIST]

(c) Notifications. While the IRT may choose to authorize discretionary communications, certain laws, regulations, and contractual commitments may require [ORGANIZATION] to notify various parties of some information security incidents. If applicable to a specific information security incident, as required, the IRT shall:

(i) Authorities. Notify applicable regulators, law enforcement, or other authorities.

[APPLICABLE AUTHORITIES AND NOTIFICATION PROCESS DETAILS]

(ii) Affected Individuals. If an applicable breach of personal information occurs, prepare and distribute notifications to affected individuals.

[PROCESS DETAILS TO IDENTIFY AFFECTED INDIVIDUALS AND PREPARE AND DISTRIBUTE NOTIFICATIONS]

[LOCATION FOR NOTIFICATION LETTER TEMPLATES]

(iii) [Cyber Insurance Carrier. Notify [ORGANIZATION]’s cyber insurance carrier according to the terms and conditions of its current policy, including filing a claim, if appropriate.

[CYBER INSURANCE CONTACT INFORMATION AND PROCESS DETAILS]]

(iv) [Others. Notify [customers/clients] or business partners according to current agreements.

[CONTACT INFORMATION AND PROCESS DETAILS REGARDING OTHER REQUIRED NOTIFICATIONS]]

6.7 Post-Incident Review. [At a time reasonably following/Within [DAYS] of] each identified information security incident, the information security coordinator, or a designate, shall reconvene the IRT, others who participated in response to the incident, and affected work group representatives, as appropriate, as a post-incident review team to assess the incident and [ORGANIZATION]’s response.

(a) Review Considerations. The post-incident review team shall consider [ORGANIZATION]’s effectiveness in detecting and responding to the incident and identify any gaps or opportunities for improvement. The post-incident review team shall also seek to identify one or more root causes for the incident and, according to risk, shall recommend appropriate actions to minimize the risks of recurrence.

(b) Report. The post-incident review team shall document its findings using [INCIDENT DOCUMENTATION TOOL OR PROCESS].

(c) Follow-Up Actions. The information security coordinator shall monitor and coordinate completion of any follow-up actions identified by the post-incident review team, including communicating its recommendations to and seeking necessary authorization or support from [ORGANIZATION] leadership.

7. Plan Training and Testing.

7.1 Training. The information security coordinator shall develop, maintain, and deliver training regarding this IRP that periodically[, but at least annually]:

(a) Informs all employees, and others who have access to [ORGANIZATION]’s IT systems, network, or data, about the IRP and how to recognize and report potential information security incidents.

(b) Educates IRT members on their duties and expectations for responding to information security incidents.

[The information security coordinator may choose to include training on this IRP in other information security training activities as defined in [ORGANIZATION]’s [WISP/information security policy] available at [WISP OR POLICY REFERENCE].] [Training materials and resources are available at [TRAINING REFERENCE].]

7.2 Testing. The information security coordinator shall coordinate exercises to test this IRP periodically[, but at least annually]. The information security coordinator shall document test results, lessons learned, and feedback and address them in plan reviews (see Section 8, Plan Review).

[IRP TESTING DETAILS]

8. Plan Review. [ORGANIZATION] will review this IRP at least annually, or whenever there is a material change in [ORGANIZATION]’s business practices that may reasonably affect its cyber incident response procedures. Plan reviews will also include feedback collected from post-incident reviews and training and testing exercises. The information security coordinator must approve any changes to this IRP and is responsible for communicating changes to affected parties.

[Send any suggested changes or other feedback on this IRP to [INFORMATION SECURITY COORDINATOR CONTACT INFORMATION].]

9. Effective Date. This IRP is effective as of [EFFECTIVE DATE].

9.1 Revision History.

(a) Original publication: [ORIGINAL PUBLICATION DATE].

(b) [NOTE SUBSEQUENT REVISIONS.]