Incident Response Plan Template
Customizable template for small businesses — LevoySec
Instructions: Replace all bracketed [placeholder] text with your organization's specific information. Review and update this plan at least annually and after any significant incident.
1. Purpose & Scope
This Incident Response Plan (IRP) establishes procedures for [Your Company Name] to detect, respond to, contain, and recover from cybersecurity incidents. It applies to all employees, contractors, and systems.
2. Incident Response Team
| Role | Name | Phone | Email |
| Incident Commander | [Name] | [Phone] | [Email] |
| Technical Lead | [Name / MSSP Contact] | [Phone] | [Email] |
| Communications Lead | [Name] | [Phone] | [Email] |
| Legal Counsel | [Name / Firm] | [Phone] | [Email] |
| Insurance Broker | [Name / Firm] | [Phone] | [Email / Policy #] |
3. Incident Classification
| Severity | Description | Response Time (from report) | Examples |
| Critical | Active data breach or system compromise | Immediate (within 1 hour) | Ransomware, confirmed data exfiltration, compromised admin account |
| High | Likely breach or significant threat | Within 4 hours | Successful phishing with credential theft, malware detection, confirmed unauthorized access |
| Medium | Potential threat requiring investigation | Within 24 hours | Suspicious email with attachment opened, unusual login activity, policy violation |
| Low | Minor security event | Within 72 hours | Failed login attempts, phishing email reported (not clicked), minor policy deviation |
4. Response Procedures
Phase 1: Detection & Reporting
- Any employee who suspects a security incident must report it immediately to [Incident Commander name/contact]
- Do NOT attempt to investigate or remediate on your own
- Do NOT turn off or restart affected systems unless directed; powering off destroys memory and running-process evidence that forensic analysis needs
- Document what you observed: time, affected system, what happened
- Incident Commander classifies severity and activates appropriate response
Phase 2: Containment
- Isolate affected systems from the network (disconnect Ethernet, disable Wi-Fi) but leave them powered on
- Disable compromised accounts
- Block known malicious IPs or domains at the firewall
- Preserve evidence — do not delete logs, emails, or files
- Contact MSSP/Technical Lead for forensic support
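The two containment steps that are most often done by hand under pressure, blocking indicators at the firewall and preserving logs, are the ones where a typo or a hasty copy does the most damage. The script below is an added example for the Technical Lead, not part of the LevoySec template. It assumes a Linux host with iptables, an indicator file with one IPv4 address, CIDR range or domain per line (`#` comments allowed), and an evidence root given by `$EVIDENCE_ROOT` (default `/var/tmp/ir`); the case id, file names and the hosts-file style sinkhole line are hypothetical. It prints rules for review rather than applying them, rejects malformed or overly broad indicators (a stray `0.0.0.0/0` would otherwise take the business offline), and writes a SHA-256 manifest alongside the copied evidence so the copies can later be shown to be unaltered.

```shell
#!/bin/sh
# Added example for Phase 2 containment; not LevoySec's code.
# Assumptions: Linux + iptables, IOC file of one IP/CIDR or domain per line,
# evidence root in $EVIDENCE_ROOT (default /var/tmp/ir). Case ids, file
# names and the sinkhole line format are hypothetical.

# SHA-256 helper: coreutils sha256sum on Linux, shasum on macOS.
hasher() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Accept a.b.c.d or a.b.c.d/nn with octets <= 255 and a prefix of /8../32.
# Anything broader than a /8, or anything in 0.0.0.0/8, is treated as a
# typo rather than an indicator so it cannot become an outage.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    printf '%s\n' "$1" | awk -F'[./]' '{
        if ($1 + 0 == 0) exit 1
        for (i = 1; i <= 4; i++) if ($i + 0 > 255) exit 1
        if (NF == 5 && ($5 + 0 < 8 || $5 + 0 > 32)) exit 1
        exit 0 }'
}

# Simple hostname check: labels of letters, digits and hyphens, TLD of letters.
valid_domain() {
    printf '%s\n' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# "Block known malicious IPs or domains at the firewall": turn an IOC list
# into reviewable block rules on stdout. Bad entries go to stderr and make
# the function return 1, so a wrapper that applies the rules can stop first.
ioc_to_rules() {
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        ioc=${line%%#*}                              # drop trailing comments
        ioc=$(printf '%s' "$ioc" | tr -d '[:space:]')
        [ -n "$ioc" ] || continue
        if valid_ipv4 "$ioc"; then
            printf 'iptables -I INPUT  -s %s -j DROP\n' "$ioc"
            printf 'iptables -I OUTPUT -d %s -j DROP\n' "$ioc"
        elif valid_domain "$ioc"; then
            printf '0.0.0.0 %s\n' "$ioc"             # entry for an internal DNS sinkhole (assumed)
        else
            echo "REJECTED indicator: $ioc" >&2
            rejected=$((rejected + 1))
        fi
    done < "$1"
    [ "$rejected" -eq 0 ]
}

# "Preserve evidence": copy the named logs/files into a timestamped case
# directory, keeping ownership and mtimes (cp -a), and write a SHA-256
# manifest of every copied file. Prints the directory it created.
preserve_evidence() {
    case_id=$1; shift
    dest="${EVIDENCE_ROOT:-/var/tmp/ir}/$case_id-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dest"
    for src in "$@"; do
        if [ -e "$src" ]; then
            cp -a "$src" "$dest/"
        else
            echo "missing (record this in the timeline): $src" >&2
        fi
    done
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 |
        while IFS= read -r f; do hasher "$f"; done ) > "$dest/MANIFEST.sha256"
    printf '%s\n' "$dest"
}

# Usage (assumed paths):
#   . ./contain.sh
#   ioc_to_rules iocs.txt > rules.sh && sh rules.sh     # review rules.sh first
#   preserve_evidence CASE-2024-001 /var/log/auth.log /var/log/syslog
```

Apply the generated rules only after someone has read them; the `&&` in the usage line already refuses to run them if any indicator was rejected. Keep the manifest with the case file, and verify copies later with `sha256sum -c MANIFEST.sha256` from inside the case directory.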
Phase 3: Eradication & Recovery
- Identify root cause and attack vector
- Remove malware and close the vulnerabilities that were exploited; for ransomware or a compromised admin account, rebuild the system rather than attempt to clean it
- Reset credentials only after the attacker's access path is closed, so the new passwords are not captured as well
- Restore systems from known-good backups taken before the compromise, after checking the backups themselves are intact and not encrypted or infected
- Verify systems are clean before reconnecting to network
- Monitor restored systems closely for at least 72 hours
Phase 4: Notification
- Notify cyber insurance carrier within [timeframe per policy, typically 24–72 hours]
- Consult legal counsel on regulatory notification requirements
- If personal data was compromised, follow applicable breach notification laws
- Prepare internal and external communications per Communications Lead
Phase 5: Post-Incident Review
- Conduct a post-incident review within 5 business days
- Document: timeline, root cause, what worked, what didn't
- Update this IRP based on lessons learned
- Implement additional controls to prevent recurrence
- Brief all staff on relevant findings
5. Communication Templates
Internal Notification (to all staff)
Subject: Security Incident — Action Required
Team,
We are responding to a security incident affecting [describe scope]. Please [specific instructions — e.g., "do not use email on your desktop until further notice" or "change your password now through the usual sign-in page, not through any link sent by email"].
Do NOT discuss this incident externally or on social media. All inquiries should be directed to [Communications Lead].
We will provide an update by [time/date].
[Incident Commander Name]
External Notification (to affected parties)
Subject: Important Notice About Your Information
Dear [Name],
We are writing to inform you of a security incident that may have involved your personal information. [Describe what happened, when it was discovered, and what information was affected.]
We have taken the following steps: [List remediation actions].
We recommend you [specific protective actions — e.g., monitor credit reports, change passwords].
If you have questions, please contact us at [phone/email].
Sincerely,
[Company Name]
6. Key Contacts
| Contact | Details |
| MSSP / Security Provider | [LevoySec — security@levoysec.com] |
| Cyber Insurance | [Carrier name, policy #, claims phone] |
| Legal Counsel | [Firm, contact name, phone] |
| FBI / IC3 | ic3.gov — for reporting cybercrime |
| CISA | cisa.gov/report — for reporting incidents |
7. Plan Maintenance
This plan must be:
- Reviewed and updated at least annually
- Updated after any significant incident
- Tested via tabletop exercise at least annually
- Distributed to all incident response team members
Last updated: [Date]
Next review due: [Date + 12 months]
Approved by: [Name, Title]