Incident Response Plan
Security incident response plan with classification matrix, response phases, and communication templates.
Tags: security, incident-response, plan, compliance
Prompt
Create a security incident response plan for: {{org_type}}
Size: {{company_size}}
Industry: {{industry}}
Data sensitivity: {{data_sensitivity}}
Current security posture: {{security_posture}}
Regulatory requirements: {{regulatory_requirements}}

Create:

1. **Incident classification**:
   | Severity | Definition | Example | Response Time |
   - P1 Critical: Data breach, ransomware, service compromise
   - P2 High: Unauthorized access attempt, malware detected
   - P3 Medium: Phishing attempt, policy violation
   - P4 Low: Vulnerability reported, suspicious activity

2. **Response team and roles**:
   - Incident Commander: who and responsibilities
   - Technical Lead: who and responsibilities
   - Communications Lead: who and responsibilities
   - Legal/Compliance: when to involve
   - Executive sponsor: escalation path

3. **Response phases**:

   **Phase 1 — Detection and Triage** (first 30 min):
   - How to report an incident (channels, contacts)
   - Initial assessment checklist
   - Severity classification
   - Escalation decision tree

   **Phase 2 — Containment** (first 4 hours):
   - Immediate containment actions by incident type
   - Evidence preservation steps
   - Communication to affected teams

   **Phase 3 — Eradication** (24-72 hours):
   - Root cause analysis
   - System cleanup and hardening
   - Verification that threat is removed

   **Phase 4 — Recovery** (post-eradication):
   - System restoration steps
   - Monitoring for recurrence
   - Return to normal operations criteria

   **Phase 5 — Post-Incident** (within 1 week):
   - Blameless post-mortem template
   - Lessons learned documentation
   - Process improvements

4. **Communication templates**: Internal notification, customer notification, regulatory notification