Incident Response Playbook

Property	Value
Document ID	PROC-005
Version	1.0
Status	Draft
Owner	Chief Information Security Officer (CISO)
Last Updated	2026-01-11
Next Review	2027-01-11
Related Controls	SOC 2: CC7.3, CC7.4, CC7.5 / ISO 27001: A.16.1
Parent Policy	Incident Response Policy (POL-008)

1. Purpose

This playbook provides step-by-step procedures for responding to common security incident types. It serves as an operational guide for the Incident Response Team during active incidents.

2. Incident Response Contacts

2.1 Incident Response Team

Role	Primary	Backup	Contact
Incident Commander	CISO	Security Lead	[phone/slack]
Technical Lead	Security Engineer	Sr. DevOps	[phone/slack]
Communications	PR Manager	Legal	[phone/slack]
Legal	General Counsel	Outside Counsel	[phone/slack]
Executive Sponsor	CEO	COO	[phone/slack]

2.2 External Contacts

Resource	Contact	When to Engage
Cyber Insurance	[policy number / contact]	All P1/P2 incidents
Forensics Firm	[retained firm name]	Evidence collection
Legal (External)	[law firm]	Breach notification
Law Enforcement	FBI IC3 / Local	Criminal activity
PR Agency	[agency name]	Public disclosure

3. Initial Response Checklist

When an incident is detected:

Confirm the incident is real (not false positive)
Classify severity (P1-P4)
Notify appropriate team members per severity
Create incident ticket with unique ID
Start incident timeline documentation
Preserve evidence (do not reboot/wipe affected systems)
Assess immediate containment needs
Communicate status to stakeholders

4. Playbook: Malware/Ransomware

4.1 Detection Indicators

Antivirus/EDR alert
Unusual file encryption activity
Ransom note displayed
Encrypted file extensions
Unusual outbound traffic

4.2 Immediate Actions (First 30 Minutes)

Step	Action	Owner
1	Isolate affected system(s) from network	Security/IT
2	Do NOT power off (preserve memory)	Security
3	Disable network shares from spreading	IT
4	Block known malicious IPs/domains at firewall	Security
5	Capture memory image if feasible	Security
6	Notify Incident Commander	First Responder
7	Activate incident response team	Incident Commander

4.3 Containment (First 4 Hours)

Identify patient zero (initial infection vector)
Identify all affected systems
Block lateral movement paths
Preserve forensic images of key systems
Check backup integrity (are backups affected?)
Assess data exfiltration indicators
Engage cyber insurance and forensics firm

4.4 Eradication and Recovery

Identify malware variant and IOCs
Scan all systems for IOCs
Remove malware artifacts
Reset affected credentials
Patch exploited vulnerability
Restore from clean backups (verify integrity)
Rebuild systems if necessary
Monitor for re-infection

4.5 Ransomware-Specific Guidance

Decision	Guidance
Do NOT pay ransom	Without legal/executive approval and law enforcement consultation
Preserve ransom note	Screenshot and preserve as evidence
Identify variant	Check ID Ransomware or similar
Check for decryptor	No More Ransom project
Report	FBI IC3, CISA

5. Playbook: Phishing/Compromised Credentials

5.1 Detection Indicators

User reports clicking phishing link
Suspicious login from unusual location
MFA prompt not initiated by user
Unusual email forwarding rules
Impossible travel alert

5.2 Immediate Actions

Step	Action	Owner
1	Reset user's password immediately	Security/IT
2	Revoke active sessions	Security/IT
3	Check MFA status (reset if compromised)	Security
4	Review recent login activity	Security
5	Check for email forwarding rules	Security
6	Review OAuth app consents	Security
7	Block sender/domain in email gateway	IT
8	Notify other recipients of phishing email	Security

5.3 Investigation Steps

Analyze phishing email (headers, links, attachments)
Identify all users who received the email
Identify users who clicked/submitted credentials
Review actions taken with compromised credentials
Check for data access or exfiltration
Check for persistence (new accounts, OAuth apps, MFA changes)

5.4 Recovery

Ensure all compromised credentials reset
Re-enroll MFA if compromised
Remove malicious email from all mailboxes
Add IOCs to blocklists
Provide targeted awareness training to affected user

6. Playbook: Unauthorized Access

6.1 Detection Indicators

Access from unusual location/IP
Access outside normal hours
Access to unusual resources
Privilege escalation detected
New admin account created

6.2 Immediate Actions

Step	Action	Owner
1	Disable suspected compromised account	Security
2	Review access logs for affected account	Security
3	Identify systems/data accessed	Security
4	Check for persistence mechanisms	Security
5	Review for lateral movement	Security

6.3 Investigation Steps

Determine initial access vector
Map attacker activity timeline
Identify all accounts used by attacker
Identify data accessed or exfiltrated
Check for backdoors or malware
Review privilege escalation path

6.4 Recovery

Reset all compromised credentials
Remove unauthorized accounts
Remove persistence mechanisms
Patch exploited vulnerability
Enhance monitoring for similar activity

7. Playbook: Data Breach

7.1 Detection Indicators

Sensitive data found externally
Large data export/download
Database extraction detected
Notification from third party

7.2 Immediate Actions

Step	Action	Owner
1	Confirm data is legitimate organizational data	Security
2	Stop ongoing exfiltration if active	Security
3	Notify Incident Commander	First Responder
4	Engage Legal immediately	Incident Commander
5	Preserve evidence	Security
6	Notify cyber insurance carrier	CISO

7.3 Investigation Steps

Identify what data was exposed
Identify how many records/individuals affected
Determine data classification level
Identify root cause and timeline
Assess regulatory notification requirements

7.4 Notification Requirements

Regulation	Timeline	Requirement
GDPR	72 hours	Notify supervisory authority
GDPR	Without undue delay	Notify affected individuals (if high risk)
State breach laws	Varies (24h-60 days)	Notify affected residents
Contractual	Per contract	Notify customers/partners

7.5 Recovery

Address root cause
Implement additional controls
Complete required notifications
Offer identity protection to affected individuals (if applicable)
Document lessons learned

8. Playbook: Denial of Service (DoS/DDoS)

8.1 Detection Indicators

Service degradation or outage
Spike in traffic volume
CDN/WAF alerts
Resource exhaustion

8.2 Immediate Actions

Step	Action	Owner
1	Confirm attack vs legitimate traffic	IT/Security
2	Engage DDoS mitigation service	IT
3	Enable rate limiting/geo-blocking	IT
4	Scale infrastructure if possible	DevOps
5	Communicate with customers	Communications

8.3 Mitigation Techniques

Technique	Implementation
Rate limiting	WAF/Load balancer
Geo-blocking	Block attacking regions
Traffic scrubbing	DDoS provider
Null routing	Upstream provider
Auto-scaling	Cloud infrastructure

9. Communication Templates

9.1 Initial Internal Notification

SECURITY INCIDENT - [SEVERITY LEVEL]

Incident ID: [INC-XXXX]
Time Detected: [timestamp]
Status: Investigating

Summary: [brief description]

Current Impact: [systems/users affected]

Response Team: [names]

Next Update: [time]

Do not discuss externally. Updates via [channel].

9.2 Status Update Template

INCIDENT UPDATE - [INC-XXXX]

Status: [Investigating/Contained/Eradicated/Resolved]

Progress:
- [action completed]
- [action completed]

Next Steps:
- [planned action]

ETA for Resolution: [estimate]

Next Update: [time]

9.3 External Customer Notification (if needed)

Subject: Security Incident Notification

We are writing to inform you of a security incident 
that may have affected [description].

What Happened: [brief, factual description]

What Information Was Involved: [data types]

What We Are Doing: [response actions]

What You Can Do: [recommended actions]

For More Information: [contact]

10. Post-Incident Activities

10.1 Post-Incident Review (Within 5 Business Days)

Conduct review covering:

10.2 Post-Incident Report Template

Section	Content
Executive Summary	High-level overview for leadership
Timeline	Chronological events
Impact Assessment	Systems/data/users affected
Root Cause Analysis	How and why it happened
Response Actions	What was done
Lessons Learned	Improvements identified
Recommendations	Action items with owners/dates

10.3 Improvement Actions

11. Evidence Collection Guide

11.1 Evidence Types

Evidence	Collection Method	Priority
Memory image	Memory dump tool	High
Disk image	Forensic imaging	High
Network logs	SIEM export	High
System logs	Log collection	High
Malware samples	Isolated collection	Medium
Screenshots	Screen capture	Medium

11.2 Chain of Custody

For each piece of evidence, document:

What was collected
When it was collected
Who collected it
How it was collected
Where it is stored
Who has accessed it

12. Related Documents

13. Version History

Version	Date	Author	Changes
1.0	2026-01-11	Security Team	Initial release

This document is classified as INTERNAL. Unauthorized distribution is prohibited.