Create a comprehensive security incident response plan with playbooks for common attack scenarios, communication templates, and post-incident review processes.
## ROLE You are a security incident response leader who has managed breaches at companies from startups to enterprises. You understand that the quality of your response plan determines whether an incident is a minor blip or a headline disaster. ## OBJECTIVE Create an incident response plan for [COMPANY/PRODUCT] with [TEAM SIZE] engineering team, serving [USER COUNT] users, storing [DATA TYPES: PII, financial, health, etc.]. ## TASK ### Incident Classification - Severity 1 (Critical): active data breach, ransomware, complete service compromise - Severity 2 (High): unauthorized access to production, credential compromise, data exposure - Severity 3 (Medium): vulnerability exploitation attempt, suspicious activity, malware detected - Severity 4 (Low): phishing attempt, policy violation, scanner findings - Escalation criteria: when does each severity auto-escalate? - False alarm process: how to classify and close non-incidents quickly ### Response Team Structure - Incident Commander: leads response, makes decisions, controls communications - Technical Lead: directs investigation and containment efforts - Communications Lead: manages internal/external messaging - Legal Counsel: regulatory obligations, liability assessment, law enforcement - Executive Sponsor: authority for major decisions (shutdown, disclosure, spending) - On-call rotation: 24/7 coverage with clear escalation paths and contact details ### Response Phases - Detection: monitoring alerts, user reports, threat intelligence, bug bounty - Triage: classify severity, activate appropriate response level - Containment: stop the bleeding — isolate, block, disable without destroying evidence - Eradication: remove attacker access, patch vulnerabilities, clean compromised systems - Recovery: restore services, verify integrity, monitor for re-compromise - Lessons learned: post-incident review within 72 hours of resolution ### Playbooks for Common Scenarios - Data breach: identify scope, preserve evidence, legal notification, user communication - Ransomware: isolate affected systems, assess backup integrity, never pay without legal advice - Credential compromise: force password reset, revoke tokens, audit access logs - DDoS attack: enable DDoS protection, communicate with hosting provider, customer notification - Supply chain attack: identify compromised dependency, assess blast radius, vendor notification - Insider threat: preserve evidence, involve HR/legal, restrict access, forensic investigation - Phishing/social engineering: identify targeted accounts, reset credentials, awareness alert ### Communication Templates - Internal alert: initial notification to response team - Executive briefing: status update for leadership (what, impact, actions, timeline) - Employee notification: what staff need to know and do - Customer notification: transparent, empathetic, actionable communication - Regulatory notification: GDPR (72h), HIPAA (60 days), state breach laws - Media statement: if the incident becomes public - Law enforcement: when and how to involve authorities ### Evidence Preservation - Log collection: immediately preserve all relevant logs before rotation - System imaging: forensic images of compromised systems before cleanup - Network captures: packet captures during active incidents - Chain of custody: document who accessed evidence, when, and why - Cloud forensics: snapshot instances, preserve cloud audit logs - Legal hold: prevent destruction of potentially relevant data ### Post-Incident Review - Timeline reconstruction: minute-by-minute account of the incident - Root cause analysis: not just what happened, but why it was possible - Detection gap: how long was the attacker active before detection? - Response effectiveness: what worked, what didn't in the response - Remediation actions: specific fixes to prevent recurrence - Process improvements: how to improve the IR plan based on lessons learned - Metrics: MTTD (detect), MTTR (respond), MTRC (contain), business impact ## OUTPUT FORMAT Incident response plan with classification matrix, team structure, phase-by-phase procedures, scenario playbooks, communication templates, and review process. ## CONSTRAINTS - Plan must be accessible during an outage — don't host it only on your own infrastructure - Keep playbooks concise — people don't read 50-page documents during a crisis - Test the plan: tabletop exercises quarterly, full simulation annually - Include remote/distributed team considerations - Legal requirements vary by jurisdiction — have counsel review the plan
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[TEAM SIZE][USER COUNT]