Cybersecurity Incident Response Plan (Sector & State-Specific)
Overview
Draft a cybersecurity Incident Response Plan aligned with NIST SP 800-61r3 (2024), tailored to industry sector (HIPAA, GLBA, NYDFS, SEC Reg S-P, PCI DSS v4.0, NERC CIP, CMMC/DFARS, CIRCIA) and state breach notification laws across all 50 states + DC. Includes detection playbooks, escalation procedures, evidence preservation, legal hold, and state-by-state notification timeline matrix.
Generic NIST-aligned templates ignore sector-specific requirements and state breach notification laws. Where a state sets a fixed deadline for individual notification it ranges from 30 to 60 days (other states require notice "in the most expedient time possible and without unreasonable delay"), some states require Attorney General notification, and sector regulations impose clocks as short as 1 hour (NERC CIP) or 72 hours (NYDFS, DFARS). This skill produces a complete IRP aligned with the 2024 NIST revision's iterative phase model, with sector-specific regulatory mapping and a built-in state breach notification database covering all 50 US states plus DC.
Getting Started
Add your source materials to the project workspace — existing security policies, network architecture diagrams, vendor lists, cyber insurance policy, and any prior incident reports — then activate the Cybersecurity Incident Response Plan (Sector & State-Specific) skill. The agent will guide you through profiling, phase mapping, regulatory notification, and playbook development.
Example Conversation
Below is an example of how a typical IRP session unfolds. The agent gathers the organization profile, maps regulatory obligations, generates state notification timelines, and iteratively validates the plan.
You: We need to create a cybersecurity incident response plan for our company. We’re a healthcare technology company — SaaS platform that processes patient data for hospitals. We operate in 12 states.
Agent: I’ll help you draft a NIST SP 800-61r3-aligned IRP. Let me gather your organization profile:
- Which regulatory frameworks apply? Based on healthcare SaaS processing patient data, I’m assuming HIPAA at minimum. Do you also process payment card data (PCI DSS)?
- Which 12 states do you operate in?
- What data types do you handle? (PHI, PII, financial data, etc.)
- What’s your infrastructure — cloud, on-premises, or hybrid? Which cloud providers?
- What security tools are in place? (SIEM, EDR, SOAR, etc.)
- Do you have cyber insurance? If so, does the policy specify approved forensic vendors or breach counsel?
You: HIPAA and we also accept credit cards so PCI DSS. States: CA, TX, NY, FL, IL, PA, OH, NC, CO, WA, MA, NJ. Data is PHI and PII, some payment card data. AWS us-east-1 and us-west-2. We have CrowdStrike EDR and Splunk SIEM. Yes, we have cyber insurance through Beazley — they have a panel of approved vendors.
Agent: Understood. Two sector-specific frameworks plus 12 states with varying notification laws. Let me run the breach notification mapper for your states…
Here’s your state notification timeline — note the critical findings:
| State | Deadline | AG Notification | Key Notes |
|---|---|---|---|
| California | Expedient | Required (500+) | CCPA private right of action for unencrypted PI |
| North Carolina | 30 days | Required | One of the strictest US timelines (SB 300, 2022) |
| New Jersey | 30 days | Required | NJSA 56:8-166.1, effective 2023 |
| Colorado | 30 days | Required (500+) | Very strict |
| Washington | 30 days | Required (500+) | |
| Florida | 30 days | Required (500+) | |
| New York | Expedient | Required | SHIELD Act — notify AG, DFS, state police |
| Massachusetts | Expedient | Required | Must describe security steps taken |
| … | … | … | … |

Important: You have 6 states with 30-day deadlines and 4 requiring AG notification. Your IRP must default to the most restrictive deadline — 30 days — for all notifications unless state-specific analysis confirms a longer window. Also, NY triggers NYDFS 23 NYCRR 500 (72-hour DFS notification) if any of your hospital customers are DFS-regulated.
For sector requirements:
- HIPAA: Individual notification within 60 days of discovery; HHS notification within 60 days for 500+ individuals; media notification for 500+ in a single state
- PCI DSS v4.0: Notify acquiring bank and card brands immediately; engage PCI Forensic Investigator; preserve evidence for 365 days
Let me now build the NIST phases. What does your current IR team look like — who’s on call for security incidents?
You: Our CISO leads IR, with a 3-person security team. We use a 24/7 MDR service from CrowdStrike for after-hours. We don’t have an outside forensics firm on retainer.
Agent: I recommend establishing a retainer with a Beazley-approved forensics firm before an incident occurs — it avoids delays during an active breach. I’ve noted this in the Prepare phase.
I’ve built the IRP structure and run the completeness checker. There are 3 errors:
- [ERROR] Missing detection playbooks — ransomware, BEC, and data exfiltration playbooks are required per NIST Prepare phase and cyber insurance underwriting standards
- [ERROR] Missing evidence preservation and chain of custody procedures — required for law enforcement referral and PCI DSS 365-day retention
- [ERROR] Healthcare/HIPAA sector: HIPAA Breach Notification Rule requirements not addressed in regulatory notifications
Let’s start with the ransomware playbook since that’s the highest-probability, highest-impact scenario for healthcare SaaS. What’s your backup strategy — and are backups air-gapped or isolated from the production environment?
Sample Output Excerpt
Below is a representative excerpt from a generated IRP, showing the Regulatory Notification Matrix and a Ransomware Playbook — the sections most critical during an active incident.
7. Regulatory Notification Matrix
Upon confirmation that a security incident constitutes a reportable breach under one or more of the following frameworks, the IR Lead and General Counsel shall initiate notifications per the timelines below. All notifications are coordinated through outside breach counsel to preserve attorney-client privilege.
| Framework | Notification Recipient | Deadline | Trigger | Evidence Retention |
|---|---|---|---|---|
| HIPAA (45 CFR §164.404-408) | Affected individuals | ≤60 calendar days from discovery | Breach of unsecured PHI per 4-factor risk assessment | 6 years (45 CFR §164.530(j) documentation retention) |
| HIPAA (500+ individuals) | HHS OCR portal | ≤60 calendar days from discovery | Breach affecting 500+ individuals | |
| HIPAA (500+ in single state) | Prominent media outlet in state | ≤60 calendar days from discovery | 500+ residents of a single state/jurisdiction | |
| PCI DSS v4.0 (Req. 12.10) | Acquiring bank, card brands | Immediately upon suspicion | Suspected compromise of cardholder data environment | 365 days |
| PCI DSS v4.0 | PCI Forensic Investigator (PFI) | Within 24 hours of notification | Card brand directive | 365 days |
| NYDFS 23 NYCRR 500 | NY Dept. of Financial Services | ≤72 hours | Qualifying cybersecurity event (if DFS-regulated entity or BA to DFS entity) | Per DFS requirements |
| State breach laws (12 states) | See State Notification Matrix below | Most restrictive: 30 days | Breach of unencrypted personal information | Per state statute |
| State AG (where required) | State Attorney General | Concurrent with or before individual notice | CA (500+), NY, NJ, NC, CO (500+), WA (500+), FL (500+), MA, OH (1,000+), PA, IL | |
| FBI / IC3 | FBI field office, IC3 (ic3.gov) | As soon as practicable | Any suspected criminal cyber intrusion | |
| Cyber Insurance (Beazley) | Beazley claims line | As soon as practicable; before engaging non-panel vendors | Any incident that may give rise to a claim | Per policy terms |
10.1 Ransomware Detection and Response Playbook
Phase: Detect
- CrowdStrike EDR alert: RansomwareActivity, SuspiciousEncryption, or ShadowCopyDeletion
- Splunk SIEM correlation: high-volume file rename events (>1,000 files/minute with entropy change), vssadmin/wmic shadow delete commands, known ransomware C2 beacon patterns
- User reports: inability to open files, ransom note displayed
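The two SIEM correlations named above, implemented as detection logic over constructed sample telemetry. This is an added example, not content from the generated IRP or from CrowdStrike or Splunk: the event field names (time, host, event, cmdline, path) and the JSON-lines input format are assumptions, and the 1,000-renames-per-minute threshold is taken from the playbook text. It flags shadow-copy deletion commands (while ignoring a benign vssadmin list shadows) and a per-host sliding-window burst of file renames.

```python
"""Detect-phase correlations from the ransomware playbook, run over constructed events.

Added example, not part of the generated IRP or any vendor's detection content.
Event field names (time, host, event, cmdline, path) are assumptions, not the
CrowdStrike or Splunk schema.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines used to destroy recovery points before encryption begins.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no",
    re.IGNORECASE,
)

RENAME_THRESHOLD = 1000          # renames per host per window, from the playbook
WINDOW = timedelta(seconds=60)


def parse_events(lines):
    """One JSON object per line; timestamps are ISO 8601."""
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events


def detect_shadow_deletion(events):
    return [
        {"host": e["host"], "time": e["time"].isoformat(), "cmdline": e["cmdline"]}
        for e in events
        if e.get("event") == "process_start" and SHADOW_DELETE.search(e.get("cmdline", ""))
    ]


def detect_rename_burst(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Sliding 60 s window over rename events per host. Mass renames (a new
    extension appended to every file) are the on-disk signature of encryption."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("event") == "file_rename":
            per_host[e["host"]].append(e["time"])
    hits = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append({"host": host, "window_start": times[start].isoformat(),
                             "count": end - start + 1})
                break                         # one alert per host is enough for triage
    return hits


def sample_events():
    """Constructed telemetry (not real data)."""
    t0 = datetime(2024, 5, 1, 2, 14, 0)
    lines = [
        json.dumps({"time": t0.isoformat(), "host": "WS-042", "event": "process_start",
                    "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}),
        json.dumps({"time": (t0 + timedelta(seconds=1)).isoformat(), "host": "WS-042",
                    "event": "process_start", "cmdline": "wmic shadowcopy delete"}),
        # A legitimate admin query: must not fire.
        json.dumps({"time": t0.isoformat(), "host": "FS-01", "event": "process_start",
                    "cmdline": "vssadmin list shadows"}),
    ]
    # WS-042: 1,200 renames in 40 seconds, encryption in progress.
    for i in range(1200):
        lines.append(json.dumps({"time": (t0 + timedelta(seconds=2 + i * 40 / 1200)).isoformat(),
                                 "host": "WS-042", "event": "file_rename",
                                 "path": rf"\\share\records\rec{i}.pdf.locked"}))
    # FS-01: 300 renames spread over a minute, a normal job below the threshold.
    for i in range(300):
        lines.append(json.dumps({"time": (t0 + timedelta(seconds=i * 60 / 300)).isoformat(),
                                 "host": "FS-01", "event": "file_rename",
                                 "path": rf"\\share\tmp\job{i}.tmp"}))
    return lines


def run(lines=None):
    events = parse_events(sample_events() if lines is None else lines)
    return {"shadow_deletion": detect_shadow_deletion(events),
            "rename_burst": detect_rename_burst(events)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The rename correlation is deliberately per host: a single backup or indexing job on a file server can rename hundreds of files a minute legitimately, so the threshold should be tuned against a baseline of normal renames for each host class before the rule is promoted to alerting.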
Phase: Analyze (concurrent with Detect)
- Determine scope: which hosts, network segments, data stores are affected
- Identify ransomware variant (file extension, ransom note content, YARA signature)
- Determine encryption status: in progress (containable) vs. complete
- Identify initial access vector: phishing email, exposed RDP, vulnerability exploit, supply chain
- Assess whether PHI or payment card data is in affected systems (triggers HIPAA and PCI notification)
Phase: Contain
- Isolate affected systems — Network isolation via CrowdStrike network containment or VLAN changes. Do NOT power off systems: volatile memory (running processes, injected code, keys in use) is lost on shutdown and is needed for the forensic capture below.
- Block C2 infrastructure — Add ransomware C2 domains/IPs to firewall and DNS sinkhole. Update threat intelligence feeds in Splunk.
- Disable compromised accounts — Reset passwords and revoke active sessions for all accounts on affected systems. Revoke OAuth tokens and API keys.
- Preserve forensic evidence — Capture memory dumps and disk images of affected systems BEFORE any remediation. Tag and document chain of custody.
- Assess lateral movement — Review authentication logs for credential reuse across systems. Check for persistence mechanisms (scheduled tasks, services, registry run keys).
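Evidence hashing and a tamper-evident chain-of-custody record for the "tag and document chain of custody" step above, as an added example that is not part of the generated IRP or of any forensics product. The artifact is a constructed byte string standing in for a memory image; handler names, timestamps and the evidence ID format are illustrative. Each custody entry commits to the previous entry's hash, so a later edit, reordering or deletion of an entry is detectable when the log is verified.

```python
"""Evidence hashing with a hash-chained chain-of-custody log.

Added example, not part of the generated IRP or any forensics product.
Handler names, timestamps and the evidence ID format are illustrative.
"""
import hashlib
import json

ZERO_HASH = "0" * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry):
    """Canonical JSON of every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def open_log(evidence_id, artifact, description, handler, acquired_at):
    """First entry: acquisition. Records the artifact hash the whole chain vouches for."""
    first = {"seq": 0, "evidence_id": evidence_id, "action": "acquired",
             "description": description, "handler": handler, "time": acquired_at,
             "artifact_sha256": sha256_hex(artifact), "prev": ZERO_HASH}
    first["entry_hash"] = entry_hash(first)
    return [first]


def append_event(log, action, handler, time, note=""):
    """Append a custody event that commits to the previous entry's hash."""
    prev = log[-1]
    entry = {"seq": prev["seq"] + 1, "evidence_id": prev["evidence_id"], "action": action,
             "handler": handler, "time": time, "note": note,
             "artifact_sha256": prev["artifact_sha256"], "prev": prev["entry_hash"]}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log, artifact=None):
    """Return (ok, problems). Checks sequence numbers, back-links and entry hashes,
    and, when the artifact is supplied, that it still matches the acquisition record."""
    problems = []
    for i, e in enumerate(log):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap (entry removed or reordered)")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: entry hash mismatch (contents edited)")
        expected_prev = ZERO_HASH if i == 0 else log[i - 1]["entry_hash"]
        if e["prev"] != expected_prev:
            problems.append(f"entry {i}: link to previous entry broken")
    if artifact is not None and log and sha256_hex(artifact) != log[0]["artifact_sha256"]:
        problems.append("artifact hash does not match acquisition record")
    return (not problems, problems)


# Constructed stand-in for an acquired memory image (not real data).
ARTIFACT = b"\x7fMEMDUMP\x00" + bytes(range(256)) * 4


def demo_log():
    """Acquisition, sealing and hand-off to the outside forensics firm."""
    log = open_log("IR-2024-0001-E01", ARTIFACT, "Memory image, host WS-042",
                   "A. Analyst", "2024-05-01T02:40:00Z")
    append_event(log, "sealed", "A. Analyst", "2024-05-01T02:55:00Z",
                 "Evidence bag 0193, stored in IR safe")
    append_event(log, "transferred", "B. Examiner (forensics firm)", "2024-05-01T15:10:00Z",
                 "Released against signed receipt")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("clean log:", verify_log(log, ARTIFACT))
    log[1]["handler"] = "someone else"          # simulate a retroactive edit
    print("edited log:", verify_log(log, ARTIFACT))
```

A hash chain only detects changes made to part of the log; someone who can rewrite the whole file can recompute every hash. In practice each entry (or the latest entry hash) is exported to write-once storage or signed by the handler at the time of the event, and the artifact hash is recorded on the physical evidence tag as well.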
Phase: Coordinate (parallel)
- Legal hold: Activate immediately. Suspend all data destruction schedules for affected systems and user accounts.
- Outside counsel: Engage Beazley panel breach counsel within 1 hour.
- Cyber insurance: Notify Beazley claims within 2 hours. Do NOT engage non-panel forensics vendors.
- Law enforcement: Notify the FBI field office or IC3 as soon as practicable for any suspected criminal intrusion, as the Regulatory Notification Matrix requires, not only when prosecution is intended. Document any law enforcement request to delay public notice; notifying the FBI does not by itself satisfy any regulatory notification clock.
- Ransom payment: Do NOT pay without (1) OFAC sanctions screening confirming that payment would not go to a designated entity or jurisdiction, (2) legal counsel approval, (3) insurance carrier consultation, and (4) an assessment of data recovery alternatives.
Phase: Eradicate and Recover
- Identify and remove persistence mechanisms on all affected and laterally-connected systems
- Patch the exploited vulnerability or close the initial access vector
- Rotate ALL credentials in the environment (not just affected accounts): user passwords, service accounts, API keys and OAuth secrets, cloud credentials such as AWS IAM access keys, and any secrets stored on affected hosts
- Restore from known-good backups — verify backup integrity before restoration (ransomware may have corrupted backups during dwell time)
- Rebuild systems from gold images where backup integrity cannot be confirmed
- Enhanced monitoring for 30 days post-recovery: watch for re-encryption, beacon activity, or new persistence
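A backup integrity check for the "verify backup integrity before restoration" step above, as an added example that is not part of the generated IRP. It assumes a manifest (SHA-256 and byte entropy per object) was written at backup time and kept where a later intruder could not rewrite it, such as object-locked or offline storage; object names and contents are constructed. Entropy is compared against each object's own recorded baseline rather than a fixed cut-off, so legitimately compressed archives do not trip the check while a structured file encrypted in place does.

```python
"""Backup integrity check before restoration.

Added example, not part of the generated IRP. The manifest is assumed to be
stored out of the attacker's reach (object lock or offline media). Object
names and contents are constructed.
"""
import hashlib
import math
import random
from collections import Counter

ENTROPY_JUMP = 1.0   # bits/byte above the recorded baseline: likely encrypted in place


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(objects):
    """Run at backup time. Store the result separately from the backups."""
    return {name: {"sha256": sha256_hex(data), "entropy": round(shannon_entropy(data), 3)}
            for name, data in objects.items()}


def verify_backup(objects, manifest):
    """Compare what is on the backup target now against the pre-incident manifest."""
    report = {"ok": [], "missing": [], "tampered": [], "suspicious_entropy": [], "unexpected": []}
    for name, rec in manifest.items():
        if name not in objects:
            report["missing"].append(name)
            continue
        data = objects[name]
        bad = False
        if sha256_hex(data) != rec["sha256"]:
            report["tampered"].append(name)
            bad = True
        if shannon_entropy(data) - rec["entropy"] >= ENTROPY_JUMP:
            report["suspicious_entropy"].append(name)
            bad = True
        if not bad:
            report["ok"].append(name)
    # Objects the manifest never recorded: ransom notes, dropped tooling, staging data.
    report["unexpected"] = sorted(set(objects) - set(manifest))
    report["safe_to_restore"] = not (report["missing"] or report["tampered"]
                                     or report["suspicious_entropy"])
    return report


def sample_objects():
    """Constructed backup set (not real data)."""
    sql = b"INSERT INTO visits VALUES (1, 'MRN-0001', '2024-05-01');\n" * 200
    csv = "\n".join(f"{i},patient-{i},2024-05-{i % 28 + 1:02d}" for i in range(400)).encode()
    yaml = b"region: us-east-1\nretention_days: 35\n"
    return {"db/visits.sql": sql, "exports/patients.csv": csv, "config/app.yaml": yaml}


def run():
    """Manifest from the pre-incident set, then verify what is found after the incident."""
    pre = sample_objects()
    manifest = build_manifest(pre)
    post = dict(pre)
    rng = random.Random(7)
    # Encrypted in place: same size, random-looking bytes.
    post["db/visits.sql"] = bytes(rng.getrandbits(8) for _ in range(len(pre["db/visits.sql"])))
    # One byte altered: entropy barely moves, the hash catches it.
    post["exports/patients.csv"] = pre["exports/patients.csv"][:-1] + b"X"
    post["README_TO_RESTORE.txt"] = b"Your files have been encrypted."
    return verify_backup(post, manifest)


if __name__ == "__main__":
    print(run())
```

The hash comparison is the authoritative check; the entropy comparison exists for the case where no manifest entry survives, or where a backup was rewritten by a process that also rewrote the manifest, and it only works because the baseline was recorded while the data was known-good.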
Phase: Post-Incident
- Lessons learned meeting within 2 weeks
- Root cause analysis documenting: initial access, dwell time, detection gap, containment effectiveness
- Update this playbook with new IOCs and detection rules
- Report MTTD and MTTR metrics to CISO and Board
Built-in Validation
The skill includes two validation tools: a completeness checker that validates the IRP against NIST phases and sector requirements, and a breach notification mapper that generates state-by-state notification timelines. The agent runs both automatically and surfaces gaps inline.
IRP Completeness Checker
| Check Category | What It Validates | Severity |
|---|---|---|
| Organization profile | Sectors, states, data types documented | ERROR if missing |
| IR team | Team composition with roles, contacts, alternates | ERROR if missing |
| Incident classification | Category taxonomy and severity levels defined | ERROR if missing |
| NIST Prepare | Team, training, tools, contact lists, communication templates | ERROR if missing |
| NIST Detect | Monitoring sources, alert triage, initial classification | ERROR if missing |
| NIST Analyze | Scope determination, severity classification, timeline documentation | ERROR if missing |
| NIST Contain | Isolation, credential lockout, evidence preservation before containment | ERROR if missing |
| NIST Eradicate/Recover | Root cause removal, credential rotation, backup restoration, re-infection monitoring | ERROR if missing |
| NIST Post-Incident | Lessons learned, RCA, plan updates, metrics | ERROR if missing |
| Playbooks | Ransomware, BEC, data exfiltration (required, not optional) | ERROR if missing |
| Evidence preservation | Chain of custody, imaging, log retention (PCI: 365 days; DFARS: 90 days) | ERROR if missing |
| Legal hold | Trigger criteria, notice recipients, data preservation scope | WARNING if missing |
| Escalation | Internal escalation tree, external communication procedures | ERROR if missing |
| State notifications | State breach notification matrix for all operating states | ERROR if states listed but matrix missing |
| HIPAA | Breach notification rule (60-day individual + HHS) | ERROR if healthcare sector |
| PCI DSS v4.0 | Forensic investigation, acquirer notification, 365-day evidence retention | ERROR if retail/payment sector |
| NERC CIP-008-6 | E-ISAC 1-hour reporting | ERROR if energy sector |
| GLBA/FTC | FTC Safeguards Rule: 30-day FTC notification for unencrypted customer information of 500+ consumers | WARNING if financial sector |
| NYDFS | 72-hour DFS notification | WARNING if financial sector |
| SEC Reg S-P | 30-day individual notification (compliance dates Dec 2025 for larger entities, Jun 2026 for smaller) | WARNING if financial sector |
| CMMC/DFARS | DIBNet 72-hour reporting, 90-day image preservation | WARNING if defense sector |
| CIRCIA | 72-hour incident / 24-hour ransomware payment reporting to CISA (obligations attach once CISA's final rule is in effect) | WARNING if energy sector |
Breach Notification Mapper
Covers all 50 US states plus DC with:
- Notification deadline (outer statutory limit for individual notification)
- AG notification requirement (required / not required, with resident thresholds)
- Special provisions (encryption safe-harbors, private rights of action, expanded PI definitions)
States with the strictest timelines (30 days): Colorado, DC, Florida, Maine, New Jersey, North Carolina, Utah, Washington, Wyoming.
Severity levels
- ERROR — A required IRP element is missing. The plan would fail a tabletop exercise, regulatory audit, or cyber insurance underwriting review.
- WARNING — A recommended element or sector-specific check that should be addressed based on the organization’s profile.
Example validation output
========================================================================
Cybersecurity IRP — Completeness Check (NIST SP 800-61r3, 2024)
========================================================================
--- Errors (must fix) ---
[ERROR] Missing detection playbooks. Playbooks for ransomware,
Business Email Compromise (BEC), and data exfiltration are required
per NIST SP 800-61r3 Prepare phase and cyber insurance underwriting
standards.
[ERROR] Missing evidence preservation and chain of custody procedures.
Required for law enforcement referral, regulatory defense, and
CIRCIA forensic data requests. Note PCI DSS: 365-day retention;
DFARS: 90-day image preservation.
[ERROR] Healthcare/HIPAA sector: HIPAA Breach Notification Rule
requirements not addressed (individual notification ≤60 days from
discovery; HHS notification ≤60 days for 500+ individuals).
--- Warnings (recommended) ---
[WARNING] Missing legal hold procedures. Legal hold activation
(suspend data destruction, notify custodians) must be a Day 1
action on any confirmed incident involving potential litigation
or regulatory enforcement.
[WARNING] Financial services sector: verify NYDFS 23 NYCRR 500 is
addressed if the organization is licensed/registered with DFS
(72-hour notification to DFS).
========================================================================
The agent runs both tools automatically — the completeness checker after building the IRP structure, and the breach notification mapper when states of operation are identified — so you always know what gaps remain before the plan is finalized.