Incident Response Plan
Last Updated: February 23, 2026
This Incident Response Plan outlines PlanXpress's procedures for detecting, responding to, and recovering from security incidents and data breaches.
1. Purpose and Scope
The purpose of this Incident Response Plan is to:
- Establish clear procedures for identifying and responding to security incidents
- Minimize the impact of security incidents on customer data and service availability
- Ensure compliance with legal and regulatory requirements, including GDPR breach notification within 72 hours
- Enable rapid containment, investigation, and remediation of security threats
- Facilitate post-incident learning and continuous improvement
2. Incident Response Team
PlanXpress maintains a dedicated Incident Response Team with the following roles:
- Incident Response Coordinator: Overall incident management, coordination, and decision-making authority
- Technical Lead: Technical investigation, forensics, and remediation
- Security Analyst: Threat analysis, vulnerability assessment, and security monitoring
- Communications Lead: Internal and external communications, customer notifications
- Legal Counsel: Legal compliance, regulatory notification, and liability assessment
- Executive Sponsor: Final decision authority for major incidents and business impact decisions
3. Incident Classification
Security incidents are classified by severity to determine response priorities and timelines:
3.1 Severity Levels
CRITICAL (Severity 1)
- Confirmed data breach with customer data exposure
- Complete service outage affecting all customers
- Active ransomware or malware infection
- Unauthorized access to production systems
- Failure, disabling, or bypass of encryption or other key security controls
Response Time: Immediate (within 15 minutes)
Notification: Customer notification within 72 hours
HIGH (Severity 2)
- Suspected data breach requiring investigation
- Partial service outage affecting multiple customers
- Successful phishing or social engineering attack
- Denial of service attack impacting availability
- Unauthorized access attempt (blocked)
Response Time: Within 1 hour
Notification: Customer notification if data exposure confirmed
MEDIUM (Severity 3)
- Vulnerability discovered in production system
- Security configuration error detected
- Minor service degradation
- Failed security scan or audit finding
Response Time: Within 4 hours
Notification: Internal only, customer notification if warranted
LOW (Severity 4)
- Security alert requiring investigation
- Policy violation
- Low-risk vulnerability in non-production environment
Response Time: Within 24 hours
Notification: Internal only
4. Incident Response Phases
Phase 1: Detection and Identification
Objective: Identify and confirm security incidents as quickly as possible.
Detection Methods:
- Automated security monitoring and alerting systems
- Weekly OWASP ZAP vulnerability scans
- Weekly npm audit dependency vulnerability checks
- Log analysis and anomaly detection
- Customer reports or complaints
- Third-party security researcher disclosure
- Employee observation or reporting
Initial Actions:
- Log the incident with timestamp and initial details
- Assign preliminary severity classification
- Alert the Incident Response Team
- Begin preserving evidence (logs, network captures, system snapshots)
- Initiate incident response procedures based on severity
Phase 2: Containment
Objective: Limit the scope and impact of the incident.
Short-term Containment (Immediate):
- Preserve forensic evidence (log exports, memory capture, disk snapshots) before any of the following changes, since each of them alters system state
- Isolate affected systems or accounts
- Block malicious IP addresses or traffic
- Disable compromised user accounts
- Apply emergency patches or configuration changes
- Enable additional monitoring on affected systems
Long-term Containment (Within 24 hours):
- Deploy more robust security controls
- Implement compensating controls if patches unavailable
- Segment affected systems from production environment
- Rotate credentials and encryption keys
- Prepare systems for recovery phase
Containment Timeline Targets:
- Critical incidents: Containment within 1 hour
- High severity incidents: Containment within 4 hours
- Medium severity incidents: Containment within 24 hours
Phase 3: Investigation and Analysis
Objective: Determine root cause, scope of impact, and data exposure.
Investigation Activities:
- Forensic analysis of affected systems
- Log review and timeline reconstruction
- Identification of attack vectors and entry points
- Assessment of data accessed or exfiltrated
- Determination of affected customers and data subjects
- Documentation of findings and evidence chain
Key Questions to Answer:
- What happened? (Nature of the incident)
- When did it happen? (Timeline of events)
- How did it happen? (Attack vector and vulnerabilities exploited)
- Who was affected? (Customers, data subjects, systems)
- What data was accessed or exposed? (Types and volume of data)
- Is the incident ongoing or contained?
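The "log analysis and anomaly detection" method in Phase 1 and the "log review and timeline reconstruction" activity in Phase 3 are served by the same piece of tooling: a parser over authentication logs, a detector that raises the alert, and a timeline builder that pulls every event tied to the flagged IP or account so the "what, when, who" questions above can be answered from one record. The following is an added example written for this page, not PlanXpress's own tooling. The log line format, the event names (`login_failed`, `login_success`, `export_started`), the 5-failures-in-10-minutes threshold, and the mapping of a brute-force-then-success sequence onto Severity 2 (escalated to a candidate Severity 1 when the session then exports data) are all assumptions for illustration; the sample log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Brute-force-then-success detector with per-alert timeline reconstruction.

Added example for Phase 1 (detection) and Phase 3 (investigation). The log
format, event names and severity mapping are assumptions, not PlanXpress's.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real logs). Format: <ISO-8601 UTC> <event> k=v ...
SAMPLE_LOG = """\
2026-02-20T09:14:02Z login_failed user=alice ip=203.0.113.7
2026-02-20T09:14:09Z login_failed user=alice ip=203.0.113.7
2026-02-20T09:14:15Z login_failed user=alice ip=203.0.113.7
2026-02-20T09:14:21Z login_failed user=alice ip=203.0.113.7
2026-02-20T09:14:28Z login_failed user=alice ip=203.0.113.7
2026-02-20T09:14:35Z login_success user=alice ip=203.0.113.7
2026-02-20T09:15:40Z export_started user=alice ip=203.0.113.7 records=48211
2026-02-20T09:30:00Z login_failed user=bob ip=198.51.100.23
2026-02-20T09:31:12Z login_success user=bob ip=198.51.100.23
2026-02-20T10:02:44Z login_failed user=carol ip=198.51.100.9
2026-02-20T10:02:50Z login_failed user=carol ip=198.51.100.9
2026-02-20T10:02:57Z login_failed user=carol ip=198.51.100.9
"""

# Assumed event names that indicate data leaving the system.
EXFIL_EVENTS = {"export_started", "bulk_download"}


def parse_line(line):
    """Parse one '<timestamp> <event> key=value ...' line into a dict."""
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": event, **fields}


def parse_log(text):
    """Parse all non-empty lines and return them in time order."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect_bruteforce_success(events, key="ip", threshold=5,
                              window=timedelta(minutes=10)):
    """Flag a login_success preceded by >= threshold login_failed events with
    the same `key` (IP by default; use key="user" for a single targeted
    account hit from many addresses) inside `window`. One alert per success."""
    recent = defaultdict(list)  # key value -> timestamps of recent failures
    alerts = []
    for e in events:
        k = e.get(key)
        if e["event"] == "login_failed":
            recent[k] = [t for t in recent[k] if e["ts"] - t <= window]
            recent[k].append(e["ts"])
        elif e["event"] == "login_success":
            fails = [t for t in recent[k] if e["ts"] - t <= window]
            if len(fails) >= threshold:
                alerts.append({"ip": e.get("ip"), "user": e.get("user"),
                               "failures": len(fails), "first_failure": fails[0],
                               "success": e["ts"]})
            recent[k].clear()  # a success ends the run either way
    return alerts


def build_timeline(events, alert, lookahead=timedelta(hours=1)):
    """Every event tied to the alert's IP or account, from the first failure
    until `lookahead` after the success: the Phase 3 what/when/who record."""
    start, end = alert["first_failure"], alert["success"] + lookahead
    return [e for e in events if start <= e["ts"] <= end
            and (e.get("ip") == alert["ip"] or e.get("user") == alert["user"])]


def propose_severity(timeline):
    """Assumed mapping onto Section 3: brute force followed by a successful
    login is a suspected breach (Severity 2); if that session then exports
    data, hand it to the analyst as a candidate Severity 1."""
    return 1 if any(e["event"] in EXFIL_EVENTS for e in timeline) else 2


def triage(text):
    """Parse, detect, and attach a timeline and proposed severity to each alert."""
    events = parse_log(text)
    results = []
    for alert in detect_bruteforce_success(events):
        tl = build_timeline(events, alert)
        results.append({**alert, "timeline": tl,
                        "proposed_severity": propose_severity(tl)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"ALERT ip={r['ip']} user={r['user']} failures={r['failures']} "
              f"proposed_severity={r['proposed_severity']}")
        for e in r["timeline"]:
            print(f"  {e['ts'].isoformat()}  {e['event']:<14} "
                  + " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "event")))
```

On the constructed sample this raises one alert (alice, five failures then a success from 203.0.113.7) and, because the same session then starts an export, proposes Severity 1 for analyst review; bob's single failure and carol's unfinished run are not flagged. Two limits worth knowing before relying on a detector like this: an attacker who spaces attempts beyond the window, or spreads them across many addresses against one account, evades the per-IP keying, which is why `key="user"` is offered as a second pass. The proposed severity is an input to the Incident Response Coordinator's classification, not a replacement for it.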
Phase 4: Eradication
Objective: Remove the threat and eliminate vulnerabilities.
Eradication Activities:
- Remove malware, backdoors, or unauthorized access
- Patch vulnerabilities that enabled the incident
- Close attack vectors and security gaps
- Update security configurations
- Reset credentials and revoke compromised tokens
- Verify complete removal of threat
Phase 5: Recovery
Objective: Restore systems to normal operation and verify security.
Recovery Activities:
- Restore systems from clean backups if necessary
- Gradually return affected systems to production
- Implement enhanced monitoring during recovery
- Verify system functionality and security posture
- Confirm no residual threats or vulnerabilities
- Document recovery actions and validation steps
Recovery Timeline Targets:
- Recovery Time Objective (RTO): 4 hours for critical systems
- Recovery Point Objective (RPO): Maximum 24 hours data loss
- Full service restoration: Within 24 hours of eradication completion
Phase 6: Post-Incident Review
Objective: Learn from the incident and improve security posture.
Post-Incident Activities (within 7 days):
- Conduct post-incident review meeting with Incident Response Team
- Document complete incident timeline and actions taken
- Assess effectiveness of response procedures
- Identify lessons learned and improvement opportunities
- Develop action plan to prevent similar incidents
- Update security controls, policies, or procedures as needed
- Provide training or awareness communications based on findings
- Archive incident documentation for compliance and reference
5. Notification and Communication
5.1 Internal Communication
- Incident Response Team: Immediate notification via designated communication channel
- Executive Leadership: Within 1 hour for Critical/High severity incidents
- All Staff: As appropriate based on incident impact and need-to-know
5.2 Customer Notification
For incidents involving Personal Data breach:
- Timeline: Within 72 hours of becoming aware of the breach (the GDPR clock runs from awareness, not from completion of the investigation; notify with the facts available and follow up as the investigation firms them up)
- Method: Email notification to affected customer account administrators
- Content: See Section 6 (Notification Templates)
5.3 Regulatory Notification
- GDPR Supervisory Authority: Within 72 hours of becoming aware of breach (if applicable)
- Other Regulators: As required by jurisdiction-specific laws
- Coordination: Legal counsel coordinates all regulatory notifications
6. Notification Templates
6.1 Customer Breach Notification
Subject Line: Important Security Notification - PlanXpress Data Incident
Required Content:
- Date and nature of the incident
- Categories of Personal Data affected
- Approximate number of affected data subjects (if known)
- Likely consequences of the breach
- Measures taken to address the breach
- Measures customers should take to protect themselves
- Contact information for questions (security@planxpress.com)
- Timeline of incident and response actions
7. Escalation Procedures
7.1 Incident Escalation Triggers
Escalate to Executive Sponsor when:
- Incident reaches Critical (Severity 1) classification
- Confirmed Personal Data breach affecting customers
- Media attention or public disclosure likely
- Legal or regulatory action anticipated
- Service outage exceeds 4 hours
- Incident response requires business continuity activation
7.2 External Escalation
Engage external parties when:
- Law enforcement notification required (criminal activity, unauthorized access)
- Third-party forensic investigation needed
- Legal counsel required (regulatory compliance, liability assessment)
- Public relations firm needed (media management, reputation protection)
- Insurance carrier notification (cyber insurance claim)
8. Incident Response Tools and Resources
- Monitoring Systems: Real-time security monitoring and alerting
- Log Aggregation: Centralized logging for forensic analysis
- Forensic Tools: System imaging, memory capture, network packet analysis
- Communication Channels: Secure incident response communication platform
- Backup Systems: Automated database backups for recovery
- Documentation: Incident tracking system and response runbooks
9. Testing and Training
To maintain incident response readiness:
- Tabletop Exercises: Quarterly simulated incident response scenarios
- Technical Drills: Semi-annual technical response exercises (containment, recovery)
- Training: Annual incident response training for all team members
- Plan Updates: Annual review and update of incident response procedures
- Metrics: Track response times, containment effectiveness, and improvement trends
10. Related Documents
- Security Policy: Technical and organizational security measures
- Breach Notification Policy: Detailed breach notification procedures
- Data Processing Agreement: Customer data processing obligations
- Business Continuity Plan: Service restoration procedures
11. Contact Information
Security Incidents: security@planxpress.com
Emergency Response: Available 24/7
General Support: support@planxpress.com
Questions about incident response?
Contact us at security@planxpress.com