Sundance IR Plan SOP Generator

1. Client Profile & Emergency Contacts

Legal Business Name

Main Contact

Business Address

Main Contact Phone / Email

Cyber Insurance Carrier

Policy / Claim Contact

Emergency Contact Matrix

Role	Name	Phone	Email	Escalation Notes

2. Table of Contents

3. Purpose, Scope & Objectives

This Incident Response Plan establishes the procedures to prepare for, detect, analyze, contain, eradicate, recover from, and document cybersecurity incidents. The plan supports business continuity, disaster recovery, cyber insurance obligations, evidence preservation, and compliance reporting.

Minimize operational disruption and data loss.
Protect client, employee, and business information.
Preserve evidence and maintain chain of custody.
Coordinate internal, legal, insurance, and technical response activities.

4. Incident Severity & Escalation Matrix

Severity	Definition	Examples	Escalation
Low	Minimal impact	Blocked phishing email, isolated suspicious file	IT review
Medium	Limited business impact	Single infected workstation, credential reset event	IT Lead / Management
High	Major risk or disruption	Email compromise, confirmed malware, data exposure concern	Executive, legal, insurance as needed
Critical	Enterprise-wide or severe event	Ransomware, active breach, widespread outage	Executive response team, insurance, legal, DRP activation

5. IR Lifecycle SOP

Preparation

Maintain backups, MFA, asset inventory, admin access controls, endpoint protection, monitoring, and tested DR procedures.

Identification

Validate alerts, classify incident type, document source, preserve logs, and assign severity.

Containment

Isolate affected systems, disable accounts, revoke sessions, block indicators, and prevent lateral movement.

Eradication

Remove malware, close exploited vulnerabilities, reset credentials, rebuild systems where needed, and verify clean state.

Recovery

Restore services from clean backups, validate functionality, monitor closely, and confirm business approval.

Lessons Learned

Review root cause, response timeline, control gaps, insurance requirements, and required improvements.

6. Incident-Specific Playbooks

Business Email Compromise / Email Hack

Disable or secure the compromised account. Revoke active sessions and refresh tokens. Reset password and verify MFA. Review mailbox forwarding, inbox rules, delegates, and OAuth app consent. Review sign-in logs, message trace, suspicious IPs, and impacted recipients. Notify management, insurance, and legal as appropriate.

Ransomware / Malware

Isolate affected systems from network immediately. Preserve evidence and avoid wiping systems until approved. Disable exposed credentials and admin accounts. Validate backups are clean and protected. Engage insurance carrier and legal counsel before ransom communication.

Data Breach / Sensitive Data Exposure

Preserve logs and affected data samples securely. Determine data types, users affected, and systems involved. Coordinate legal review for notification requirements. Document timeline, scope, containment, and remediation.

Lost or Stolen Device

Lock, wipe, or disable device where available. Disable associated sessions and rotate credentials. Review encryption status and data exposure risk.

7. Communication & Notification Protocols

Communication Rule: Share confirmed facts only. Avoid speculation. Preserve privilege where legal counsel is involved.

Party	Trigger	Owner	Method	Notes

8. Evidence Handling & Chain of Custody

Evidence Item	Source	Collected By	Date/Time	Storage Location

Embedded Screenshots / Evidence Images

9. Disaster Recovery Plan Integration

The IR team shall coordinate recovery activity with the client Disaster Recovery Plan to ensure restoration priorities, RTO/RPO requirements, backup validation, and executive authorization are followed.

System / Service	Priority	RTO	RPO	Recovery Notes

10. Testing, Maintenance & Review

Review this plan annually or after any material cybersecurity incident.
Validate emergency contacts and insurance information quarterly.
Conduct tabletop exercises at least annually.
Update playbooks when systems, vendors, tools, or compliance obligations change.

Revision History

Date	Version	Owner	Change Summary

11. Approval & Sign-Off

Client Authorized Representative

Name / Title

Sundance Representative

Name / Title

Executive Approval

Name / Title

Incident Response Plan
& Standard Operating Procedures

Client Information

1. Client Profile & Emergency Contacts

Emergency Contact Matrix

2. Table of Contents

3. Purpose, Scope & Objectives

4. Incident Severity & Escalation Matrix

5. IR Lifecycle SOP

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

6. Incident-Specific Playbooks

Business Email Compromise / Email Hack

Ransomware / Malware

Data Breach / Sensitive Data Exposure

Lost or Stolen Device

7. Communication & Notification Protocols

8. Evidence Handling & Chain of Custody

Embedded Screenshots / Evidence Images

9. Disaster Recovery Plan Integration

10. Testing, Maintenance & Review

Revision History

11. Approval & Sign-Off

Incident Response Plan& Standard Operating Procedures

Client Information

1. Client Profile & Emergency Contacts

Emergency Contact Matrix

2. Table of Contents

3. Purpose, Scope & Objectives

4. Incident Severity & Escalation Matrix

5. IR Lifecycle SOP

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

6. Incident-Specific Playbooks

Business Email Compromise / Email Hack

Ransomware / Malware

Data Breach / Sensitive Data Exposure

Lost or Stolen Device

7. Communication & Notification Protocols

8. Evidence Handling & Chain of Custody

Embedded Screenshots / Evidence Images

9. Disaster Recovery Plan Integration

10. Testing, Maintenance & Review

Revision History

11. Approval & Sign-Off

Incident Response Plan
& Standard Operating Procedures