• Specifically, Responsive intends for this IRP to:
  • Define Responsive’ cyber incident response process and provide step-by-step guidelines for establishing a timely, consistent, and repeatable incident response process.
  • Assist Responsive and any applicable third parties in quickly and efficiently responding to and recovering from different levels of information security incidents.
  • Mitigate or minimize the effects of any information security incident on Responsive, clients, employees, or others.
  • Help Responsive consistently document the actions it takes in response to information security incidents.
  • Reduce overall risk exposure for Responsive.
  • Engage stakeholders and drive appropriate participation in resolving information security incidents while fostering continuous improvement in Responsive’ information security program and incident response process.
• Responsive developed and maintains this IRP as may be required by applicable laws and regulations.

This IRP applies to all Responsive business groups, divisions, and subsidiaries; their employees, contractors, officers, and directors; and Responsive’ IT systems, network, data, and any computer systems or networks connected to Responsive’ network.

• Other Plans and Policies
  Responsive may, from time to time, approve and make available more detailed or location or work group-specific plans, policies, procedures, standards, or processes to address specific information security issues or incident response procedures. Those additional plans, policies, procedures, standards, and processes are extensions to this IRP. You may find approved information security policies and other resources here.

Responsive has designated Managing Director/Jaclyn Hawtin to implement and maintain this IRP (the “information security coordinator”).

• Information Security Coordinator Duties
  Among other information security duties, as defined in Responsive’ written information security program (“WISP”) available here, the information security coordinator shall be responsible for:
  • Implementing this IRP.
  • Identifying the incident response team (“IRT”) and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents (see Section 5, Incident Response Team).
  • Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents (see Section 6, Incident Response Procedures).
  • Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures (see Section 6.7, Post-Incident Review).
  • Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of this IRP (see Section 7, Plan Training and Testing).
  • Reviewing this IRP at least annually, or whenever there is a material change in Responsive’ business practices that may reasonably affect its cyber incident response procedures (see Section 8, Plan Review).
• Enforcement
  Violations of or actions contrary to this IRP may result in disciplinary action, in accordance with Responsive’ information security policies and procedures and human resources policies.

The terms defined below apply throughout this IRP:

• Confidential Information
  Confidential information means information, as defined in Responsive’ WISP available at WISP, that may cause harm to Responsive or its clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available.
• Personal Information
  Personal information means individually identifiable information, as defined in Responsive’ WISP available at WISP, that Responsive’ owns, licenses, or maintains and that is from or about an individual including, but not limited to
  • first and last name;
  • home or other physical address, including street name and name of city or town;
  • email address or other online information, such as a user name and password;
  • telephone number;
  • government-issued identification or other number;
  • financial or payment card account number;
  • date of birth;
  • health information, including information [regarding the individual’s medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional/created or received by Responsive; and
  • any information that is combined with any of (a) through (h) above.
• Information Security Incident
  Information security incident means an actual or reasonably suspected
  • loss or theft of confidential or personal information;
  • unauthorized use, disclosure, acquisition of or access to, or other unauthorized processing of confidential or personal information that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information; or
  • unauthorized access to or use of, inability to access, loss or theft of, or malicious infection of Responsive’ IT systems or third party systems that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information or Responsive’ operating environment or services.

• Role
  The IRT provides timely, organized, informed, and effective response to information security incidents to:
  • avoid loss of or damage to Responsive’ IT systems, network, and data;
  • minimize economic, reputational, or other harms to Responsive and its clients, employees, and partners; and
  • manage litigation, enforcement, and other risks.
• Authority
  Through this IRP, Responsive authorizes the IRT to take reasonable and appropriate steps necessary to mitigate and resolve information security incidents, in accordance with the escalation and notification procedures defined in this IRP.
• Responsibilities
  The IRT is responsible for:
  • Addressing information security incidents in a timely manner, according to this IRP.
  • Managing internal and external communications regarding information security incidents.
  • Reporting its findings to management and to applicable authorities, as appropriate.
  • Reprioritizing other work responsibilities to permit a timely response to information security incidents on notification.
• IRT Roster
  The IRT consists of a core team, led by the information security coordinator, with representatives from key Responsive groups and stakeholders. The current IRT roster includes the following individuals:
  Managing Partner, Jaclyn Hawtin, jaclyn at digitaldames.io.
  • Sub-Teams and Additional Resources
    The information security coordinator assigns and coordinates the IRT for any specific information security incident according to incident characteristics and Responsive needs. The information security coordinator may:
    • Identify and maintain IRT sub-teams to address specific information security incidents, or categories of information security incidents.
    • Call on external individuals, including vendor, service provider, or other resources, to participate on specific-event IRTs, as necessary.

Responsive shall develop, maintain, and follow incident response procedures as defined in this Section 6 to respond to and document identified information security incidents.
Responsive recognizes that following initial escalation, the information security incident response process is often iterative, and the steps defined in Sections 6.3, Investigation and Analysis; 6.4, Containment, Remediation, and Recovery; 6.5, Evidence Preservation; and 6.6, Communications and Notification may overlap or the IRT may revisit prior steps to respond appropriately to a specific information security incident.
Responsive may, from time to time, approve and make available more specific procedures for certain types of information security incidents. Those additional procedures and checklists are extensions to this IRP. You may find approved information security policies and other resources at WISP.

• Detection and Discovery
  Responsive shall develop, implement, and maintain procedures to detect, discover, and assess potential information security incidents through automated means and individual reports.
  • Automated Detection
    Responsive shall develop, implement, and maintain automated detection means and other technical safeguards, as described in Responsive’ WISP available at WISP.
  • Reports from Employees or Other Internal Sources
    Employees, or others authorized to access Responsive’ IT systems, network, or data, shall immediately report any actual or suspected information security incident to Jaclyn Hawtin. Individuals should report any information security incident they discover or suspect immediately and must not engage in their own investigation or other activities unless authorized.
  • Reports from External Sources
    External sources who claim to have information regarding an actual or alleged information security incident should be directed to Jaclyn Hawtin. Employees who receive emails or other communications from external sources regarding information security incidents that may affect Responsive or others, security vulnerabilities, or related issues shall immediately report those communications to Jaclyn Hawtin and shall not interact with the source unless authorized.
  • Assessing Potential Incidents
    Responsive shall assign resources and adopt procedures to timely assess automated detection results, screen internal and external reports, and identify actual information security events. Responsive shall document each identified information security incident.
• Escalation
  Following identification of an information security incident, the information security coordinator, or a designate, shall perform an initial risk-based assessment and determine the level of response required based on the incident’s characteristics, including affected systems and data, and potential risks and impact to Responsive and its clients, employees, or others.
  Based on the initial assessment, the information security coordinator, or a designate, shall:
  • IRT Activation
    Notify and activate the IRT, or a sub-team, including any necessary external resources (see Section 5.4, IRT Roster).
  • IRT Expectations
    Set expectations for IRT member replay and engagement.
  • Initial Notifications
    Notify (if necessary) organizational leadership and any applicable business partners or service providers, Responsive’ cyber insurance carrier, and law enforcement or other authorities (see Section 6.6, Communications and Notifications).
• Investigation and Analysis
  On activation, the IRT shall collaborate to investigate each identified information security incident, analyze its affects, and formulate an appropriate response plan to contain, remediate, and recover from the incident.
  The IRT shall document its investigation and analysis for each identified information security incident.
• Containment, Remediation, and Recovery
  Next, the IRT shall direct execution of the response plan it formulates according to its incident investigation and analysis to contain, remediate, and recover from each identified information security incident, using appropriate internal and external resources (see Section 6.3, Investigation and Analysis).
  The IRT shall document its response plans and the activities completed for each identified information security incident.
• Evidence Preservation
  The IRT shall direct appropriate internal or external resources to capture and preserve evidence related to each identified information security incident during investigation, analysis, and response activities (see Sections 6.3, Investigation and Analysis and 6.4, Containment, Remediation, and Recovery). The IRT shall seek counsel’s advice, as needed, to establish appropriate evidence handling and preservation procedures and reasonably identify and protect evidence for specific information security incidents.
• Communications and Notifications
  For each identified information security incident, the IRT shall determine and direct appropriate internal and external communications and any required notifications. Only the IRT may authorize information security incident-related communications or notifications. The IRT shall seek counsel’s advice, as needed, to review communications and notifications targets, content, and protocols.
  • Internal Communications
    The IRT shall prepare and distribute any internal communications it deems appropriate to the characteristics and circumstances of each identified information security incident.
    • Organizational Leadership
      The IRT shall alert organizational leadership to the incident and explain its potential impact on Responsive, its [customers/clients], employees, and others as details become available.
    • General Awareness and Resources
      As appropriate, the IRT shall explain the incident to Responsive’ employees and other stakeholders and provide them with resources to appropriately direct questions from clients, media, or others.
  • External Communications
    The IRT shall prepare and distribute any external communications it deems appropriate to the characteristics and circumstances of each identified information security incident.
    • Public Statements
      If Responsive determines that external statements are necessary, the IRT shall provide consistent, reliable information to the media and public regarding the incident using Responsive’ website, press releases, or other means.
    • Law Enforcement
      The IRT shall report criminal activity or threats to applicable authorities, as Responsive deems appropriate.
  • Notifications
    While the IRT may choose to authorize discretionary communications, certain laws, regulations, and contractual commitments may require Responsive to notify various parties of some information security incidents. If applicable to a specific information security incident, as required, the IRT shall:
    • Authorities
      Notify applicable regulators, law enforcement, or other authorities.
    • Affected Individuals
      If an applicable breach of personal information occurs, prepare and distribute notifications to affected individuals.
    • Cyber Insurance Carrier
      Notify Responsive’ cyber insurance carrier according to the terms and conditions of its current policy, including filing a claim, if appropriate.
    • Others
      Notify clients or business partners according to current agreements.
• Post-Incident Review
  At a time reasonably within 10 days each identified information security incident, the information security coordinator, or a designate, shall reconvene the IRT, others who participated in response to the incident, and affected work group representatives, as appropriate, as a post-incident review team to assess the incident and Responsive’ response.
  • Review Considerations
    The post-incident review team shall consider Responsive’ effectiveness in detecting and responding to the incident and identify any gaps or opportunities for improvement. The post-incident review team shall also seek to identify one or more root causes for the incident and, according to risk, shall recommend appropriate actions to minimize the risks of recurrence.
  • Report
    The post-incident review team shall document its findings in a sufficiently detailed report.
  • Follow-Up Actions
    The information security coordinator shall monitor and coordinate completion of any follow-up actions identified by the post-incident review team, including communicating its recommendations to and seeking necessary authorization or support from Responsive leadership.

• Training
  The information security coordinator shall develop, maintain, and deliver training regarding this IRP that periodically:
  • Informs all employees, and others who have access to Responsive’ IT systems, network, or data, about the IRP and how to recognize and report potential information security incidents.
  • Educates IRT members on their duties and expectations for responding to information security incidents.
    The information security coordinator may choose to include training on this IRP in other information security training activities, as defined in Responsive’ WISP available at WISP.
• Testing
  The information security coordinator shall monitor and coordinate completion of any follow-up actions identified by the post-incident review team, including communicating its recommendations to and seeking necessary authorization or support from Responsive leadership.

• Revision History.
  • Original publication: 10/16/23.
  • NOTE SUBSEQUENT REVISIONS.