Incident Response Plan Template for Houston Businesses: Build Yours in One Day
░
█
░ ▄ ■
▄▀■
■
01
░
█
░ ▄ ■
▄▀■
■
01
Introduction
When a cyberattack hits your Houston business at 2 AM on a Saturday, you will not have time to figure out what to do. The decisions you make in the first 60 minutes — who to call, what to shut down, who communicates to clients, whether to pay a ransom, when to notify regulators — determine whether the incident costs you $50,000 or $5,000,000.
An incident response plan (IRP) is the document that answers these questions before the crisis starts. This template gives you a framework you can customize for your organization in a single day. It's not theoretical — it's built from the plans we've developed and tested with Houston businesses across healthcare, energy, manufacturing, legal, and financial services.
02
█
▄
█ ▀ □
▀■□
□
02
Section 1: Incident Response Team & Roles
Define who does what during an incident. Every role needs a primary and a backup contact.
| Role | Responsibility | Primary | Backup |
|---|---|---|---|
| Incident Commander | Overall decision authority. Authorizes containment, coordinates teams, approves communications. | [Name, Cell] | [Name, Cell] |
| Technical Lead | Leads investigation and containment. Directs IT/MSP actions. | [Name, Cell] | [Name, Cell] |
| Communications Lead | Manages internal and external communications. Drafts client notifications. | [Name, Cell] | [Name, Cell] |
| Legal Counsel | Advises on regulatory notification, evidence preservation, liability. | [Firm, Phone] | [Alt Contact] |
| MSP/IR Firm Contact | External technical support. 24/7 emergency line. | [MSP Emergency #] | [IR Firm #] |
| Insurance Carrier | Cyber insurance claims line. Required for ransom pre-authorization. | [Carrier Claims #] | [Broker Cell] |
Critical: Print this contact list and store a physical copy in a secure location (office safe, incident commander's home). During a ransomware attack, your email, Teams, and shared drives may be inaccessible — digital-only contact lists are useless when you need them most.
03
▄
▀
▄ ■ ▪
■□▪
▪
03
Section 2: Incident Classification
Not every alert is a full incident. Define severity levels so your team responds proportionally:
| Severity | Definition | Response | Examples |
|---|---|---|---|
| SEV 1 — Critical | Active attack, data exfiltration confirmed, ransomware deployed, or safety risk | Full IRP activation. All hands. Incident Commander notified immediately. | Ransomware encryption in progress, confirmed data breach, BEC wire transfer executed |
| SEV 2 — High | Confirmed compromise but limited scope, or threat indicator requiring urgent investigation | Technical Lead + MSP engaged. Incident Commander notified within 1 hour. | Single compromised account, malware on one endpoint (contained), suspicious admin activity |
| SEV 3 — Medium | Suspicious activity requiring investigation but no confirmed compromise | Technical Lead investigates. Escalate to SEV 2 if confirmed. | Phishing email reported, unusual login location, failed MFA attempts |
04
▀
■
▀ □ ▫
□▪▫
▫
04
Section 3: Containment Procedures
Ransomware Containment (SEV 1)
- Isolate affected systems immediately — disconnect from network (pull Ethernet, disable WiFi). Do NOT power off (preserves volatile memory for forensics).
- Disable compromised accounts in Active Directory and Entra ID. Revoke all sessions.
- Block lateral movement — isolate affected network segments at the switch/firewall level.
- Preserve evidence — do not reimage or wipe until forensic imaging is complete.
- Contact MSP/IR firm using the emergency number. Do not attempt DIY forensics.
- Contact cyber insurance carrier — most policies require notification within 24-72 hours and pre-authorization before ransom payment.
BEC/Wire Fraud Containment (SEV 1)
- Contact your bank immediately — request wire recall. First 24 hours are critical.
- File IC3 complaint at ic3.gov — FBI's Recovery Asset Team has recovered hundreds of millions.
- Reset compromised email account — password, MFA, and revoke all sessions.
- Check inbox rules — remove any forwarding rules, delete rules, or folder-move rules the attacker created.
- Notify affected parties — clients or vendors whose data may have been exposed through the compromised inbox.
05
■
□
■ ▪ ◆
▪▫◆
◆
05
Section 4: Communication Templates
Internal Communication (All-Staff)
"We are investigating a security incident affecting [specific systems]. [Specific instructions — do not open email / do not log in / work from personal devices]. Updates will be provided every [2 hours / end of day]. Direct questions to [Communications Lead name and phone]."
Client Communication
"We are aware of a security incident affecting our systems. We have engaged cybersecurity experts and are working to resolve the situation. Your data [is / may be] affected. We will provide a detailed update within [24/48 hours] with specific information about any impact to your account."
06
□
▪
□ ▫ ◇
▫◆◇
◇
06
Section 5: Regulatory Notification Timelines
| Regulation | Notification Deadline | Who to Notify |
|---|---|---|
| HIPAA | 60 days from discovery | HHS, affected individuals, media (if 500+ individuals) |
| PCI-DSS | 24 hours (card brands), varies (individuals) | Card brands (Visa, MC), acquiring bank |
| Texas Data Breach Law | Without unreasonable delay (60 days) | Affected TX residents, TX Attorney General (if 250+) |
| SEC (public companies) | 4 business days (material incidents) | SEC via Form 8-K |
| ITAR | Immediately upon discovery | DDTC (State Department) |
07
▪
▫
▪ ◆ ●
◆◇●
●
07
Section 6: Post-Incident Review
Within 2 weeks of incident closure, conduct a post-incident review:
- What happened? (root cause, attack vector, timeline)
- What worked in our response? (keep doing)
- What didn't work? (fix before next incident)
- What controls would have prevented this?
- Update the IRP based on lessons learned
- Schedule remediation for identified gaps
08
◆
◇
◆ ● ▓
●○▓
▓
08
Test Your Plan Before You Need It
A plan that hasn't been tested will fail under pressure. Run a tabletop exercise quarterly — gather your IR team, present a scenario ("It's 7 AM Monday and your controller just reported a $180,000 wire transfer to an unknown account"), and walk through every decision. You'll find gaps in the plan every time.
Need help building or testing your IR plan? LayerLogix develops incident response plans for Houston businesses and conducts tabletop exercises against realistic scenarios. Call 713-571-2390.
Related: Incident Response Services | Threat Remediation | Business Continuity Plan Guide | Cyber Insurance Guide
Related Services
Need Help With Cybersecurity?
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Cybersecurity ServicesComprehensive cybersecurity protection for your business.
Ransomware ProtectionDefend against ransomware attacks with proactive security.
Security AssessmentsIdentify vulnerabilities before attackers do.
Zero Trust SecurityModern zero trust architecture for your organization.
Serving Houston, The Woodlands, and nationwideGet a Free Consultation
Keep Reading
Related Articles
Need Expert IT Support?
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.