Incident Response Plan Template for Houston Businesses: Build Yours in One Day

April 12, 2026
01

Introduction

When a cyberattack hits your Houston business at 2 AM on a Saturday, you will not have time to figure out what to do. The decisions you make in the first 60 minutes — who to call, what to shut down, who communicates to clients, whether to pay a ransom, when to notify regulators — determine whether the incident costs you $50,000 or $5,000,000.

An incident response plan (IRP) is the document that answers these questions before the crisis starts. This template gives you a framework you can customize for your organization in a single day. It's not theoretical — it's built from the plans we've developed and tested with Houston businesses across healthcare, energy, manufacturing, legal, and financial services.


02

Section 1: Incident Response Team & Roles

Define who does what during an incident. Every role needs a primary and a backup contact.

| Role | Responsibility | Primary | Backup |
|---|---|---|---|
| Incident Commander | Overall decision authority. Authorizes containment, coordinates teams, approves communications. | [Name, Cell] | [Name, Cell] |
| Technical Lead | Leads investigation and containment. Directs IT/MSP actions. | [Name, Cell] | [Name, Cell] |
| Communications Lead | Manages internal and external communications. Drafts client notifications. | [Name, Cell] | [Name, Cell] |
| Legal Counsel | Advises on regulatory notification, evidence preservation, liability. | [Firm, Phone] | [Alt Contact] |
| MSP/IR Firm Contact | External technical support. 24/7 emergency line. | [MSP Emergency #] | [IR Firm #] |
| Insurance Carrier | Cyber insurance claims line. Required for ransom pre-authorization. | [Carrier Claims #] | [Broker Cell] |

Critical: Print this contact list and store a physical copy in a secure location (office safe, incident commander's home). During a ransomware attack, your email, Teams, and shared drives may be inaccessible — digital-only contact lists are useless when you need them most.

03

Section 2: Incident Classification

Not every alert is a full incident. Define severity levels so your team responds proportionally:

| Severity | Definition | Response | Examples |
|---|---|---|---|
| SEV 1 — Critical | Active attack, data exfiltration confirmed, ransomware deployed, or safety risk | Full IRP activation. All hands. Incident Commander notified immediately. | Ransomware encryption in progress, confirmed data breach, BEC wire transfer executed |
| SEV 2 — High | Confirmed compromise but limited scope, or threat indicator requiring urgent investigation | Technical Lead + MSP engaged. Incident Commander notified within 1 hour. | Single compromised account, malware on one endpoint (contained), suspicious admin activity |
| SEV 3 — Medium | Suspicious activity requiring investigation but no confirmed compromise | Technical Lead investigates. Escalate to SEV 2 if confirmed. | Phishing email reported, unusual login location, failed MFA attempts |

04

Section 3: Containment Procedures

Ransomware Containment (SEV 1)

  1. Isolate affected systems immediately — disconnect from network (pull Ethernet, disable WiFi). Do NOT power off (preserves volatile memory for forensics).
  2. Disable compromised accounts in Active Directory and Entra ID. Revoke all sessions.
  3. Block lateral movement — isolate affected network segments at the switch/firewall level.
  4. Preserve evidence — do not reimage or wipe until forensic imaging is complete.
  5. Contact MSP/IR firm using the emergency number. Do not attempt DIY forensics.
  6. Contact cyber insurance carrier — most policies require notification within 24-72 hours and pre-authorization before ransom payment.

BEC/Wire Fraud Containment (SEV 1)

  1. Contact your bank immediately — request wire recall. First 24 hours are critical.
  2. File IC3 complaint at ic3.gov — FBI's Recovery Asset Team has recovered hundreds of millions.
  3. Reset compromised email account — password, MFA, and revoke all sessions.
  4. Check inbox rules — remove any forwarding rules, delete rules, or folder-move rules the attacker created.
  5. Notify affected parties — clients or vendors whose data may have been exposed through the compromised inbox.
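
The account-containment steps above (ransomware step 2: disable the account in AD and Entra ID and revoke sessions; BEC steps 3 and 4: reset the account and remove attacker-created inbox and forwarding rules) as one PowerShell script. This is an added example, not from the original article or LayerLogix; it assumes the ActiveDirectory, ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator has already run Connect-ExchangeOnline and Connect-MgGraph, and the user name and CSV path are placeholders.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory,
# ExchangeOnlineManagement and Microsoft.Graph modules are installed and that
# Connect-ExchangeOnline and Connect-MgGraph -Scopes "User.ReadWrite.All" have
# already been run by the operator. All parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName,            # e.g. 'controller@example.com' (placeholder)
    [string]$SamAccountName = ($UserPrincipalName -split '@')[0],  # on-prem logon name; pass explicitly if it differs
    [string]$EvidenceCsv = ".\inbox-rules-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)

# 1. On-premises Active Directory: disable the account (ransomware step 2 / BEC step 3).
$adUser = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
if ($adUser) {
    Disable-ADAccount -Identity $adUser
    Write-Host "AD: disabled $SamAccountName"
}

# 2. Entra ID: block sign-in and revoke refresh tokens so existing sessions die.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
$null = Revoke-MgUserSignInSession -UserId $UserPrincipalName
Write-Host "Entra ID: sign-in blocked and sessions revoked for $UserPrincipalName"

# 3. Mailbox-level forwarding the attacker may have set (BEC step 4): record it, then clear it.
$mbx = Get-Mailbox -Identity $UserPrincipalName
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "Mailbox forwarding found: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null `
        -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# 4. Inbox rules that forward, redirect, delete or move mail out of sight (BEC step 4).
#    Export every rule first so the IR firm has the original definitions as evidence,
#    then disable (do not delete) the suspicious ones.
$allRules = Get-InboxRule -Mailbox $UserPrincipalName
$allRules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
    DeleteMessage, MoveToFolder, Description | Export-Csv -Path $EvidenceCsv -NoTypeInformation

$suspicious = $allRules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder
}
foreach ($rule in $suspicious) {
    Disable-InboxRule -Identity $rule.Identity -Mailbox $UserPrincipalName -Confirm:$false
    Write-Host "Disabled inbox rule '$($rule.Name)' (forward/redirect/delete/move action)"
}
Write-Host "$($suspicious.Count) suspicious rule(s) disabled; evidence saved to $EvidenceCsv"
```

The password and MFA reset from BEC step 3 are done separately by the administrator; the script only removes the attacker's persistence and preserves the rule definitions for the investigation.
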
05

Section 4: Communication Templates

Internal Communication (All-Staff)

"We are investigating a security incident affecting [specific systems]. [Specific instructions — do not open email / do not log in / work from personal devices]. Updates will be provided every [2 hours / end of day]. Direct questions to [Communications Lead name and phone]."

Client Communication

"We are aware of a security incident affecting our systems. We have engaged cybersecurity experts and are working to resolve the situation. Your data [is / may be] affected. We will provide a detailed update within [24/48 hours] with specific information about any impact to your account."

06

Section 5: Regulatory Notification Timelines

| Regulation | Notification Deadline | Who to Notify |
|---|---|---|
| HIPAA | 60 days from discovery | HHS, affected individuals, media (if 500+ individuals) |
| PCI-DSS | 24 hours (card brands), varies (individuals) | Card brands (Visa, MC), acquiring bank |
| Texas Data Breach Law | Without unreasonable delay (60 days) | Affected TX residents, TX Attorney General (if 250+) |
| SEC (public companies) | 4 business days (material incidents) | SEC via Form 8-K |
| ITAR | Immediately upon discovery | DDTC (State Department) |

07

Section 6: Post-Incident Review

Within 2 weeks of incident closure, conduct a post-incident review:

  • What happened? (root cause, attack vector, timeline)
  • What worked in our response? (keep doing)
  • What didn't work? (fix before next incident)
  • What controls would have prevented this?
  • Update the IRP based on lessons learned
  • Schedule remediation for identified gaps

08

Test Your Plan Before You Need It

A plan that hasn't been tested will fail under pressure. Run a tabletop exercise quarterly — gather your IR team, present a scenario ("It's 7 AM Monday and your controller just reported a $180,000 wire transfer to an unknown account"), and walk through every decision. You'll find gaps in the plan every time.

Need help building or testing your IR plan? LayerLogix develops incident response plans for Houston businesses and conducts tabletop exercises against realistic scenarios. Call 713-571-2390.
