Incident Response Plan
Document 13 of the Board Governance Binder
Required per Data Governance & Cybersecurity Policy, Section VI, and referenced in Bylaws, Article XI, Section 6. This plan establishes the Corporation’s procedures for detecting, responding to, and recovering from data breaches and cybersecurity incidents affecting PROVENIQ Foundation systems and the Pet Command ecosystem platforms.
I. Scope
This plan covers all data and systems operated by the Corporation, including MAYDAY, ShelterOS, LifeLog, VetOS, Guardians, ACO-Mobile, SYSOP, the Foundation website, internal administrative systems, and any third-party services processing Corporation data.
II. Incident Classification
| SEVERITY | DEFINITION AND EXAMPLES |
|---|---|
| CRITICAL | Confirmed breach of restricted data (veterinary medical records, PII, user credentials, geolocation data from MAYDAY). Ransomware or destructive malware. Compromise of Ledger or Pet-Command-Bridge. Any incident requiring legal notification. |
| HIGH | Unauthorized access to confidential data (donor records, financial data, Board deliberations). Compromise of administrative accounts. Sustained denial of service. |
| MEDIUM | Unauthorized access attempt detected and blocked. Malware contained before exfiltration. Accidental exposure of internal data with limited scope. |
| LOW | Policy violation with no data exposure. Phishing attempt reported and contained. Minor configuration error corrected. |
III. Incident Response Team
| ROLE | RESPONSIBILITY |
|---|---|
| Incident Commander (CEO) | Leads response. Makes final decisions on containment, notification, and escalation. |
| Technical Lead | Leads detection, containment, eradication, and recovery. Preserves forensic evidence. |
| Board Chair | Receives notification within 24 hours of confirmed material breach. Convenes emergency Board session if warranted. |
| Legal Counsel | Advises on notification obligations under WV Code §46A-2A-101. Reviews external communications. |
| Treasurer / Finance Lead | Assesses financial impact. Coordinates with cyber insurance carrier. |
IV. Response Phases
Phase 1: Detection and Identification
Incidents may be detected through automated monitoring, user/staff reports, third-party notifications, law enforcement, or routine security assessments. The individual who identifies the incident shall immediately notify the CEO. The CEO shall classify severity and determine whether to activate the full response team.
Phase 2: Containment
Limit scope and impact while preserving evidence. Actions may include isolating affected systems, disabling compromised accounts, blocking malicious traffic, taking affected platforms offline if necessary, and activating backup systems. All actions are documented with timestamps.
Phase 3: Eradication
Identify and remove root cause: remove malware, patch vulnerabilities, reset compromised credentials, harden configurations. Verify eradication before proceeding to recovery.
Phase 4: Recovery
Restore affected systems from verified clean backups. Return platforms to production with enhanced monitoring. Verify data integrity consistent with Canon’s append-only truth doctrine. Conduct a post-recovery verification period.
Phase 5: Notification
| NOTIFICATION | TIMELINE |
|---|---|
| Board of Directors | Board Chair within 24 hours. Full Board within 48 hours. |
| Affected Individuals | Per WV Code §46A-2A-101. Without unreasonable delay. |
| WV Attorney General | If breach affects 250+ WV residents. |
| Law Enforcement | If criminal activity suspected. Coordinate with legal counsel. |
| Third-Party Partners | Within 48 hours if partner data affected. |
| Cyber Insurance Carrier | Per policy terms, typically 24–72 hours. |
| Platform Users | Through affected platforms and email within 72 hours of confirmation. |
Phase 6: Post-Incident Review
Within 30 days of resolution: document the timeline and attack vector, assess response effectiveness, identify security gaps, recommend improvements, and update this plan. Present to the Board or Finance/Risk Committee. Retain records for 7 years.
V. Pet Command Canon Compliance
- Append-only truth: Response must not destroy historical data in Ledger. Corrections recorded as AMENDMENT, CORRECTION, or VOID events.
- Dual-time doctrine: All response actions preserve occurredAt / ingestedAt timestamps.
- Trace lineage: All actions carry correlationId and causationId.
- Bridge routing: No response action may bypass Pet-Command-Bridge for canonical reads or writes.
- Transport is not truth: If external providers are compromised, Ledger records remain authoritative.
VI. Annual Review and Testing
Reviewed annually by CEO and Finance, Audit & Risk Committee. At least one tabletop exercise per year simulating a data breach scenario.