NIST 800-53 Incident Response Policy (IR)
Document ID: PLCY-NIST-IR-001
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team
CONFIDENTIAL
This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.
1. Purpose
This document defines Hop And Haul's implementation of the NIST 800-53 Incident Response (IR) family for FedRAMP Moderate authorization. It establishes procedures for detecting, responding to, and recovering from security incidents while meeting federal reporting requirements.
2. Scope
This policy applies to:
- All security incidents affecting Hop And Haul systems
- All safety incidents involving platform users
- All data breaches or suspected breaches
- All denial-of-service or availability incidents
- All compliance violations
3. Incident Response Policy and Procedures (IR-1)
3.1 Policy Statement
Hop And Haul maintains incident response capabilities that:
- Enable rapid detection and response to security incidents
- Minimize impact through effective containment
- Preserve evidence for investigation and legal proceedings
- Meet federal reporting requirements (US-CERT, FedRAMP PMO)
- Support continuous improvement through lessons learned
3.2 Responsibilities
| Role | Responsibilities |
|---|---|
| Security Team | Lead incident response, coordinate activities |
| Safety Operations | Lead physical safety incidents, coordinate with authorities |
| Development Team | Technical containment and remediation |
| Legal/Compliance | Notification requirements, legal coordination |
| Executive Team | Crisis management, external communications |
3.3 Incident Response Team (IRT)
| Position | Primary | Backup | Contact Method |
|---|---|---|---|
| IR Lead | Security Manager | Senior Security Analyst | PagerDuty |
| Technical Lead | Senior Developer | DevOps Lead | PagerDuty |
| Safety Lead | Safety Operations Manager | Fleet Safety Specialist | PagerDuty |
| Legal Contact | General Counsel | Outside Counsel | Phone |
| Communications | CEO | VP Operations | Phone |
4. Incident Response Training (IR-2)
4.1 Training Requirements
| Role | Training Type | Frequency |
|---|---|---|
| All staff | Security awareness | Annual |
| Security team | IR procedures, forensics | Semi-annual |
| Safety operations | Safety incident handling | Quarterly |
| Developers | Secure coding, incident support | Annual |
| Executives | Crisis management | Annual |
4.2 Training Topics
| Topic | Audience | Method |
|---|---|---|
| Incident identification | All staff | Online course |
| Escalation procedures | All staff | Documentation review |
| Evidence preservation | Security, DevOps | Hands-on workshop |
| Federal reporting | Security, Legal | Instructor-led |
| Media handling | Executives | Tabletop exercise |
5. Incident Response Testing (IR-3)
5.1 Testing Schedule
| Test Type | Frequency | Scope |
|---|---|---|
| Tabletop exercises | Quarterly | Full IRT |
| Technical drills | Monthly | Security team |
| Full simulation | Annual | Organization-wide |
| Recovery testing | Semi-annual | DR/BC integration |
5.2 Exercise Scenarios
| Scenario | Type | Objectives |
|---|---|---|
| Data breach | Tabletop | Notification procedures, containment |
| Ransomware | Technical drill | Isolation, recovery |
| Safety incident (kidnapping) | Tabletop | Law enforcement coordination |
| API compromise | Technical drill | Key rotation, access revocation |
| Insider threat | Tabletop | Investigation, evidence preservation |
| DDoS attack | Technical drill | Mitigation, failover |
5.3 Post-Exercise Activities
- Document lessons learned within 5 business days
- Update procedures based on findings within 30 days
- Track corrective actions to completion
- Brief leadership on exercise results
6. Incident Handling (IR-4)
6.1 Incident Categories
| Category | Description | Severity | Response SLA |
|---|---|---|---|
| Safety Critical | Physical harm risk, SOS, kidnapping | Critical | Immediate |
| Data Breach | PII exposure, unauthorized access | Critical | 1 hour |
| System Compromise | Malware, unauthorized access | High | 2 hours |
| Availability | Service outage, DDoS | High | 15 minutes |
| Policy Violation | Compliance breach, misuse | Medium | 4 hours |
| Suspicious Activity | Anomaly, potential threat | Low | 24 hours |
6.2 Incident Response Phases
Phase 1: Detection and Analysis
| Activity | Responsible | Deliverable |
|---|---|---|
| Alert triage | Security analyst | Initial assessment |
| Severity determination | IR Lead | Severity classification |
| Scope assessment | Technical team | Affected systems list |
| Evidence collection | Security team | Forensic snapshot |
Phase 2: Containment
| Activity | Responsible | Timeline |
|---|---|---|
| Short-term containment | Technical team | Within response SLA |
| Evidence preservation | Security team | Before any changes |
| System isolation | Operations | As needed |
| Account suspension | Security team | As needed |
Containment Strategies by Incident Type:
| Incident Type | Primary Containment | Secondary Containment |
|---|---|---|
| Data breach | Revoke compromised access | Isolate affected systems |
| Malware | Network isolation | Endpoint quarantine |
| Account compromise | Disable account | Force session termination |
| API key leak | Rotate key | Block suspicious IPs |
| DDoS | Enable mitigation | Failover to backup |
Phase 3: Eradication and Recovery
| Activity | Responsible | Verification |
|---|---|---|
| Root cause analysis | Security team | Documented findings |
| Threat removal | Technical team | Scan verification |
| System hardening | Operations | Configuration review |
| Service restoration | Operations | Functional testing |
| Monitoring enhancement | Security team | Alert verification |
Phase 4: Post-Incident Activity
| Activity | Timeline | Owner |
|---|---|---|
| Incident documentation | 24 hours | IR Lead |
| Lessons learned meeting | 5 business days | IR Lead |
| Procedure updates | 30 days | Security team |
| External reporting | Per requirements | Legal/Compliance |
6.3 Automated Incident Handling (IR-4(1))
| Automation | Trigger | Action |
|---|---|---|
| Account lockout | 5 failed logins | Automatic 15-min lock |
| Session termination | Security alert | Kill all user sessions |
| IP blocking | Attack pattern | Automatic block (WAF) |
| Key rotation | Anomaly detection | Scheduled rotation |
| Alert escalation | SLA breach | PagerDuty escalation |
7. Incident Monitoring (IR-5)
7.1 Monitoring Sources
| Source | Events Monitored | Alert Threshold |
|---|---|---|
| SIEM | Security events, correlations | Rule-based |
| WAF | Attack patterns, anomalies | Signature match |
| Application logs | Business logic violations | Custom rules |
| Infrastructure | Resource anomalies | Baseline deviation |
| User reports | Suspicious activity | All reports reviewed |
7.2 Incident Tracking
| Metric | Target | Review Frequency |
|---|---|---|
| Mean time to detect (MTTD) | <15 minutes | Monthly |
| Mean time to respond (MTTR) | Per SLA | Monthly |
| Incidents by category | Trend analysis | Monthly |
| False positive rate | <10% | Quarterly |
8. Incident Reporting (IR-6)
8.1 Internal Reporting
| Severity | Notify | Timeline |
|---|---|---|
| Critical | Executive team, Legal | Immediate |
| High | Security Manager, affected stakeholders | 1 hour |
| Medium | Security team lead | 4 hours |
| Low | Security team (ticket) | 24 hours |
8.2 External Reporting Requirements
Federal Reporting (FedRAMP)
| Incident Type | Report To | Timeline | Method |
|---|---|---|---|
| Data breach (PII) | US-CERT, FedRAMP PMO | 1 hour | US-CERT portal |
| System compromise | US-CERT, FedRAMP PMO | 1 hour | US-CERT portal |
| Significant change | FedRAMP PMO | 30 days | Significant change form |
| Monthly summary | FedRAMP PMO | Monthly | ConMon report |
Regulatory Reporting
| Regulation | Trigger | Timeline | Report To |
|---|---|---|---|
| State breach laws | PII breach | 72 hours (internal target; statutory deadlines vary by state) | State AG |
| FMCSA | Safety incident | Per regulation | DOT |
| Law enforcement | Criminal activity | Immediate | Local/Federal LE |
8.3 Automated Reporting (IR-6(1))
| Report | Trigger | Recipient | Method |
|---|---|---|---|
| Incident summary | Incident closed | Stakeholders | |
| Daily security brief | Scheduled | Security team | Dashboard |
| Weekly summary | Scheduled | Management | |
| ConMon data | Monthly | FedRAMP PMO | Portal upload |
9. Incident Response Assistance (IR-7)
9.1 Internal Resources
| Resource | Availability | Contact |
|---|---|---|
| Security team | 24/7 on-call | PagerDuty |
| DevOps team | 24/7 on-call | PagerDuty |
| Legal counsel | Business hours + emergency | Phone |
9.2 External Resources
| Resource | Purpose | Contact Method |
|---|---|---|
| AWS Support | Infrastructure incidents | AWS Support Portal |
| Cloudflare | WAF/DDoS incidents | Cloudflare Dashboard |
| Forensics firm | Major investigations | Pre-established contract |
| Law enforcement | Criminal matters | Local FBI field office |
| US-CERT | Federal incidents | us-cert.cisa.gov |
10. Incident Response Plan (IR-8)
10.1 Plan Components
| Component | Description | Location |
|---|---|---|
| Contact list | IRT members, stakeholders | Secure wiki |
| Escalation matrix | Decision tree for escalation | This document |
| Playbooks | Step-by-step procedures | Runbook repository |
| Communication templates | Pre-approved messages | Secure wiki |
| Legal requirements | Notification obligations | Legal repository |
10.2 Plan Maintenance
| Activity | Frequency | Owner |
|---|---|---|
| Contact list update | Monthly | Security team |
| Playbook review | Quarterly | Security team |
| Full plan review | Annual | Security Manager |
| Post-incident updates | After each incident | IR Lead |
11. Hop And Haul Safety Incident Response
11.1 Safety-Specific Procedures
| Incident | Initial Response | Escalation |
|---|---|---|
| SOS trigger | Safety ops immediate review | Local 911 if no response |
| Route deviation | Automated check-in prompt | Safety ops contact |
| Driver mismatch | Block ride, alert safety ops | Law enforcement if needed |
| Duress code | Silent alert to safety ops | Law enforcement dispatch |
11.2 Safety Incident Timeline
| Time | Action |
|---|---|
| 0:00 | SOS/alert received |
| 0:02 | Safety ops attempts contact |
| 0:05 | If no response, escalate to supervisor |
| 0:10 | If no response, contact emergency contacts |
| 0:15 | If no response, notify law enforcement |
11.3 Evidence Preservation (Safety)
| Evidence | Retention | Storage |
|---|---|---|
| GPS trail (from 5 min before the alert) | 7 years | Immutable S3 |
| Communication logs | 7 years | Immutable S3 |
| Device state snapshot | 7 years | Immutable S3 |
| Witness statements | 7 years | Legal repository |
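The "Immutable S3" storage in the table above means, concretely, S3 Object Lock in compliance mode with a default retention equal to the 7-year retention period, so that no principal (including the account root) can delete or overwrite an evidence version before it expires. The Terraform below is an added example, not Hop And Haul's own infrastructure code; the bucket name, the KMS key alias, and the resource names are assumptions.

```hcl
# Added example: WORM evidence bucket using S3 Object Lock in COMPLIANCE mode.
# Bucket name, KMS alias and resource names are assumptions, not Hop And Haul's.

data "aws_kms_key" "evidence" {
  key_id = "alias/safety-evidence" # assumed: a CMK dedicated to evidence storage
}

resource "aws_s3_bucket" "safety_evidence" {
  bucket              = "hopandhaul-safety-evidence" # assumed name
  object_lock_enabled = true                         # can only be set at creation
}

# Object Lock requires versioning; an "overwrite" just adds a new locked version.
resource "aws_s3_bucket_versioning" "safety_evidence" {
  bucket = aws_s3_bucket.safety_evidence.id
  versioning_configuration {
    status = "Enabled"
  }
}

# COMPLIANCE mode: nobody can delete a version or shorten its retention until it
# expires. GOVERNANCE mode would let any principal holding
# s3:BypassGovernanceRetention remove evidence, which defeats the purpose here.
resource "aws_s3_bucket_object_lock_configuration" "safety_evidence" {
  bucket = aws_s3_bucket.safety_evidence.id
  rule {
    default_retention {
      mode  = "COMPLIANCE"
      years = 7 # matches the 7-year retention in section 11.3
    }
  }
  depends_on = [aws_s3_bucket_versioning.safety_evidence]
}

resource "aws_s3_bucket_server_side_encryption_configuration" "safety_evidence" {
  bucket = aws_s3_bucket.safety_evidence.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = data.aws_kms_key.evidence.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "safety_evidence" {
  bucket                  = aws_s3_bucket.safety_evidence.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: refuse plaintext transport, and refuse uploads that try to
# weaken the lock on the way in (governance mode, or an explicit retention
# shorter than 7 years). Requests that set no explicit retention are not
# matched by these conditions and simply receive the bucket default.
resource "aws_s3_bucket_policy" "safety_evidence" {
  bucket = aws_s3_bucket.safety_evidence.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.safety_evidence.arn,
          "${aws_s3_bucket.safety_evidence.arn}/*",
        ]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Sid       = "DenyGovernanceModeUploads"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.safety_evidence.arn}/*"
        Condition = { StringEquals = { "s3:object-lock-mode" = "GOVERNANCE" } }
      },
      {
        Sid       = "DenyShortenedRetentionUploads"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.safety_evidence.arn}/*"
        Condition = {
          NumericLessThan = { "s3:object-lock-remaining-retention-days" = "2555" }
        }
      },
    ]
  })
}
```

Two caveats matter in practice. The default retention applies only to object versions written after the configuration exists, so the bucket must be created this way rather than retrofitted, and an evidence item still under investigation when its 7 years run out needs a legal hold (`aws s3api put-object-legal-hold`), which has no expiry date and is released explicitly. Immutability also does not prove integrity by itself: record the SHA-256 of each artifact in the incident record at collection time and compare on retrieval, and confirm the lock with `aws s3api get-object-lock-configuration --bucket <name>` as part of the semi-annual recovery test in section 5.1.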
12. POA&M Process for Security Incidents
12.1 Finding Documentation
| Field | Description |
|---|---|
| Finding ID | Unique identifier |
| Discovery date | When finding was identified |
| Source | Incident, assessment, audit |
| Description | Detailed finding description |
| Risk rating | Critical, High, Medium, Low |
| Remediation plan | Steps to address finding |
| Target date | Planned remediation completion |
| Status | Open, In Progress, Closed |
12.2 Remediation Tracking
| Risk Level | Remediation Timeline | Review Frequency |
|---|---|---|
| Critical | 30 days | Weekly |
| High | 90 days | Bi-weekly |
| Medium | 180 days | Monthly |
| Low | 365 days | Quarterly |
13. Related Documents
| Document | Relationship |
|---|---|
| PLCY-INC-001 | Incident response procedures |
| PLCY-RSK-001 | Risk assessment and tabletop exercises |
| PLCY-DRP-001 | Recovery procedures |
| PLCY-FED-003 | Federal risk register |
| PLCY-FED-005 | NIST control mapping |
14. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | December 30, 2025 | Hop And Haul Team | Initial release |