A lightweight structure for organizations that need to know who does what, how to contain common incidents, and what to communicate when something goes wrong.
Keep a copy somewhere you can reach when email or internal systems are unavailable. The goal is not a perfect plan; it is a short plan your team can actually follow under stress.

| Role | Name | Phone / backup contact | Authority |
|---|---|---|---|
| Primary responder | Name... | Phone... | Coordinates first technical response. |
| Decision maker | Name... | Phone... | Can disable accounts, take systems offline, notify stakeholders. |
| Communications owner | Name... | Phone... | Drafts staff, funder, customer, or public communications. |
| External support | Provider... | After-hours contact... | IT, security, legal, insurance, hosting, or platform support. |

| Scenario | Immediate action | Check next | Communication trigger |
|---|---|---|---|
| Compromised account | Reset password, revoke sessions, verify MFA. | Forwarding rules, connected apps, recent file/email activity. | If sensitive data, donors, sources, clients, or funders may be affected. |
| Compromised device | Disconnect from network, do not wipe immediately. | Accounts used on device, files stored locally, backups. | If device contained regulated, legal, source, or beneficiary data. |
| Ransomware or malware | Isolate affected systems and preserve evidence. | Backup integrity, shared drives, admin accounts, lateral movement. | If services, records, or personal data are unavailable or exposed. |
| Data exposure | Remove exposure or restrict access. | What data, who accessed it, how long it was exposed. | If notification obligations or ethical obligations may apply. |

Secure Origin helps small teams turn this template into a tested incident response plan with roles, escalation, containment steps, and practical exercises.