Incident Response Plan
1. Purpose and Scope
This summary describes the incident response posture of JIL Sovereign Technologies, Inc. (the "Company") with respect to events that may compromise the confidentiality, integrity, or availability of the Company's information systems and any Personal Information or Protected Health Information processed thereon. The plan applies to all personnel, all production environments, and all subprocessors with access to customer data.
2. Definitions
- Event: any observable occurrence in a system or network.
- Security Event: an event that may have a security implication, requiring triage.
- Security Incident: a confirmed adverse Security Event.
- Breach: as defined at 45 C.F.R. § 164.402, an acquisition, access, use, or disclosure of Unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI, subject to the four-factor risk assessment in the same section.
3. Phases of the Plan
The plan follows the NIST SP 800-61 Rev. 2 incident handling lifecycle. NIST groups containment, eradication, and recovery into a single phase; the plan tracks them as separate steps, giving six:
- Preparation: continuous. Tooling, runbooks, training, tabletop exercises.
- Detection and Analysis: 24-hour detection objective for material security events; sources include AWS GuardDuty, AWS CloudTrail anomaly rules, application-level monitors, and human report.
- Containment: short-term containment within 60 minutes of confirmation; long-term containment as appropriate.
- Eradication: removal of the cause and verification of eradication.
- Recovery: restoration of normal operations with verification testing.
- Post-Incident Activity: lessons-learned review within 30 days; written post-mortem retained for the lifetime of the Company; risk register update.
4. Incident Severity Tiers
| Severity | Definition | Customer Notification |
|---|---|---|
| SEV-1 | Confirmed Breach of Unsecured PHI; or material outage of customer-facing services exceeding 60 minutes; or compromise of a privileged credential. | Within 60 minutes of confirmation; status updates every 4 hours until resolution. |
| SEV-2 | Suspected Breach pending investigation; or partial outage; or successful exploitation of a non-privileged credential. | Within 4 hours of confirmation if customer impact is reasonably anticipated. |
| SEV-3 | Localized degradation; or unsuccessful exploitation attempt; or detected anomaly under investigation. | Reported in monthly aggregate to customers requesting such reporting; immediate notice not required. |
| SEV-4 | Informational. No customer impact. | Internal record only. |
5. Roles
- Incident Commander: senior on-call engineer with authority to direct response; rotates weekly.
- Communications Lead: drafts and sends customer notifications, coordinates with the General Counsel's office.
- Forensics Lead: preserves evidence, drives root-cause analysis.
- Customer Liaison: single point of contact per affected customer; manages bilateral updates.
- General Counsel: assesses regulatory notification obligations; coordinates with outside breach counsel where retained.
- CISO: ultimate accountability; signs the post-incident report.
6. Customer Notification Content
Customer notifications include, to the extent known at the time of notice:
- identification of each Individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed;
- brief description of what happened, the date of the incident, and the date of discovery;
- description of the types of Unsecured PHI involved (without including the PHI itself);
- steps Individuals should take to protect themselves;
- brief description of investigation, mitigation, and prevention activities;
- contact procedures for Individuals to ask questions or learn more.
This content tracks the business associate notification requirements at 45 C.F.R. § 164.410(c), which incorporate the elements a covered entity must include in its notice to Individuals under § 164.404(c). The Company's targeted notification timeline (60 minutes from confirmation) is far shorter than the regulatory outer limit, which is "without unreasonable delay and in no case later than 60 calendar days after discovery" (§ 164.410(b)). Because the regulatory clock runs from discovery rather than confirmation, time spent at SEV-2 on a Suspected Breach pending investigation counts against those 60 days.
7. Evidence Preservation
Forensic evidence is preserved consistent with the Company's standard chain-of-custody practices summarized at /docs/legal/JIL_Chain_of_Custody_Attestation_Template.html. AWS CloudTrail log file integrity validation allows detection of any modification or deletion of delivered log files, and S3 Object Lock in Compliance mode prevents deletion or overwriting of locked log versions for the retention period, even by the account root user. Object Lock protects records already delivered; it does not itself prevent a trail from being stopped or redirected. Incident-related work product prepared at the direction of counsel is handled as attorney-client privileged material.
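The following is an added example, not part of the plan or of the Company's tooling, showing the check an assessor would run against the two controls named above. It evaluates the dictionaries returned by boto3's CloudTrail `get_trail()`, S3 `get_object_lock_configuration()` and `get_bucket_versioning()` calls, and goes one step beyond section 7 by scanning raw CloudTrail event records for the API calls that cut off log delivery, which Object Lock does not prevent. All sample inputs (trail, bucket configuration, events, account number, key ARN) are constructed so the script runs offline; the 365-day minimum retention is an assumption.

```python
"""Audit the evidence-preservation controls named in section 7.

Added example; not the Company's own tooling. Inputs mirror boto3 response
shapes so live API results can be dropped in, but the samples below are
constructed and the script runs offline.
"""

# Assumption: an investigation may run well past a year, so locked audit
# records should not expire before that.
MIN_RETENTION_DAYS = 365

# CloudTrail API calls that stop or redirect log delivery. Object Lock only
# protects files already written; these calls are how an intruder prevents
# new evidence from reaching the bucket at all.
LOG_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def check_trail(trail: dict) -> list[str]:
    """Findings for one trail description (get_trail()['Trail'] or describe_trails())."""
    findings = []
    if not trail.get("LogFileValidationEnabled"):
        findings.append(
            "trail: log file integrity validation is off; modification or deletion "
            "of delivered log files cannot be detected via digest files")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail: single-region; activity in other regions is unrecorded")
    if not trail.get("KmsKeyId"):
        findings.append("trail: log files are not encrypted with a customer-managed KMS key")
    return findings


def check_bucket(lock_cfg: dict, versioning: dict) -> list[str]:
    """Findings for the audit-log bucket's Object Lock and versioning state."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("bucket: versioning is not enabled (Object Lock requires it)")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: Object Lock is not enabled; log files can be deleted or overwritten")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed by any principal holding
        # s3:BypassGovernanceRetention; COMPLIANCE mode cannot be shortened at all.
        findings.append(
            f"bucket: default retention mode is {mode or 'unset'}; only COMPLIANCE "
            "mode cannot be shortened or bypassed, even by the account root user")
    days = retention.get("Days", 365 * retention.get("Years", 0))
    if days < MIN_RETENTION_DAYS:
        findings.append(f"bucket: default retention of {days} days is below {MIN_RETENTION_DAYS}")
    return findings


def logging_tamper_events(events: list[dict]) -> list[tuple[str, str, str]]:
    """(eventTime, principal ARN, eventName) for calls that cut off log delivery."""
    hits = []
    for ev in events:
        if (ev.get("eventSource") == "cloudtrail.amazonaws.com"
                and ev.get("eventName") in LOG_TAMPER_CALLS):
            hits.append((ev["eventTime"], ev["userIdentity"]["arn"], ev["eventName"]))
    return hits


# Constructed sample responses (account number and key ARN are placeholders).
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-audit-logs",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": False,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example",
}
SAMPLE_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}}
SAMPLE_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}
SAMPLE_EVENTS = [  # constructed CloudTrail records, trimmed to the fields used
    {"eventTime": "2024-05-01T02:11:09Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-05-01T02:12:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"},
     "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for finding in check_trail(SAMPLE_TRAIL) + check_bucket(SAMPLE_LOCK, SAMPLE_VERSIONING):
        print("FINDING:", finding)
    for when, who, call in logging_tamper_events(SAMPLE_EVENTS):
        print(f"ALERT: {who} called {call} at {when}")
```

Against the constructed inputs the script reports that integrity validation is off, that the bucket's GOVERNANCE-mode lock can be bypassed, that 90 days of retention is too short, and that the `deploy` user issued `StopLogging`. Note that a default retention rule applies only to object versions written after it is set; existing log files need an explicit retention date applied.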
8. Tabletop Exercises
The Company conducts tabletop exercises at least quarterly. Scenarios rotate across PHI breach, account takeover, ransomware, subprocessor compromise, regulatory request, and lawful demand. Findings drive updates to runbooks and training. Annual exercise summaries are available to assessors under non-disclosure agreement.
9. Continuous Improvement
Post-incident lessons-learned are incorporated into the risk register, the policy set, and quarterly training. The Incident Response Plan itself is reviewed at least annually and after every SEV-1 incident.