Skill

legalcode-incident-response-plan-builder

Build comprehensive Incident Response Plans (IRP) covering the full incident lifecycle: preparation, detection and analysis, containment, eradication, recovery, and post-incident activities. Use when building an IRP from scratch, reviewing or updating an existing plan, responding to a live security incident, or preparing tabletop exercises.

Produces a complete IRP document package including RACI matrix for cross-functional incident response team roles (legal, IT security, privacy/DPO, communications, executive, HR, external counsel, forensics), severity classification framework (P1-P4 with escalation triggers and response SLAs), regulatory notification decision trees (GDPR Art. 33-34, NIS2 Art. 23, US state breach laws, UK ICO, Australian OAIC, Canadian OPC, SEC Form 8-K), legal privilege protection architecture (dual-track investigation model, attorney-client privilege safeguards, Kovel doctrine application), evidence preservation protocols (chain of custody, legal hold, forensic integrity), six communication templates (internal, executive, board, regulatory, individual, media, customer), tabletop exercise scenarios with inject cards, and post-incident review framework.

Aligned with NIST SP 800-61r3 (CSF 2.0, April 2025), NIST SP 800-86, GDPR Art. 33-34, NIS2 Directive Art. 23, ISO/IEC 27035-1/2/3 (2023), ISO/IEC 27037, SANS 6-phase IH&R framework, and CISA incident response guidance.

Operates in two modes: pre-incident plan-building and live incident response. Integrates with legalcode-breach-severity-assessment, legalcode-breach-regulatory-notification-drafter, legalcode-us-breach-notification-triage, and legalcode-dsar-workflow-builder.

Jurisdictions

Global

Install command

$ npx legalcode skill install legalcode-incident-response-plan-builder
