# Incident Response Plan

- Product: Nquiry - Investigation Management Platform
- Last Updated: January 30, 2026
- Version: 1.0
- Owner: Joe Etherage (Founder)
## 1. Purpose
This plan establishes procedures for detecting, responding to, and recovering from security incidents affecting Nquiry. It ensures compliance with FedRAMP IR (Incident Response) controls and protects customer data.
## 2. Scope
This plan covers:
- Nquiry web application (app.nquiry.ai)
- AWS infrastructure (Cognito, RDS, S3, Amplify)
- Customer data (investigations, evidence, user accounts)
- Landing page (nquiry.ai)
## 3. Incident Classification

### Severity Levels
| Level | Name | Description | Response Time | Examples |
|---|---|---|---|---|
| P1 | Critical | Active breach, data exfiltration, system compromise | Immediate (< 1 hour) | Unauthorized data access, ransomware, credential compromise |
| P2 | High | Security vulnerability exploited, service degradation | < 4 hours | SQL injection attempt, DDoS attack, authentication bypass |
| P3 | Medium | Suspicious activity, potential vulnerability | < 24 hours | Failed login spikes, unusual API patterns, phishing attempts |
| P4 | Low | Minor security event, policy violation | < 72 hours | Single failed login, minor misconfiguration, spam |
### Incident Categories
- Unauthorized Access - Breach of authentication/authorization controls
- Data Breach - Unauthorized disclosure of customer data
- Malware - Malicious software detected in systems
- Denial of Service - Service availability impact
- Insider Threat - Malicious or negligent insider activity
- Phishing/Social Engineering - Attempts to obtain credentials
- Vulnerability Exploitation - Active exploitation of known/unknown vulnerability
## 4. Roles and Responsibilities

### Incident Response Team
| Role | Responsibility | Primary Contact |
|---|---|---|
| Incident Commander | Overall response coordination, decisions, communications | Joe Etherage |
| Technical Lead | Investigation, containment, remediation | Joe Etherage (+ Claude Code for implementation) |
| Communications Lead | Customer/stakeholder notifications | Joe Etherage |
Note: As a solo founder operation, Joe serves all roles. As the team grows, responsibilities will be delegated.
### External Contacts
| Entity | When to Contact | Contact Method |
|---|---|---|
| AWS Support | Infrastructure issues, suspected AWS compromise | AWS Console → Support |
| US-CERT | P1/P2 incidents affecting federal customers | us-cert.cisa.gov |
| Legal Counsel | Data breach notification requirements | TBD |
| Cyber Insurance | Potential covered incident | TBD (policy pending) |
## 5. Detection Sources

### Automated Monitoring
| Source | What It Detects | Alert Method |
|---|---|---|
| CloudWatch Synthetics | Application availability (uptime) | CloudWatch Alarm → Email |
| Sentry | Application errors, exceptions | Sentry Dashboard + Email |
| AWS CloudTrail | AWS API activity, unauthorized actions | CloudWatch Logs (pending) |
| Cognito | Failed authentications, suspicious logins | CloudWatch Metrics |
| Application Audit Logs | User actions, data access patterns | `audit_log` table |
### Manual Detection
- Customer reports (support@nquiry.ai)
- Security researcher reports
- Routine log review
- Third-party breach notifications (e.g., credential dumps)
## 6. Response Procedures

### Phase 1: Detection & Triage (0-30 minutes)

1. **Acknowledge alert** - Confirm the incident is real (not a false positive)
2. **Classify severity** - Assign P1-P4 based on impact
3. **Document initial findings** - Create an incident ticket with:
   - Date/time detected
   - Detection source
   - Initial assessment
   - Affected systems/data
4. **Escalate if P1/P2** - Immediate action required
### Phase 2: Containment (30 min - 4 hours)
Immediate containment options:
| Action | Command/Location | When to Use |
|---|---|---|
| Disable user account | Cognito Console → Users → Disable | Compromised account |
| Revoke all sessions | Cognito → User → Sign out globally | Session hijacking |
| Block IP address | AWS WAF (when enabled) | Active attack source |
| Disable API key | IAM Console → Users → Security credentials | Leaked credentials |
| Enable maintenance mode | Amplify → Environment variables → MAINTENANCE_MODE=true | Active exploitation |
| Isolate RDS | Modify security group to deny all | Database compromise |
| Disable S3 bucket | S3 → Block public access + deny policy | Data exfiltration |
Do NOT:
- Delete logs or evidence
- Restart systems before capturing state
- Communicate externally before internal alignment
### Phase 3: Investigation (Ongoing)

1. **Preserve evidence**
   - Export CloudTrail logs
   - Export application audit logs
   - Snapshot affected RDS instance
   - Capture CloudWatch logs
   - Document timeline
2. **Determine scope**
   - What data was accessed/exfiltrated?
   - Which users/organizations were affected?
   - What was the attack vector?
   - Is the attacker still present?
3. **Root cause analysis**
   - How did the incident occur?
   - What controls failed?
   - Was this preventable?
### Phase 4: Eradication & Recovery

1. **Remove threat**
   - Patch vulnerability
   - Remove malware
   - Reset compromised credentials
   - Revoke unauthorized access
2. **Restore services**
   - Verify systems are clean
   - Restore from backup if needed
   - Re-enable disabled services
   - Monitor for recurrence
3. **Validate recovery**
   - Test application functionality
   - Verify data integrity
   - Confirm security controls are active
### Phase 5: Post-Incident

1. **Conduct retrospective** (within 5 business days)
   - What happened?
   - What went well?
   - What could improve?
   - Action items
2. **Update documentation**
   - This incident response plan
   - Runbooks for specific scenarios
   - Security controls
3. **Implement improvements**
   - Address root cause
   - Enhance detection
   - Update training
## 7. Notification Requirements

### FedRAMP Requirements
| Incident Type | Notification Timeline | Notify |
|---|---|---|
| Significant incident (P1) | Within 1 hour | US-CERT, Affected agency |
| Data breach affecting federal data | Within 1 hour | US-CERT, Affected agency |
| Other security incidents (P2) | Within 24 hours | Affected agency |
US-CERT Reporting: https://us-cert.cisa.gov/report
### HIPAA Breach Notification Requirements

Per the proposed 2026 HIPAA Security Rule:
| Notification Type | Timeline | Recipient |
|---|---|---|
| Business Associate → Covered Entity | Within 24 hours | Covered Entity (customer) |
| Covered Entity → Affected Individuals | Within 60 days | Affected individuals |
| Covered Entity → HHS | Within 60 days (or immediately if >500 individuals) | HHS Secretary |
| Covered Entity → Media | If >500 residents in a state | Local media |
Critical: Nquiry is a Business Associate. Upon discovery of a breach involving PHI, we must notify the Covered Entity (our customer) within 24 hours. This is a significant reduction from the previous 60-day requirement.
Breach Notification Checklist:
- ☐ Confirm breach involves unsecured PHI
- ☐ Identify affected Covered Entity customers
- ☐ Prepare breach notification with required elements:
  - Nature of breach and PHI involved
  - Date of breach and discovery
  - Steps taken to mitigate harm
  - Steps individuals should take
  - Contact information for questions
- ☐ Send notification within 24 hours of discovery
- ☐ Document notification sent (date, recipient, content)
- ☐ Provide follow-up information as investigation continues
### Customer Notification
| Situation | Timeline | Method |
|---|---|---|
| PHI breach - unauthorized access/disclosure of PHI | Within 24 hours | Email to Covered Entity (customer) |
| Data breach - confirmed unauthorized access to customer data | Within 72 hours | Email to affected users + in-app banner |
| Service disruption - extended outage (> 4 hours) | During incident | Status page (when available) |
| Security advisory - recommended customer action | Within 24 hours | Email to all users |
### Notification Template (Data Breach)

```text
Subject: Security Notice - Action Required

Dear [Customer Name],

We are writing to inform you of a security incident that may have affected your data.

What happened:
[Brief, factual description]

What information was involved:
[Types of data potentially affected]

What we are doing:
[Actions taken to address the incident]

What you can do:
[Recommended actions - e.g., change password, enable MFA]

For more information:
Contact us at security@nquiry.ai

We sincerely apologize for any concern this may cause.

Joe Etherage
Founder, JE Vectors LLC (Nquiry)
```
## 8. Evidence Preservation

### What to Preserve
- CloudTrail logs (90 days retained by default)
- Application audit logs (`audit_log` table)
- CloudWatch logs
- RDS snapshots
- S3 access logs
- Cognito authentication logs
- Network flow logs (if enabled)
### Preservation Procedure

```bash
# Export CloudTrail events for the incident window (Event history covers the last
# 90 days of management events); copy the file to the evidence bucket afterwards
aws cloudtrail lookup-events --start-time <incident_start> --end-time <incident_end> > cloudtrail_export.json

# Create RDS snapshot
aws rds create-db-snapshot --db-instance-identifier invapp-dev-postgres --db-snapshot-identifier incident-YYYY-MM-DD

# Export audit logs for the incident window
psql "$DATABASE_URL" -c "COPY (SELECT * FROM audit_log WHERE created_at >= '<start>' AND created_at <= '<end>') TO STDOUT WITH CSV HEADER" > audit_log_export.csv
```
### Chain of Custody
Document for each piece of evidence:
- What was collected
- When it was collected
- Who collected it
- Where it is stored
- Hash/checksum for integrity
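As an added example (not part of this plan or the Nquiry code base), the script below records the five chain-of-custody fields for each exported evidence file and re-hashes the files later to detect alteration. The file name follows the Preservation Procedure's `audit_log_export.csv`; the file contents, the S3 location and the collector name are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large log exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_evidence(manifest: Path, evidence: Path, what: str,
                    collected_by: str, stored_at: str) -> dict:
    """Append one entry (what / when / who / where / hash) to a JSON-lines manifest."""
    entry = {
        "what": what,
        "file": evidence.name,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "stored_at": stored_at,  # where the preserved copy lives, e.g. an evidence bucket key
        "sha256": sha256_of(evidence),
    }
    with manifest.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def verify_manifest(manifest: Path, evidence_dir: Path) -> dict:
    """Re-hash each listed file: True = intact, False = altered, None = missing."""
    results = {}
    for line in manifest.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        path = evidence_dir / entry["file"]
        results[entry["file"]] = sha256_of(path) == entry["sha256"] if path.exists() else None
    return results

def demo() -> dict:
    """Walk-through on a constructed export; returns the integrity checks made."""
    evidence_dir = Path(tempfile.mkdtemp())
    manifest = evidence_dir / "chain_of_custody.jsonl"
    export = evidence_dir / "audit_log_export.csv"  # constructed stand-in for the real export
    export.write_bytes(b"abc")
    entry = record_evidence(manifest, export, "audit_log rows for incident window",
                            "Joe Etherage", "s3://EVIDENCE-BUCKET-PLACEHOLDER/INC-YYYY-MM-DD-XXX/")
    intact = verify_manifest(manifest, evidence_dir)
    export.write_bytes(b"abd")  # simulate post-collection alteration of the evidence
    altered = verify_manifest(manifest, evidence_dir)
    return {"sha256": entry["sha256"], "intact": intact, "altered": altered}
```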
## 9. Communication Templates

### Internal Status Update

```text
INCIDENT UPDATE - [Severity] - [Date/Time]
Status: [Investigating | Contained | Resolved]
Affected: [Systems/customers]
Current actions: [What's being done]
Next update: [Time]
```
### Executive Summary (Post-Incident)

```text
INCIDENT SUMMARY
Incident ID: INC-YYYY-MM-DD-XXX
Severity: [P1-P4]
Duration: [Start] to [End]
Impact: [Users/data affected]
Root cause: [Brief description]
Resolution: [Actions taken]
Follow-up: [Planned improvements]
```
## 10. Runbooks

### Runbook: Compromised User Account

1. Disable user in Cognito Console
2. Revoke all sessions (sign out globally)
3. Check `audit_log` for user's recent activity
4. Identify any data accessed/modified
5. Reset password (force password change)
6. Notify user of compromise
7. Review how credentials were compromised
8. Re-enable account after user verification
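An added example (not Nquiry's own code) of the "check audit_log" and "identify any data accessed/modified" steps, working from the `audit_log_export.csv` produced by the Preservation Procedure. Only the `created_at` column is confirmed by this plan; the other columns, the action names and the sample rows are assumptions constructed for the illustration.

```python
import csv
import io
from datetime import datetime

# Assumed action vocabulary: which audit_log actions change data vs. only read it.
MODIFYING = {"update", "delete", "upload_evidence", "share"}
READING = {"view", "download", "export", "search"}

# Constructed sample shaped like audit_log_export.csv; only created_at is a column
# the plan confirms, the rest are assumed. IPs are from documentation ranges.
SAMPLE_EXPORT = """\
created_at,user_email,action,resource_type,resource_id,source_ip
2026-01-30T07:30:00+00:00,analyst@example.com,view,investigation,inv-0999,192.0.2.44
2026-01-30T08:55:10+00:00,analyst@example.com,login,session,-,203.0.113.10
2026-01-30T09:02:41+00:00,analyst@example.com,view,investigation,inv-1042,203.0.113.10
2026-01-30T09:05:03+00:00,analyst@example.com,download,evidence,ev-7781,203.0.113.10
2026-01-30T09:06:30+00:00,analyst@example.com,share,investigation,inv-1042,203.0.113.10
2026-01-30T09:07:15+00:00,other@example.com,view,investigation,inv-2000,198.51.100.7
"""

def user_activity(export_csv: str, user_email: str, since_iso: str) -> dict:
    """Summarise one user's audit_log rows from `since_iso` onward.

    Returns which resources were read, which were modified, the source IPs seen
    and the first/last timestamps: the facts the "identify any data
    accessed/modified" and "review how credentials were compromised" steps need.
    Actions outside the known vocabulary are surfaced, not silently dropped.
    """
    since = datetime.fromisoformat(since_iso)
    rows = [r for r in csv.DictReader(io.StringIO(export_csv))
            if r["user_email"] == user_email
            and datetime.fromisoformat(r["created_at"]) >= since]
    rows.sort(key=lambda r: datetime.fromisoformat(r["created_at"]))
    summary = {"read": set(), "modified": set(), "unclassified": set(),
               "source_ips": set(), "first": None, "last": None}
    for r in rows:
        target = f'{r["resource_type"]}:{r["resource_id"]}'
        if r["action"] in MODIFYING:
            summary["modified"].add(target)
        elif r["action"] in READING:
            summary["read"].add(target)
        elif r["action"] != "login":
            summary["unclassified"].add(r["action"])
        summary["source_ips"].add(r["source_ip"])
    if rows:
        summary["first"], summary["last"] = rows[0]["created_at"], rows[-1]["created_at"]
    return summary
```

A source IP that never appears in the user's activity before the suspected compromise window is a useful lead for the "review how credentials were compromised" step.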
### Runbook: Suspected Data Breach

1. Immediately: Assess scope - what data, which customers
2. Within 1 hour: If federal data is involved, notify US-CERT
3. Create RDS snapshot for evidence
4. Export relevant audit logs
5. Identify attack vector
6. Contain (block access, patch vulnerability)
7. Prepare customer notification
8. Engage legal counsel for notification requirements
9. Document everything for compliance
### Runbook: DDoS Attack

1. Check CloudWatch for traffic patterns
2. Enable AWS Shield (if not already)
3. Configure WAF rate limiting rules
4. If using CloudFront, enable additional DDoS protections
5. Consider enabling Amplify WAF
6. Monitor and adjust rules as the attack evolves
7. Document attack patterns for future prevention
## 11. Testing & Maintenance

### Plan Testing
| Activity | Frequency | Next Due |
|---|---|---|
| Tabletop exercise - Walk through scenario | Quarterly | Q2 2026 |
| Technical drill - Practice containment procedures | Annually | Q3 2026 |
| Plan review - Update contacts, procedures | Annually | January 2027 |
### Tabletop Scenarios
- Scenario A: Customer reports unauthorized access to their investigation
- Scenario B: Security researcher reports SQL injection vulnerability
- Scenario C: AWS notifies of compromised IAM credentials
- Scenario D: Ransomware detected on development machine
## 12. Quick Reference

### Emergency Contacts

| Contact | Phone | Email / URL |
|---|---|---|
| Joe Etherage (Incident Commander) | [REDACTED] | joe@nquiry.ai |
| AWS Support | Console | aws.amazon.com/support |
| US-CERT | (888) 282-0870 | us-cert.cisa.gov/report |
### Key AWS Console Links
### Critical Commands

```bash
# Check recent audit logs
psql "$DATABASE_URL" -c "SELECT * FROM audit_log ORDER BY created_at DESC LIMIT 50"

# List Cognito users
aws cognito-idp list-users --user-pool-id "$COGNITO_USER_POOL_ID"

# Disable Cognito user
aws cognito-idp admin-disable-user --user-pool-id "$COGNITO_USER_POOL_ID" --username <email>

# Create emergency RDS snapshot
aws rds create-db-snapshot --db-instance-identifier invapp-dev-postgres --db-snapshot-identifier emergency-$(date +%Y%m%d-%H%M%S)
```
## Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-30 | Joe Etherage | Initial version |
| 1.1 | 2026-02-04 | Claude | Added 24-hour BA breach notification per proposed 2026 HIPAA Security Rule |