CYBERSECURITY INCIDENT RESPONSE PLAN
1204.1 PURPOSE AND SCOPE
The Cybersecurity Incident Response Plan (CSIRP) outlines the procedures for promptly identifying, managing, and mitigating cybersecurity incidents that could affect the Lincoln Police Department's information systems, sensitive data, and technology services. This plan ensures a structured and efficient response to safeguard the department's digital assets and maintain operational continuity in the face of potential cyber threats. The primary objectives of this plan are to:
(a) Minimize operational disruption.
(b) Protect critical assets and data integrity.
(c) Ensure business continuity.
(d) Comply with legal, regulatory, and contractual obligations.
This plan applies to all individuals accessing the Lincoln Police Department's information systems, including:
(a) Employees.
(b) Contractors.
(c) Third-party service providers.
Covered incidents include, but are not limited to:
(a) Malware infections (e.g., viruses, worms, Trojans).
(b) Phishing attacks (email, SMS, or social engineering-based).
(c) Data breaches (unauthorized access to sensitive data).
(d) Denial-of-Service (DoS) or Distributed DoS (DDoS) attacks.
(e) Ransomware attacks (file encryption and extortion demands).
(f) Insider threats (malicious or accidental actions by authorized personnel).
1204.2 POLICY
This plan is designed to safeguard the Lincoln Police Department's critical infrastructure, systems, and sensitive data by ensuring rapid, coordinated, and effective responses to cybersecurity threats. It is a dynamic and evolving document, continuously updated to reflect emerging threats, best practices, and lessons learned from past incidents. The Information Security Officer (ISO) is designated as the primary authority responsible for overseeing, managing, and executing the department's incident response strategy and activities.
1204.3 CYBERSECURITY INCIDENT RESPONSE TEAM (CSIRT)
The Cybersecurity Incident Response Team (CSIRT) is a specialized group dedicated to preparing for and responding to cybersecurity threats. Its primary purpose is to effectively identify, manage, and mitigate cybersecurity incidents that may impact the Lincoln Police Department's information systems, data, and technology services.
1204.3.1 CSIRT ACTIVATION
The Cybersecurity Incident Response Team (CSIRT) is activated by the Team Lead immediately upon the notification of a suspected or confirmed cybersecurity incident. The Team Lead evaluates the severity and scope of the incident, ensuring that all necessary persons are informed and the appropriate response protocols are initiated. Once activated, the CSIRT is responsible for executing the incident response strategy, coordinating containment, eradication, and recovery efforts, and ensuring continuous communication with internal and external stakeholders. The team's activation ensures a rapid and organized response, minimizing the potential impact on the Lincoln Police Department's information systems, data, and operations.
1204.3.2 ROLES AND RESPONSIBILITIES
The composition of the CSIRT is determined on a per-incident basis and includes the following three positions, plus as many additional positions as warranted by the incident.
(a) Team Lead
1. Role: Responsible for overall incident response coordination and decision-making.
(b) MSP Representative
1. Role: Provides technical expertise for containment, eradication, and recovery.
(c) Department Representative - (Department Head or designee)
1. Role: Provides input on priorities for restoring critical functions and helps implement post-incident recommendations within their department.
Additional members may be activated on a per-incident basis for High- or Critical-Severity incidents to ensure alignment with city policies and to communicate with stakeholders.
Activation requests shall be made by the Team Lead and approved by the mayor.
(a) Elected Official Liaison - (Mayor or City Council Representative)
1. Role: Provides policy guidance, authorizes emergency measures, and acts as a public-facing figure when necessary.
(b) Law Enforcement Liaison - (Police Chief or designee)
1. Role: Facilitates communication with local, state, or federal law enforcement agencies.
(c) Legal Counsel
1. Role: Advises on compliance with legal and regulatory requirements.
(d) Public Information Officer
1. Role: Manages internal and external communication, including public and media relations.
(e) Cyber Security Governance Team Members
1. Role: Ensure alignment with cybersecurity policies.
1204.4 INCIDENT REPORTING
Incident Reporting ensures that the incident is tracked, assessed, and addressed promptly to mitigate its impact. Reporting is a crucial part of the incident response cycle and helps ensure that incidents are properly documented, managed, and communicated both internally and externally.
See attachment: Cybersecurity Incident Response Form.pdf
(a) Reporting Requirements:
All suspected incidents must be reported immediately to the Team Lead or MSP Representative.
(b) Contact Details:
Provide phone numbers, email addresses, and alternative communication channels for reporting.
(c) Incident Log - Maintain a log capturing the following details:
1. Date and time of the report.
2. Description of the incident.
3. Reporting party details.
1204.5 INCIDENT RESPONSE PROCEDURES
These procedures are designed to detect, mitigate, and recover from security incidents, ensuring minimal damage to systems, data, and reputation. The goal is to restore normal operations as quickly as possible while preserving evidence for forensic analysis.
(a) Triage and Assessment
1. Identify the type, scope, and severity of the incident.
2. Prioritize response based on the potential impact on critical systems and data.
(b) Containment
1. Isolate affected systems or networks to prevent lateral spread.
2. Disable compromised accounts and reset passwords.
3. Preserve logs, forensic evidence, and other relevant data.
(c) Eradication
1. Remove malicious software and identify the attack vector.
2. Patch vulnerabilities exploited during the incident.
(d) Recovery
1. Restore systems from verified backups.
2. Test system functionality to ensure normal operation.
3. Monitor for residual activity or further compromise.
(e) Post-Incident Review
1. Conduct a debrief with the CSIRT to identify lessons learned.
2. Update the CSIRP to incorporate improvements.
3. Provide an incident report detailing the timeline, actions taken, and outcomes.
1204.6 COMMUNICATION PLAN
Critical information shall be shared accurately and efficiently, reducing confusion and helping to maintain trust with all stakeholders during a cybersecurity crisis. Clear, timely, and coordinated communication helps mitigate the impact of an incident and ensures compliance with legal and regulatory obligations.
(a) Internal Communication
1. Notify affected employees and departments.
2. Maintain secure communication channels during response efforts.
(b) External Communication (as needed)
1. Designate a spokesperson to communicate with the media and the public.
2. Coordinate messages to ensure accuracy and consistency.
(c) Social Media Monitoring (as needed)
1. Monitor platforms for public sentiment and misinformation.
1204.7 TRAINING AND EXERCISES
Simulated Drills:
(a) Hold annual tabletop exercises to evaluate the CSIRT's readiness.
1204.8 PLAN REVIEW AND UPDATES
Frequency:
(a) Review the CSIRP at least annually or after significant incidents.
Triggers for Updates to the CSIRP:
(a) Technology or infrastructure changes.
(b) Emerging threats.
(c) Regulatory requirements.
1204.9 DATA BACKUP AND RECOVERY
(a) Regularly back up critical data with off-site or cloud storage options.
(b) Test restoration processes quarterly to validate integrity and speed of recovery.
1204.10 INSURANCE AND LEGAL CONSIDERATIONS
(a) Cyber Insurance: Ensure adequate coverage for incident-related costs.
(b) Compliance: Regularly review local, state, and federal cybersecurity regulations to ensure adherence.
1204.11 CONTACT DETAILS
TBD
1204.12 SECURITY LEVEL AND RESPONSE PRIORITY
Security Level and Response Priority are essential elements of the Cybersecurity Incident Response Plan (CSIRP). They categorize cybersecurity incidents based on their severity and provide guidance on the appropriate response effort. Classifying incidents into levels of severity and assigning a corresponding response priority ensures that security threats are handled in an efficient and organized manner, minimizing potential damage.
Each security level is defined by its description, impact, response priority, and representative examples:
(a) Critical
1. Description: Major disruption to critical services. Data integrity or confidentiality compromised.
2. Impact: Widespread impact on operations, significant legal or regulatory consequences.
3. Response Priority: Immediate
4. Examples: Ransomware attacks on city services; data breaches affecting sensitive citizen information.
(b) High
1. Description: Significant disruption to services or systems.
2. Impact: Localized operational impact, potential for legal or regulatory issues.
3. Response Priority: High
4. Examples: Phishing attack compromising multiple accounts.
(c) Moderate
1. Description: Limited disruption, but potential for escalation.
2. Impact: Moderate operational impact, no immediate legal or regulatory concerns.
3. Response Priority: Medium
4. Examples: Malware infection on isolated systems.
(d) Low
1. Description: Minor disruption or negligible risk.
2. Impact: No significant operational or data impact.
3. Response Priority: Low
4. Examples: Suspicious email reported, but no compromise.
1204.13 CHECKLIST FOR INCIDENT RESPONSE STEPS
This checklist helps ensure that the incident is handled systematically, with all necessary steps taken to contain, mitigate, and resolve the issue, as well as document the actions for future reference and compliance.
Step 1: Detection and Reporting
Verify the incident report.
Log the incident with initial details (who, what, where, when, how).
Notify the Cybersecurity Incident Response Team (CSIRT).
Step 2: Triage and Assessment
Determine the type of incident (malware, phishing, breach, etc.)
Assess the potential impact on critical systems, data, or services.
Categorize the severity level (see 1204.12 Security Level and Response Priority).
Step 3: Containment
Isolate affected systems from the network.
Block malicious IP addresses or accounts.
Secure forensic evidence (logs, affected files).
Step 4: Eradication
Scan and remove malicious files or software.
Identify and fix exploited vulnerabilities.
Apply patches or updates to systems.
Step 5: Recovery
Restore systems from verified backups.
Validate system functionality.
Monitor systems for any residual malicious activity.
Step 6: Post-Incident Review
Conduct a debrief with the CSIRT.
Document the timeline, actions taken, and lessons learned.
Update the Cybersecurity Incident Response Plan (CSIRP) as needed.