Skip to main content

Incident Response Plan

Incident Response Plan

Incident Response Plan Overview 


This document provides a brief overview of the Incident Response Plan and offers guidance for employees or incident responders who believe they have discovered or are responding to a security incident. 


The Incident Response Plan applies to all parties that access AC Transit information (e.g., employees, contractors, third-party, and Managed Service Providers). This plan covers all information systems, applications, and data owned, operated, or managed by AC Transit. 

Incident Response Process 

AC Transit executes the Incident Response Plan within the seven phases of Incident Response: Detection, Notification, Analysis, Containment, Eradication, Recovery, and Post Incident Activity. 

Incident Reporting & Documentation 


  • Upon discovering an issue (e.g., vulnerability/threat), contact AC Transit:  
  • Insert Contact Form 

Reports should include specific details about what has been observed or discovered. 


All reported security events, incidents, and response activities shall be logged, assigned a severity level (low/medium, high, or critical), backed up, and saved. 



  • Issues meeting this severity have a minor impact on a small portion of the enterprise.  
  • Action Timeline: Within 24 hours 


  • Issues meeting this severity have some impact on a small portion of the enterprise.  
  • Action Timeline: Within 4 hours 


  • Issues meeting this severity involve the loss of a major service within the enterprise.  
  • Action Timeline: Immediately 


  • Issues meeting this severity have an extreme impact on the enterprise.  
  • Action Timeline: Immediately 

Incident Response Process 

For critical issues, the response team will follow a rigorous response process designed to investigate, contain exploitation, eradicate the threat, recover system and services, remediate vulnerabilities, and document a post-incident review, cataloging the lessons learned to avoid similar issues in the future. 


  • Event reported 
  • Triage and analysis 
  • Investigation 
  • Containment & neutralization (short term work) 
  • Recovery & vulnerability remediation 
  • Hardening & Detection improvements (lessons learned, long term work) 
  • promptly and properly notify customers, partners, users, affected parties, and regulatory agencies of relevant incidents or breaches in accordance with AC Transit policies, contractual commitments, and regulatory requirements. 

Roles & Responsibilities 

Every employee and user of any AC Transit information resources has responsibilities toward the protection of the information assets. The table below establishes the specific teams included in the Incident Response Team: 

Chief Information Officer  Chief Information Security Officer 
Vice President of Human Resources Affected system or operations representative(s) 
Legal Counsel Marketing 
Senior Management (General Manager) Public Relations 
Chief Financial Officer (CFO)  IT Manager 
Chief Operations Officer (COO) Call Center/Operations Control Center operations 
Internal Investigator(s) Any other person(s)/entity deemed appropriate 

Management Commitment 

AC Transit management is committed to providing the resources, tools and training needed to reasonably respond to identified security events and incidents with the potential to adversely affect the company and/or its customers. 

Violations & Enforcement 

Any known violations of this policy should be reported to the IT Manager. Violations of this policy may result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment. 


Version Description Date Author Approved By 
1.0 First Version 2/15/2024 IT Department CIO