IR-8.1: Breaches

the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;

the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;

the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.

Incident response policy

procedures addressing incident response planning

incident response plan

system security plan

privacy plan

records of incident response plan reviews and approvals

other relevant documents or records

Organizational personnel with incident response planning responsibilities

organizational personnel with information security and privacy responsibilities

Organizational incident response plan and related organizational processes