Which option best represents the minimum content that must be included in an incident response plan?

• A. Roles, responsibilities, and communication strategies in the event of a compromise; specific incident response procedures; business recovery and continuity; data backup processes; analysis of legal requirements for reporting compromises; coverage of all critical system components; and reference or inclusion of incident response procedures from payment brands.
• B. Roles, responsibilities, and communication strategies in the event of a compromise; only data backup procedures.
• C. Remote monitoring indicators and alert thresholds.
• D. A plan focusing solely on network segmentation.

Answer: (B)

The main idea here is that an incident response plan must establish governance for how to act when a compromise occurs. The minimum content should clearly define who is involved, what their roles and responsibilities are, and how people and teams will communicate during an incident. Including data backup procedures fits as part of that minimum because it directly supports recovery and continuity after an incident, ensuring critical data can be restored and operations can resume.

Other choices introduce elements that go beyond the essential, or focus on detection and architecture rather than the basic plan structure. For example, remote monitoring indicators pertain to detecting incidents, not outlining the core plan’s required content; and a plan focused only on network segmentation misses the essential incident response governance and recovery steps.