Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control. Such incident response plan shall address the following areas:

The goals of the incident response plan;

• (1) The internal processes for responding to a security event;

• (2) The definition of clear roles, responsibilities, and levels of decision-making authority;

• (3) External and internal communications and information sharing;

• (4) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

• (5) Documentation and reporting regarding security events and related incident response activities; and

• (6) The evaluation and revision as necessary of the incident response plan following a security event.