From the Introduction: "There is no one-size-fits-all approach for developing a cyber incident response plan. While some election offices are directly responsible for a large portion of the incident response capability for their systems, many (particularly in small and medium size jurisdictions) rely on vendors or other agencies for activities such as system monitoring, analysis, containment, eradication, and recovery. The structure, scope, and level of detail required for an incident response plan varies widely based on these and other factors. Regardless, all election offices play a critical role in detection of potential cyber incidents--based on system user observations--and notification of appropriate stakeholders. [...] This 'Cyber Incident Detection and Notification Planning Guide' focuses on the common need shared across the election community to effectively recognize and respond to potential cyber incidents. Specifically, the guide builds on existing materials offered by the Nation's election security thought leaders to assist election offices in determining and documenting the following:  Key stakeholders and contact information for incident notification and response;  Incident notification plans providing standardized procedures for notifying appropriate stakeholders of a potential cyber incident based on observed symptoms and level of criticality;  Incident indicators ('symptoms') system users can reference to detect potential cyber incidents and initiate the appropriate notification plan for escalation and reporting."
Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/