1. Purpose
Provide a structured approach for detecting, responding to and recovering from security incidents.
2. Scope
Applies to all information systems, personnel and third parties.
3. Definitions
- Event: An observable occurrence in a system or network.
- Incident: An event that compromises confidentiality, integrity or availability.
4. Roles
| Role | Duty |
| --- | --- |
| Incident Commander | Coordinates response; usually ISM or delegate |
| Communications Lead | Handles internal/external comms; works with Marketing & Legal |
| Technical Lead | Performs investigation & remediation |
| Scribe | Maintains timeline & evidence |
5. Phases
- Preparation – Training, runbooks, tooling (Better Stack, SIEM).
- Identification – Alerts from SIEM, customer report, anomaly detection.
- Containment – Short-term (isolate systems), long-term (patch, reimage).
- Eradication – Remove the root cause (malware, vulnerability).
- Recovery – Restore services; monitor for recurrence.
- Lessons Learned – Post-mortem within 5 business days.
6. Severity Matrix
| Sev | Criteria | Response Time |
| --- | --- | --- |
| 1 – Critical | Data breach, widespread outage | ≤ 15 min |
| 2 – High | Limited customer impact | ≤ 30 min |
| 3 – Medium | Internal system issue | ≤ 4 h |
| 4 – Low | No immediate impact | 24 h |
7. Notification Obligations
- GDPR Article 33 – Notify the DPA within 72 h when a personal data breach is likely to result in a risk to individuals.
- Customers informed via e-mail & status page.
- Law enforcement involvement via Legal.
8. Evidence Handling
Follow chain-of-custody procedures; export logs to write-once storage and verify their hashes.
9. Post-Incident Review
A root-cause analysis (RCA) meeting produces corrective actions, which are logged in Jira and tracked to closure.
10. Testing
Conduct at least 6 tabletop exercises per year (one every two months); critical runbooks are tested on the same bi-monthly cadence.
Version 1.0 — effective 2025-07-01