Incident Response Plan

1. Purpose

Provide a structured approach to manage information security incidents, protect customer data, and comply with TSC CC7.2 & CC7.3.

2. Definitions

• Security Incident – Unauthorised access, use, disclosure, modification, or destruction of information assets.
• Major Incident – Incident that affects >5% of customers, involves PII, or triggers regulatory reporting obligations.

3. Roles & Responsibilities

4. Phases

1. Detection & Reporting – SIEM, bug bounty or employee raises Better Stack.
2. Triage – IC assesses severity & scope within 15 min.
3. Containment – Isolate affected systems, revoke credentials.
4. Eradication – Patch vulnerabilities, restore clean state.
5. Recovery – Validate systems, monitor for recurrence.
6. Lessons Learned – Post-mortem within 5 business days; corrective actions tracked in Jira.

5. Notification

• Customers informed within 24 h for Major Incidents.
• Regulators (e.g., DPA) notified within 72 h where required.

6. Testing

Tabletop exercise bi-monthly; live simulation annually.

7. Evidence

All steps logged in Better Stack & Slack channel archived to GDrive.

8. Escalation Path

If the on-call engineer (Incident Commander) does not acknowledge within 15 minutes, Better Stack automatically escalates: 1. DevOps Secondary – senior SRE on the rota. 2. Head of Product – ultimate business owner for customer-impacting incidents.

Escalation steps are configured in Better Stack under Incident Playbook → Escalation and reviewed bi-monthly.

9. Contact List

Evidence ID: IR-02 (see Controls Matrix pending).

Version 1.0