Incident Response Policy

Property	Value
Document ID	POL-008
Version	1.0
Status	Draft
Owner	Chief Information Security Officer (CISO)
Last Updated	2026-01-11
Next Review	2027-01-11
Related Controls	SOC 2: CC7.3, CC7.4, CC7.5 / ISO 27001: A.16.1

1. Purpose

This policy establishes requirements for identifying, responding to, and recovering from security incidents. A structured incident response process minimizes damage, reduces recovery time, and supports continuous improvement of security controls.

2. Scope

This policy applies to:

Incidents: All security events that threaten confidentiality, integrity, or availability
Systems: All information systems, data, and infrastructure
Personnel: All employees, contractors, and third parties
Locations: All facilities and remote work environments

3. Policy Statements

3.1 Incident Definition

A security incident is any event that:

Compromises the confidentiality, integrity, or availability of information
Violates security policies or acceptable use policies
Involves unauthorized access to systems or data
Results from malware, phishing, or other attack vectors
Causes or may cause harm to the organization

3.2 Incident Severity Classification

Severity	Definition	Examples	Response Time
Critical (P1)	Active breach, significant data loss, business-impacting	Ransomware, confirmed data breach, complete service outage	Immediate (15 min)
High (P2)	Potential breach, significant threat, limited impact	Malware detected, privilege escalation, targeted attack	1 hour
Medium (P3)	Security violation, policy breach, contained threat	Unauthorized access attempt, phishing click, policy violation	4 hours
Low (P4)	Suspicious activity, minor violation, informational	Failed login attempts, spam, vulnerability discovered	24 hours

3.3 Incident Response Team (IRT)

Role	Responsibilities	Primary	Backup
Incident Commander	Overall coordination, decisions, communication	CISO	Security Lead
Technical Lead	Technical investigation and remediation	Security Engineer	Sr. DevOps
Communications	Internal and external communications	PR/Comms	Legal
Legal	Legal guidance, regulatory notification	General Counsel	Outside Counsel
Business Liaison	Business impact assessment	COO	Business Unit Head

3.4 Incident Response Phases

┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│ Preparation │───▶│ Detection   │───▶│ Containment │───▶│ Eradication │───▶│  Recovery   │───▶│  Lessons    │
│             │    │ & Analysis  │    │             │    │             │    │             │    │  Learned    │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘

Phase 1: Preparation

Maintain incident response plan and playbooks
Train incident response team
Test response capabilities (tabletop exercises)
Ensure tools and access are available
Maintain contact lists and escalation paths

Phase 2: Detection & Analysis

Identify and validate security events
Determine incident scope and severity
Collect and preserve evidence
Document timeline of events
Engage appropriate response team members

Phase 3: Containment

Isolate affected systems
Prevent further damage or spread
Implement short-term containment measures
Preserve evidence for investigation
Maintain business continuity where possible

Phase 4: Eradication

Remove malware or malicious artifacts
Address root cause vulnerabilities
Verify threat is eliminated
Reset compromised credentials
Patch affected systems

Phase 5: Recovery

Restore systems from clean backups
Validate system integrity
Monitor for recurrence
Gradually return to normal operations
Confirm business processes restored

Phase 6: Lessons Learned

Conduct post-incident review
Document root cause and timeline
Identify improvement opportunities
Update procedures and controls
Share learnings with stakeholders

3.5 Reporting Requirements

Internal Reporting

Incident Type	Report To	Timeline
All incidents	Security Team	Immediately
P1/P2 incidents	CISO, Executive Team	Within 1 hour
Employee-related	HR	Within 24 hours
Financial impact	CFO	Within 24 hours

External Reporting

Requirement	Notification To	Timeline
Data breach (GDPR)	Supervisory Authority	72 hours
Data breach (affected individuals)	Data Subjects	Without undue delay
Regulatory breach	Relevant Regulator	Per regulation
Law enforcement	Police/FBI	As appropriate
Cyber insurance	Insurance Carrier	Per policy terms

3.6 Evidence Handling

Requirement	Standard
Preservation	Preserve all logs, artifacts, and evidence
Chain of Custody	Document who handles evidence and when
Integrity	Hash files to verify integrity
Storage	Secure, access-controlled storage
Retention	Retain evidence for 7 years (or per legal hold)

3.7 Communication Guidelines

Do:

Use approved communication channels
Share information on need-to-know basis
Coordinate external communications through designated spokesperson
Document all communications
Follow legal guidance on disclosures

Don't:

Discuss incident on social media
Speculate about cause or impact
Communicate with attackers without authorization
Delete or modify potential evidence
Make statements that could create legal liability

3.8 Third-Party Incidents

When incidents involve third parties:

Notify third party per contractual obligations
Coordinate response activities
Document third party's response and cooperation
Review contractual remedies
Assess ongoing relationship risk

4. Roles and Responsibilities

Role	Responsibilities
All Employees	Report suspected incidents immediately
IT Operations	Provide technical support, preserve systems
Security Team	Lead investigation, coordinate response
CISO	Incident command, executive communication
Legal	Regulatory guidance, notification decisions
HR	Employee-related incidents, policy enforcement
Communications	Media and stakeholder communications

5. Implementation Checklist

Technical Controls

SIEM with incident detection capabilities
Endpoint Detection and Response (EDR) deployed
Forensic tools available
Secure communication channel for IRT
Evidence storage with access controls
Backup systems for recovery

Process Controls

Incident response plan documented
Playbooks for common incidents
IRT roles assigned with alternates
Contact list maintained
Escalation procedures defined
Tabletop exercises conducted annually
Post-incident review process defined

6. Evidence Requirements

Evidence Type	Description	Location	Retention
Incident Tickets	All incident records	Ticketing system	7 years
Investigation Reports	Detailed investigation documentation	Secure storage	7 years
Evidence Chain of Custody	Documentation of evidence handling	Secure storage	7 years
Post-Incident Reviews	Lessons learned documentation	Document repository	3 years
Tabletop Exercise Records	Exercise scenarios and outcomes	Document repository	3 years
Communication Records	Internal/external notifications	Email/document storage	7 years

7. Related Documents

8. Incident Categories

Category	Description
Malware	Virus, ransomware, trojan, worm
Phishing	Email-based social engineering
Unauthorized Access	Access without permission
Data Breach	Unauthorized data disclosure
DoS/DDoS	Denial of service attack
Insider Threat	Malicious or negligent insider
Physical Security	Unauthorized physical access
Third-Party	Vendor or partner compromise
Policy Violation	Internal policy breach

9. Version History

Version	Date	Author	Changes
1.0	2026-01-11	Security Team	Initial release

10. Approval

Role	Name	Signature	Date
CISO	_________________	_________________	________
CEO	_________________	_________________	________
Legal	_________________	_________________	________

This document is classified as INTERNAL. Unauthorized distribution is prohibited.