1. Overview
This policy establishes the framework for responding to security incidents in a coordinated and effective manner. The goal is to minimize the impact of incidents, restore normal operations as quickly as possible, and prevent future occurrences.
2. Scope
This policy applies to all employees, contractors, and third parties, and it covers all security incidents involving company assets, data, or personnel. A security incident is any event that compromises the confidentiality, integrity, or availability of our systems or data.
3. Policy Statements
- PS-1: Incident Response Team (IRT): A dedicated Incident Response Team (IRT) is established and maintained with clearly defined roles, responsibilities, and authority to manage security incidents.
- PS-2: Incident Response Lifecycle: The incident response process must follow the standard lifecycle: Preparation, Detection & Analysis, Containment, Eradication, and Recovery.
- PS-3: Incident Reporting: All suspected security incidents must be reported immediately to the IRT in accordance with the incident-reporting-process.md.
- PS-4: Post-Incident Review: All security incidents must undergo a post-incident review (post-mortem) to identify the root cause and lessons learned. The results must be used to improve security controls and processes.
- PS-5: Communication: The IRT is responsible for managing all internal and external communications related to a security incident, in coordination with Legal, HR, and Corporate Communications.
4. Roles and Responsibilities
- Incident Response Team (IRT): The IRT has overall responsibility for managing the incident response lifecycle.
- Security Operations Center (SOC): Responsible for initial detection, analysis, and escalation of potential incidents.
- Legal & HR Teams: Provide guidance on legal, regulatory, and employee-related matters during an incident.
- All Employees: Responsible for immediately reporting any suspected security incidents.
5. Compliance
- Measurement: Compliance with this policy will be measured by tracking incident response metrics (e.g., time to detect, time to contain) and through regular tabletop exercises and simulations.
- Exceptions: Any exception to this policy must be formally documented and approved by the Head of Incident Response and the CISO.
- Enforcement: Failure to report a known security incident or obstructing an investigation may result in disciplinary action.
Applicable Controls
- ISO 27001: A.16.1
- SOC 2: CC7.3
- NIST CSF: DE.CM-8, DE.AE-2