security-policy-as-code-framework-model

1. Overview

This document provides the step-by-step process for all employees and contractors to report a suspected security incident. Timely and accurate reporting is critical for an effective incident response.

2. Prerequisites

3. Process Steps

  1. Discover a Potential Incident: The process begins when an employee, or an automated system, notices something that may be a security incident.
    • Examples: Receiving a suspicious email, noticing unusual activity on a laptop, seeing an alert from a security tool, losing a company device.
  2. Choose Reporting Channel: Select the appropriate channel based on urgency.
    • High Urgency (Active threat, system compromise in progress):
      • Action: Immediately call the 24/7 Security Operations Center (SOC) hotline at x12345.
    • Medium/Low Urgency (Suspicious email, non-critical issue):
      • Action: Email the Incident Response Team at incident.response@example.com OR post in the #security-incidents Slack channel. For suspicious emails, use the “Report Phishing” button in the email client.
  3. Provide Key Information: When making the report, include as much detail as you can, but do not put sensitive data in the initial report (especially in Slack).
    • Required Information:
      • Your name and contact information.
      • A clear description of the suspected incident.
      • Date and time the event was observed.
      • Any systems, data, or users known to be affected.
      • (For email reports) Forward the suspicious email as an attachment.
  4. Preserve Evidence:
    • Action: Do not turn off, restart, or alter the state of an affected system. Do not delete suspicious emails or log files. Await instructions from the Incident Response Team (IRT).
  5. Await Instruction: The IRT will acknowledge your report and provide further instructions.
    • Action: Follow all instructions provided by the IRT. Do not discuss the incident with anyone outside of the response team.

4. Expected Outcomes