diff --git a/procedures/incident-response.md b/procedures/incident-response.md new file mode 100644 index 0000000..669e712 --- /dev/null +++ b/procedures/incident-response.md @@ -0,0 +1,28 @@ +# Incident Response Procedure + +**Version:** 1.2 | **Owner:** SOC | **Classification:** Internal + +## Severity classification + +| Level | Description | Initial Response Time | War room | +|-------|-------------|----------------------|---------| +| P1 | Active breach / data exfiltration | 15 minutes | Mandatory | +| P2 | Suspected compromise / malware | 1 hour | If needed | +| P3 | Security anomaly / suspicious activity | 4 hours | No | +| P4 | Policy violation / low risk | Next business day | No | + +## P1 / P2 response steps + +1. **Contain** — isolate affected systems immediately +2. **Preserve** — snapshot disks, preserve logs before remediation +3. **Notify** — CISO, legal, communications lead +4. **Investigate** — forensic analysis, determine scope +5. **Eradicate** — remove threat actor access +6. **Recover** — restore from clean backups +7. **Lessons learned** — post-incident review within 2 weeks + +## Contacts + +- SOC hotline: +49 69 123 456 (24/7) +- CISO: direct mobile (see 1Password "emergency contacts") +- Legal: legal@nexus.local
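Review bot: the ordering of steps 1 and 2 in the "P1 / P2 response steps" list risks destroying evidence: `1. **Contain** — isolate affected systems immediately` comes before `2. **Preserve** — snapshot disks, preserve logs before remediation`, but containment methods such as powering off or rebooting a host wipe volatile state (memory, running processes, network connections) that the later "Investigate — forensic analysis, determine scope" step depends on. Suggest specifying that containment means network isolation rather than shutdown, and adding a memory capture to the Preserve step (or folding "capture volatile data before isolating" into step 1) so the two steps do not conflict. Minor: the "Notify" step lists CISO, legal and communications but gives no criterion or deadline for external/regulatory notification, which a P1 "data exfiltration" case will need; a pointer to the legal contact's decision on that would close the gap.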