Add incident response procedure v1.2
parent 43db8c2395
commit 4b3192bc0f
1 changed files with 28 additions and 0 deletions
28
procedures/incident-response.md
Normal file
@ -0,0 +1,28 @@
# Incident Response Procedure
**Version:** 1.2 | **Owner:** SOC | **Classification:** Internal
## Severity classification
| Level | Description | Initial Response Time | War room |
|-------|-------------|----------------------|---------|
| P1 | Active breach / data exfiltration | 15 minutes | Mandatory |
| P2 | Suspected compromise / malware | 1 hour | If needed |
| P3 | Security anomaly / suspicious activity | 4 hours | No |
| P4 | Policy violation / low risk | Next business day | No |
## P1 / P2 response steps
1. **Contain** — isolate affected systems immediately
2. **Preserve** — snapshot disks, preserve logs before remediation
3. **Notify** — CISO, legal, communications lead
4. **Investigate** — forensic analysis, determine scope
5. **Eradicate** — remove threat actor access
6. **Recover** — restore from clean backups
7. **Lessons learned** — post-incident review within 2 weeks
## Contacts
- SOC hotline: +49 69 123 456 (24/7)
- CISO: direct mobile (see 1Password "emergency contacts")
- Legal: legal@nexus.local
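Review bot: step 1 (**Contain**) runs before step 2 (**Preserve**), so an isolation done by powering off or re-imaging the host discards volatile evidence (memory, live network connections, running processes) before the disk snapshot and log preservation in step 2 happen. Suggest either swapping the two steps or qualifying step 1 so containment is network-level and non-destructive, e.g. `1. **Contain** — isolate affected systems at the network level (keep them powered on; no reboot, wipe or re-image before step 2)`. Two smaller points: in the Contacts section the CISO's number is reachable only via 1Password, which may itself be unavailable during a P1 that involves identity or SaaS compromise, so an out-of-band copy belongs here; and step 6 (**Recover**) should state that a backup counts as "clean" only if it is verified to predate the initial compromise found in step 4, otherwise the restore re-introduces the attacker's foothold. The severity table also does not say who assigns the level or how an incident is escalated from P3/P4 to P1/P2 once scope grows.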