# Incident Response Procedure

**Version:** 1.2 | **Owner:** SOC | **Classification:** Internal

## Severity classification

| Level | Description | Initial Response Time | War room |
|-------|-------------|----------------------|----------|
| P1 | Active breach / data exfiltration | 15 minutes | Mandatory |
| P2 | Suspected compromise / malware | 1 hour | If needed |
| P3 | Security anomaly / suspicious activity | 4 hours | No |
| P4 | Policy violation / low risk | Next business day | No |

## P1 / P2 response steps

1. **Contain** — isolate affected systems immediately
2. **Preserve** — snapshot disks, preserve logs before remediation
3. **Notify** — CISO, legal, communications lead
4. **Investigate** — forensic analysis, determine scope
5. **Eradicate** — remove threat actor access
6. **Recover** — restore from clean backups
7. **Lessons learned** — post-incident review within 2 weeks

## Contacts

- SOC hotline: +49 69 123 456 (24/7)
- CISO: direct mobile (see 1Password "emergency contacts")
- Legal: legal@nexus.local