# Incident Response Procedure

Version: 1.2 | Owner: SOC | Classification: Internal

## Severity classification

| Level | Description | Initial Response Time | War room |
|---|---|---|---|
| P1 | Active breach / data exfiltration | 15 minutes | Mandatory |
| P2 | Suspected compromise / malware | 1 hour | If needed |
| P3 | Security anomaly / suspicious activity | 4 hours | No |
| P4 | Policy violation / low risk | Next business day | No |

## P1 / P2 response steps

- Contain — isolate affected systems immediately
- Preserve — snapshot disks, preserve logs before remediation
- Notify — CISO, legal, communications lead
- Investigate — forensic analysis, determine scope
- Eradicate — remove threat actor access
- Recover — restore from clean backups
- Lessons learned — post-incident review within 2 weeks

## Contacts

- SOC hotline: +49 69 123 456 (24/7)
- CISO: direct mobile (see 1Password "emergency contacts")
- Legal: legal@nexus.local

## Regulatory notification requirements

For incidents involving personal data, the supervisory authority (BfDI) must be notified within 72 hours if the breach is likely to result in a risk to individuals. Contact the DPO immediately upon any P1 incident involving customer data.