# Incident Response Procedure

**Version:** 1.2 | **Owner:** SOC | **Classification:** Internal

## Severity classification

| Level | Description | Initial response time | War room |
|-------|-------------|-----------------------|----------|
| P1 | Active breach / data exfiltration | 15 minutes | Mandatory |
| P2 | Suspected compromise / malware | 1 hour | If needed |
| P3 | Security anomaly / suspicious activity | 4 hours | No |
| P4 | Policy violation / low risk | Next business day | No |

## P1 / P2 response steps

1. **Contain** — isolate affected systems immediately (network isolation rather than power-off, so volatile evidence such as memory and active connections is not lost)
2. **Preserve** — snapshot disks and copy logs, with integrity hashes, before any remediation touches the host
3. **Notify** — CISO, legal, communications lead
4. **Investigate** — forensic analysis, determine scope
5. **Eradicate** — remove threat actor access
6. **Recover** — restore from clean backups
7. **Lessons learned** — post-incident review within 2 weeks

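The checklist above does not say how step 2 is carried out on a host. The following POSIX shell helper is an added example, not part of this procedure: it copies log files into a per-case evidence directory, records who collected them and when, writes a `sha256sum`-compatible manifest, marks the copy read-only, and can re-verify the manifest later. The case ID format `IR-YYYY-NNNN`, the source and destination paths, and the presence of `sha256sum` (or `shasum` on BSD/macOS) are assumptions.

```shell
#!/bin/sh
# Added example for the "Preserve" step of the IR procedure; not part of the
# original document. Case ID format, paths and hashing tool are assumptions.
set -eu

# Print the SHA-256 of one file; coreutils on Linux, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preserve_logs CASE_ID SRC_DIR DEST_DIR
# Copies every regular file below SRC_DIR into DEST_DIR/CASE_ID/logs,
# writes COLLECTION.txt (collector, host, UTC time, source) and
# MANIFEST.sha256 ("<hash>  logs/<relative path>", the sha256sum -c format),
# then removes write permission from the whole tree. Prints the case directory.
preserve_logs() {
    case_id=$1
    src=${2%/}          # strip a trailing slash so relative paths stay clean
    dest=$3
    evidence="$dest/$case_id"
    mkdir -p "$evidence/logs"
    : > "$evidence/MANIFEST.sha256"
    {
        echo "case_id=$case_id"
        echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "host=$(uname -n)"
        echo "collector=$(id -un)"
        echo "source=$src"
    } > "$evidence/COLLECTION.txt"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$evidence/logs/$(dirname "$rel")"
        cp -p "$f" "$evidence/logs/$rel"    # -p keeps mtime for the timeline
        echo "$(hash_file "$evidence/logs/$rel")  logs/$rel" \
            >> "$evidence/MANIFEST.sha256"
    done
    chmod -R a-w "$evidence"
    echo "$evidence"
}

# verify_evidence CASE_DIR
# Re-hashes every manifest entry; returns non-zero and names each file
# that is missing or no longer matches.
verify_evidence() {
    evidence=$1
    status=0
    while read -r expected rel; do
        actual=$(hash_file "$evidence/$rel" 2>/dev/null || echo missing)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $rel" >&2
            status=1
        fi
    done < "$evidence/MANIFEST.sha256"
    return $status
}
```

Typical use on the isolated host is `preserve_logs IR-2024-0001 /var/log /mnt/evidence`, followed by a disk snapshot; the manifest can also be checked with standard tooling via `cd /mnt/evidence/IR-2024-0001 && sha256sum -c MANIFEST.sha256`. Collect into a separate volume or a mounted share, never into a directory on the compromised filesystem itself, and record the manifest hash in the case ticket so that later tampering with the evidence copy is detectable.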
## Contacts

- SOC hotline: +49 69 123 456 (24/7)
- CISO: direct mobile (see 1Password "emergency contacts")
- Legal: legal@nexus.local