Sync template from atomicqms-style deployment

2025-12-27 11:24:11 -05:00
parent 5d75fcdd58
commit 438adf6f4f
28 changed files with 1899 additions and 2 deletions
--- a/SOPs/Incident-Response/SOP-INC-001-Incident-Response.md
+++ b/SOPs/Incident-Response/SOP-INC-001-Incident-Response.md
@@ -0,0 +1,182 @@
+# Standard Operating Procedure: Security Incident Response
+
+| Document ID | SOP-INC-001 |
+|-------------|-------------|
+| Title | Security Incident Response Procedure |
+| Revision | 1.0 |
+| Effective Date | [DATE] |
+| Author | [AUTHOR] |
+| Approved By | [APPROVER] |
+| Department | IT Security |
+
+---
+
+## 1. Purpose
+
+To establish a structured approach for detecting, responding to, containing, and recovering from security incidents to minimize impact and prevent recurrence.
+
+## 2. Scope
+
+This procedure applies to all security incidents including:
+- Unauthorized access attempts
+- Malware infections
+- Data breaches
+- Denial of service attacks
+- Phishing attacks
+- Lost or stolen devices
+- Insider threats
+- System compromises
+
+## 3. Responsibilities
+
+### 3.1 All Staff
+- Report suspected incidents immediately
+- Preserve evidence (do not turn off systems unless directed)
+- Follow instructions from incident response team
+
+### 3.2 IT Security Team
+- Triage and classify incidents
+- Lead response efforts
+- Coordinate with stakeholders
+
+### 3.3 Incident Response Manager
+- Authorize containment actions
+- Escalate to management as needed
+- Coordinate external communications
+
+## 4. Incident Classification
+
+| Severity | Criteria | Response Time |
+|----------|----------|---------------|
+| Critical | Active breach, data exfiltration, ransomware | Immediate |
+| High | Confirmed compromise, malware spreading | < 1 hour |
+| Medium | Attempted intrusion, isolated malware | < 4 hours |
+| Low | Policy violation, suspicious activity | < 24 hours |
+
+## 5. Incident Response Phases
+
+### 5.1 Phase 1: Detection and Reporting
+
+**Detection Sources:**
+- Security monitoring tools (SIEM, IDS/IPS)
+- User reports
+- Vendor notifications
+- Audit findings
+- Automated alerts
+
+**Reporting:**
+1. Document initial observations
+2. Report via security hotline or email
+3. Complete FRM-INC-001 Incident Report
+4. Do NOT attempt remediation without guidance
+
+### 5.2 Phase 2: Triage and Analysis
+
+1. **Initial Assessment**
+   - Confirm incident is genuine (vs. false positive)
+   - Classify severity level
+   - Identify affected systems/data
+   - Determine initial scope
+
+2. **Evidence Collection**
+   - System logs
+   - Network traffic captures
+   - Memory dumps (if warranted)
+   - Screenshots
+   - Preserve chain of custody
+
+3. **Escalation Decision**
+   - Critical/High: Immediate escalation to management
+   - Notify legal/compliance if data breach suspected
+   - Engage external forensics if needed
+
+### 5.3 Phase 3: Containment
+
+**Short-term Containment:**
+- Isolate affected systems from network
+- Block malicious IPs/domains
+- Disable compromised accounts
+- Preserve evidence before changes
+
+**Long-term Containment:**
+- Apply temporary fixes
+- Increase monitoring
+- Implement additional controls
+- Prepare for eradication
+
+**Containment Decision Matrix:**
+| Action | Authority Required |
+|--------|-------------------|
+| Isolate single workstation | Security Team |
+| Disable user account | Security Manager |
+| Block network segment | IT Director |
+| Shut down production system | Executive approval |
+
+### 5.4 Phase 4: Eradication
+
+1. Identify root cause
+2. Remove malware/backdoors
+3. Patch vulnerabilities exploited
+4. Reset compromised credentials
+5. Verify removal is complete
+
+### 5.5 Phase 5: Recovery
+
+1. Restore systems from clean backups
+2. Rebuild if necessary
+3. Verify integrity before reconnecting
+4. Monitor closely post-recovery
+5. Confirm normal operations
+
+### 5.6 Phase 6: Post-Incident Review
+
+**Conduct within 5 business days:**
+- Timeline reconstruction
+- Root cause analysis
+- Response effectiveness review
+- Lessons learned
+- Improvement recommendations
+
+**Documentation:**
+- Complete FRM-INC-002 Post-Incident Report
+- Update procedures as needed
+- Brief stakeholders
+
+## 6. Communication Guidelines
+
+### Internal Communication
+| Audience | Information | Method |
+|----------|-------------|--------|
+| Executive Team | Status, business impact, decisions needed | Phone/meeting |
+| IT Staff | Technical details, actions required | Secure channel |
+| All Staff | General awareness (if warranted) | Email |
+
+### External Communication
+- All external communications through designated spokesperson
+- Coordinate with Legal and PR
+- Regulatory notifications per compliance requirements
+- Customer notifications per contract/law
+
+## 7. Regulatory Notification Requirements
+
+| Regulation | Notification Timeframe | Authority |
+|------------|----------------------|-----------|
+| HIPAA | 60 days (breach of >500) | HHS OCR |
+| GDPR | 72 hours | Supervisory Authority |
+| PCI DSS | Immediately | Card brands, acquirer |
+| State Laws | Varies | State AG |
+
+## 8. Related Documents
+
+- FRM-INC-001 Incident Report Form
+- FRM-INC-002 Post-Incident Report
+- Contact list for incident response team
+- Vendor/partner contact list
+
+---
+
+## Revision History
+
+| Rev | Date | Description | Author |
+|-----|------|-------------|--------|
+| 1.0 | [DATE] | Initial release | [AUTHOR] |