# Standard Operating Procedure: Security Incident Response

| Document ID | SOP-INC-001 |
|-------------|-------------|
| Title | Security Incident Response Procedure |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | IT Security |

---

## 1. Purpose

To establish a structured approach for detecting, responding to, containing, and recovering from security incidents in order to minimize impact and prevent recurrence.

## 2. Scope

This procedure applies to all security incidents, including:

- Unauthorized access attempts
- Malware infections
- Data breaches
- Denial of service attacks
- Phishing attacks
- Lost or stolen devices
- Insider threats
- System compromises

## 3. Responsibilities

### 3.1 All Staff

- Report suspected incidents immediately
- Preserve evidence (do not turn off systems unless directed; powering off destroys memory-resident evidence)
- Follow instructions from the incident response team

### 3.2 IT Security Team

- Triage and classify incidents
- Lead response efforts
- Coordinate with stakeholders

### 3.3 Incident Response Manager

- Authorize containment actions
- Escalate to management as needed
- Coordinate external communications

## 4. Incident Classification

| Severity | Criteria | Response Time |
|----------|----------|---------------|
| Critical | Active breach, data exfiltration, ransomware | Immediate |
| High | Confirmed compromise, malware spreading | < 1 hour |
| Medium | Attempted intrusion, isolated malware | < 4 hours |
| Low | Policy violation, suspicious activity | < 24 hours |

## 5. Incident Response Phases

### 5.1 Phase 1: Detection and Reporting

**Detection Sources:**

- Security monitoring tools (SIEM, IDS/IPS)
- User reports
- Vendor notifications
- Audit findings
- Automated alerts

**Reporting:**

1. Document initial observations
2. Report via the security hotline or email
3. Complete FRM-INC-001 Incident Report
4. Do NOT attempt remediation without guidance

### 5.2 Phase 2: Triage and Analysis

1. **Initial Assessment**
   - Confirm the incident is genuine (not a false positive)
   - Classify severity level
   - Identify affected systems and data
   - Determine initial scope
2. **Evidence Collection**
   - System logs
   - Network traffic captures
   - Memory dumps (if warranted)
   - Screenshots
   - Preserve chain of custody: record who collected each artifact, when, and its cryptographic hash at collection time, and log every hand-off
3. **Escalation Decision**
   - Critical/High: immediate escalation to management
   - Notify Legal/Compliance if a data breach is suspected
   - Engage external forensics if needed

### 5.3 Phase 3: Containment

**Short-term Containment:**

- Isolate affected systems from the network
- Block malicious IPs/domains
- Disable compromised accounts
- Preserve evidence before making changes (capture volatile data such as memory and active network connections first; it is lost on reboot or power-off)

**Long-term Containment:**

- Apply temporary fixes
- Increase monitoring
- Implement additional controls
- Prepare for eradication

**Containment Decision Matrix:**

| Action | Authority Required |
|--------|-------------------|
| Isolate single workstation | Security Team |
| Disable user account | Security Manager |
| Block network segment | IT Director |
| Shut down production system | Executive approval |

### 5.4 Phase 4: Eradication

1. Identify root cause
2. Remove malware/backdoors
3. Patch the vulnerabilities that were exploited
4. Reset compromised credentials (after the attacker's access path is closed, so the new credentials are not captured again)
5. Verify removal is complete

### 5.5 Phase 5: Recovery

1. Restore systems from clean backups (taken before the compromise and checked for the attacker's artifacts)
2. Rebuild if necessary
3. Verify integrity before reconnecting
4. Monitor closely post-recovery
5. Confirm normal operations

### 5.6 Phase 6: Post-Incident Review

**Conduct within 5 business days:**

- Timeline reconstruction
- Root cause analysis
- Response effectiveness review
- Lessons learned
- Improvement recommendations

**Documentation:**

- Complete FRM-INC-002 Post-Incident Report
- Update procedures as needed
- Brief stakeholders

## 6. Communication Guidelines

### Internal Communication

| Audience | Information | Method |
|----------|-------------|--------|
| Executive Team | Status, business impact, decisions needed | Phone/meeting |
| IT Staff | Technical details, actions required | Secure channel |
| All Staff | General awareness (if warranted) | Email |

If the incident may have compromised email, chat, or the identity provider, assume the attacker can read those systems and coordinate over an out-of-band channel instead.

### External Communication

- All external communications go through the designated spokesperson
- Coordinate with Legal and PR
- Regulatory notifications per compliance requirements
- Customer notifications per contract/law

## 7. Regulatory Notification Requirements

The timeframes below are summaries; Legal/Compliance confirms the obligations that apply to each incident.

| Regulation | Notification Timeframe | Authority |
|------------|----------------------|-----------|
| HIPAA | Without unreasonable delay and no later than 60 days after discovery for breaches affecting 500 or more individuals (smaller breaches are logged and reported annually) | HHS OCR |
| GDPR | 72 hours after becoming aware of the breach | Supervisory Authority |
| PCI DSS | Immediately, per card brand and acquirer rules | Card brands, acquirer |
| State Laws | Varies by state | State AG |

## 8. Related Documents

- FRM-INC-001 Incident Report Form
- FRM-INC-002 Post-Incident Report
- Contact list for incident response team
- Vendor/partner contact list

---

## Revision History

| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
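## Appendix A: Evidence Hashing Example

The chain-of-custody step in Phase 2 (hash each artifact at collection, log every hand-off, re-verify before analysis) is shown below as an added example; it is not part of SOP-INC-001 and not tooling this procedure mandates. The `EvidenceManifest` class, the incident ID, the analyst names and the sample `auth.log` lines are all hypothetical, constructed for the demonstration. It stores a SHA-256 of each collected file in a JSON manifest, appends custody transfers, and on verification detects that a file was modified after collection.

```python
"""Evidence manifest with chain-of-custody log.

Added example for SOP-INC-001, not part of the procedure. Assumes artifacts are
files on the collector's workstation and the manifest is a JSON file kept with
them. All names (EvidenceManifest, incident/analyst IDs) are hypothetical.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024


def sha256_file(path):
    """Stream the file so large captures (pcaps, memory images) need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class EvidenceManifest:
    def __init__(self, incident_id):
        self.data = {"incident_id": incident_id, "artifacts": []}

    def add_artifact(self, path, collected_by, description):
        """Record hash, size and collector at collection time; returns the artifact ID."""
        path = Path(path)
        entry = {
            "id": f"{self.data['incident_id']}-E{len(self.data['artifacts']) + 1:03d}",
            "filename": path.name,
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "description": description,
            "collected_by": collected_by,
            "collected_at": _now(),
            "custody": [],  # every hand-off is appended here, never rewritten
        }
        self.data["artifacts"].append(entry)
        return entry["id"]

    def transfer(self, artifact_id, from_person, to_person, reason):
        self._find(artifact_id)["custody"].append(
            {"from": from_person, "to": to_person, "reason": reason, "at": _now()})

    def verify(self, artifact_id, path):
        """Recompute the hash and compare with the value recorded at collection."""
        entry = self._find(artifact_id)
        current = sha256_file(path)
        return current == entry["sha256"]

    def _find(self, artifact_id):
        for e in self.data["artifacts"]:
            if e["id"] == artifact_id:
                return e
        raise KeyError(artifact_id)

    def save(self, path):
        Path(path).write_text(json.dumps(self.data, indent=2, sort_keys=True))

    @classmethod
    def load(cls, path):
        m = cls("")
        m.data = json.loads(Path(path).read_text())
        return m


def demo(workdir=None):
    """Collect a constructed log, log a hand-off, then detect post-collection tampering.

    Returns (verified_before_tamper, verified_after_tamper, custody_entries).
    """
    workdir = Path(workdir or tempfile.mkdtemp())
    log = workdir / "auth.log"
    # Constructed sample log lines for the demonstration, not real data.
    log.write_text(
        "Jan 10 03:14:07 host sshd[4121]: Failed password for root from 198.51.100.7 port 50222 ssh2\n"
        "Jan 10 03:14:09 host sshd[4121]: Accepted password for root from 198.51.100.7 port 50222 ssh2\n")

    m = EvidenceManifest("INC-0001")
    aid = m.add_artifact(log, "analyst1", "auth.log copied from host before isolation")
    m.transfer(aid, "analyst1", "forensics-vendor", "external analysis")
    manifest_path = workdir / "manifest.json"
    m.save(manifest_path)

    ok_before = EvidenceManifest.load(manifest_path).verify(aid, log)
    # Simulate tampering: a line is appended to the "evidence" after collection.
    with open(log, "a") as f:
        f.write("Jan 10 03:20:00 host sshd[4121]: Disconnected\n")
    ok_after = EvidenceManifest.load(manifest_path).verify(aid, log)
    custody = len(EvidenceManifest.load(manifest_path)._find(aid)["custody"])
    return ok_before, ok_after, custody


if __name__ == "__main__":
    print(demo())
```

Keep the manifest on write-once or access-controlled storage separate from the artifacts it describes; a hash list the attacker can edit alongside the evidence proves nothing.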