it-infrastructure/SOPs/Incident-Response/SOP-INC-001-Incident-Response.md

Standard Operating Procedure: Security Incident Response

| Field | Value |
|---|---|
| Document ID | SOP-INC-001 |
| Title | Security Incident Response Procedure |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | IT Security |

1. Purpose

To establish a structured approach for detecting, responding to, containing, and recovering from security incidents to minimize impact and prevent recurrence.

2. Scope

This procedure applies to all security incidents including:

  • Unauthorized access attempts
  • Malware infections
  • Data breaches
  • Denial of service attacks
  • Phishing attacks
  • Lost or stolen devices
  • Insider threats
  • System compromises

3. Responsibilities

3.1 All Staff

  • Report suspected incidents immediately
  • Preserve evidence (do not power off, reboot or log out of affected systems unless directed: memory contents, running processes and network connections are lost on shutdown)
  • Follow instructions from incident response team

3.2 IT Security Team

  • Triage and classify incidents
  • Lead response efforts
  • Coordinate with stakeholders

3.3 Incident Response Manager

  • Authorize containment actions
  • Escalate to management as needed
  • Coordinate external communications

4. Incident Classification

| Severity | Criteria | Response Time |
|---|---|---|
| Critical | Active breach, data exfiltration, ransomware | Immediate |
| High | Confirmed compromise, malware spreading | < 1 hour |
| Medium | Attempted intrusion, isolated malware | < 4 hours |
| Low | Policy violation, suspicious activity | < 24 hours |

5. Incident Response Phases

5.1 Phase 1: Detection and Reporting

Detection Sources:

  • Security monitoring tools (SIEM, IDS/IPS)
  • User reports
  • Vendor notifications
  • Audit findings
  • Automated alerts

Reporting:

  1. Document initial observations
  2. Report via security hotline or email
  3. Complete FRM-INC-001 Incident Report
  4. Do NOT attempt remediation without guidance

5.2 Phase 2: Triage and Analysis

  1. Initial Assessment

    • Confirm incident is genuine (vs. false positive)
    • Classify severity level
    • Identify affected systems/data
    • Determine initial scope
  2. Evidence Collection (most volatile first)

    • Memory dumps and listings of running processes and network connections (if warranted, and taken before the system is isolated or powered down)
    • Network traffic captures
    • System logs (copied, not moved; originals left in place where possible)
    • Screenshots
    • Preserve chain of custody: hash each artefact at collection, record who collected what from which system and when, and log every hand-off
  3. Escalation Decision

    • Critical/High: Immediate escalation to management
    • Notify legal/compliance if data breach suspected
    • Engage external forensics if needed
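The initial-assessment steps above (confirm the alert is genuine, classify severity, identify affected systems) can be partly automated against a SIEM export using the severity table from section 4. The following is an added example written for this SOP, not tooling from the original document; the tab-separated log format, the host names, the addresses and the thresholds (five failures in ten minutes) are constructed assumptions.

```python
"""Triage helper for phase 2: confirm that an alert is genuine by correlating
the surrounding events, assign a severity from the section 4 table and
compute the response deadline.

Added example for this SOP, not tooling from the original document. The
tab-separated log format, host names and addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Section 4: maximum time to first response per severity.
RESPONSE_TIME = {
    "Critical": timedelta(0),
    "High": timedelta(hours=1),
    "Medium": timedelta(hours=4),
    "Low": timedelta(hours=24),
}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# Actions that meet the "Critical" criteria on their own (ransomware, exfiltration).
CRITICAL_ACTIONS = {"ransomware_behavior", "data_exfiltration"}

# Constructed SIEM export: ISO-8601 UTC timestamp, source, host, action, actor.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z\tauth\tweb01\tlogin_failed\t203.0.113.7
2024-03-01T08:00:03Z\tauth\tweb01\tlogin_failed\t203.0.113.7
2024-03-01T08:00:05Z\tauth\tweb01\tlogin_failed\t203.0.113.7
2024-03-01T08:00:08Z\tauth\tweb01\tlogin_failed\t203.0.113.7
2024-03-01T08:00:10Z\tauth\tweb01\tlogin_failed\t203.0.113.7
2024-03-01T08:00:12Z\tauth\tweb01\tlogin_success\t203.0.113.7
2024-03-01T08:15:00Z\tauth\tvpn01\tlogin_failed\t198.51.100.4
2024-03-01T08:30:00Z\tedr\twks-117\tmalware_detected\tTrojan.Generic
2024-03-01T08:31:00Z\tedr\twks-042\tmalware_detected\tTrojan.Generic
2024-03-01T08:40:00Z\tauth\tweb01\tlogin_success\tjsmith
2024-03-01T09:05:00Z\tedr\tfs01\transomware_behavior\tmass_file_rename
"""


@dataclass
class Event:
    ts: datetime
    source: str   # auth | edr
    host: str
    action: str
    actor: str    # client address, user or detection name, depending on the source


@dataclass
class Finding:
    severity: str
    summary: str
    detected: datetime   # time of the event that confirmed the finding
    deadline: datetime   # detected + response time from section 4


def parse_line(line: str) -> Event:
    ts, source, host, action, actor = line.rstrip("\n").split("\t")
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), source, host, action, actor)


def triage(lines, failure_threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []

    def add(severity, summary, detected):
        findings.append(Finding(severity, summary, detected, detected + RESPONSE_TIME[severity]))

    # Rule 1: password guessing. A run of failures inside the window that ends in a
    # success is a confirmed compromise (High); a run with no success is an attempt (Medium).
    failures = defaultdict(list)
    for e in events:
        if e.source != "auth":
            continue
        key = (e.actor, e.host)
        if e.action == "login_failed":
            failures[key] = [t for t in failures[key] if e.ts - t <= window] + [e.ts]
        elif e.action == "login_success" and len(failures[key]) >= failure_threshold:
            add("High", f"{len(failures[key])} failed logins then success on {e.host} from {e.actor}", e.ts)
            failures[key] = []
    for (actor, host), times in failures.items():
        if len(times) >= failure_threshold:
            add("Medium", f"{len(times)} failed logins on {host} from {actor}, no success", times[-1])

    # Rule 2: malware detections. One host is "isolated malware" (Medium); two or more
    # hosts with a detection in the same export is "malware spreading" (High).
    infected = {}
    for e in events:
        if e.source == "edr" and e.action == "malware_detected":
            infected[e.host] = e.ts
    if len(infected) >= 2:
        add("High", f"malware detected on {len(infected)} hosts: {', '.join(sorted(infected))}", max(infected.values()))
    elif infected:
        (host, ts), = infected.items()
        add("Medium", f"malware detected on {host}", ts)

    # Rule 3: single events that are Critical on their own.
    for e in events:
        if e.action in CRITICAL_ACTIONS:
            add("Critical", f"{e.action} on {e.host} ({e.actor})", e.ts)

    # Everything else (a lone failed login, an ordinary success) is noise, not an incident.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.detected))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:8} respond by {f.deadline:%Y-%m-%d %H:%M}Z  {f.summary}")
```

The point of the "noise" path is the false-positive check in step 1: a single failed VPN login and a user's normal success produce no finding at all, while the same failure pattern ending in a success is escalated to High with a one-hour deadline. The rules are deliberately small; the thresholds and the mapping of patterns to section 4 criteria are the parts a team should tune to its own environment.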

5.3 Phase 3: Containment

Short-term Containment:

  • Isolate affected systems from the network (switch port, VLAN or EDR isolation rather than power-off, so that volatile evidence survives)
  • Block malicious IPs/domains at the perimeter and in DNS, after checking that no indicator belongs to internal, partner or own public infrastructure
  • Disable compromised accounts and revoke their active sessions and tokens
  • Preserve evidence before changes
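"Preserve evidence before changes" above and the chain-of-custody requirement in 5.2 both come down to the same mechanism: hash every artefact at collection, record who took it from where and when, and re-verify the set at each hand-off. The following is an added example written for this SOP, not tooling from the original document; the case identifier, the people, the host and the file contents are constructed.

```python
"""Evidence intake with a verifiable chain of custody: hash every collected
artefact, record who collected it from where and when, and re-verify the
set whenever it changes hands.

Added example for this SOP, not tooling from the original document. The
case identifier, names and file contents are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so that packet captures and memory dumps need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str, source_host: str) -> dict:
    """Inventory every file under evidence_dir (except a previous manifest) with size and SHA-256."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    items = []
    for path in sorted(p for p in Path(evidence_dir).rglob("*") if p.is_file() and p.name != MANIFEST_NAME):
        items.append({
            "path": path.relative_to(evidence_dir).as_posix(),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "case_id": case_id,
        "source_host": source_host,
        "items": items,
        # Every hand-off appends an entry here; the first entry is the collection itself.
        "custody": [{"action": "collected", "by": collector, "at": now}],
    }


def transfer(manifest: dict, from_person: str, to_person: str) -> None:
    """Record a hand-off. Both parties should then re-run verify() and sign the manifest hash."""
    manifest["custody"].append({
        "action": "transferred", "from": from_person, "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    })


def write_manifest(evidence_dir: Path, manifest: dict) -> str:
    """Write the manifest and return its SHA-256. Record that hash outside the evidence
    store (case ticket, signed e-mail) so that a later edit of the manifest is detectable."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (Path(evidence_dir) / MANIFEST_NAME).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify(evidence_dir: Path, manifest: dict) -> list:
    """Return one problem per item that is missing or whose content no longer matches."""
    problems = []
    for item in manifest["items"]:
        path = Path(evidence_dir) / item["path"]
        if not path.is_file():
            problems.append(f"missing: {item['path']}")
        elif sha256_file(path) != item["sha256"]:
            problems.append(f"modified: {item['path']}")
    return problems


def demo() -> tuple:
    """Collect two constructed artefacts, verify them, then show that a later edit is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        (evidence / "auth.log").write_text("Mar  1 08:00:12 web01 sshd[1234]: Accepted password for admin\n")
        (evidence / "netstat.txt").write_text("tcp 0 0 10.20.30.40:51234 203.0.113.7:443 ESTABLISHED\n")
        manifest = build_manifest(evidence, "INC-2024-0042", "a.analyst", "web01")
        manifest_hash = write_manifest(evidence, manifest)
        clean = verify(evidence, manifest)
        transfer(manifest, "a.analyst", "b.forensics")
        # Someone "tidies" a log after collection: the hash comparison catches it.
        (evidence / "auth.log").write_text(
            "Mar  1 08:00:12 web01 sshd[1234]: Accepted password for admin\n# reviewed\n")
        tampered = verify(evidence, manifest)
        return clean, tampered, len(manifest["custody"]), manifest_hash


if __name__ == "__main__":
    print(demo())
```

The manifest alone does not prove custody: whoever can edit the evidence directory can edit MANIFEST.json too. What makes the chain tamper-evident is that the manifest hash returned by write_manifest is recorded somewhere the collector cannot silently change (the case ticket, FRM-INC-001, a signed message), and that each party re-runs verify() at a hand-off before accepting the evidence.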

Long-term Containment:

  • Apply temporary fixes
  • Increase monitoring
  • Implement additional controls
  • Prepare for eradication

Containment Decision Matrix:

| Action | Authority Required |
|---|---|
| Isolate single workstation | Security Team |
| Disable user account | Security Manager |
| Block network segment | IT Director |
| Shut down production system | Executive approval |
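The "block malicious IPs/domains" step in short-term containment is where self-inflicted outages happen: an indicator list pasted from a vendor report can contain defanged addresses, internal hosts, the organisation's own mail server or a range wide enough to be a segment block that the matrix above reserves for the IT Director. The following is an added example written for this SOP, not tooling from the original document; it validates an indicator list before producing nftables set elements and DNS RPZ records. The indicators, the internal zone `corp.example`, the "own public range" 198.51.100.0/24 and the set names `c2_v4`/`c2_v6` in table `inet filter` are constructed assumptions.

```python
"""Turn the indicators from triage into perimeter and DNS block entries, while
refusing anything that would cut off the organisation's own infrastructure.

Added example for this SOP, not tooling from the original document. The
indicators, the internal zone, the "own" public range and the nftables set
names are constructed assumptions."""
import ipaddress
import re

# Assumption: address space that must never be blocked at the perimeter. RFC 1918,
# loopback, link-local, multicast, plus one block standing in for our own public range.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
    "198.51.100.0/24",   # assumption: the organisation's own public range
)]
INTERNAL_ZONES = {"corp.example"}   # assumption: DNS zones we serve ourselves
MAX_PREFIX = {4: 24, 6: 48}          # anything wider is a segment block, not an indicator
DNS_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed indicator list, as an analyst might paste it from reports and alerts.
SAMPLE_IOCS = [
    "203.0.113.7",                             # C2 address from the EDR alert
    "203[.]0[.]113[.]7",                       # the same address, defanged in a vendor report
    "203.0.113.64/26",                         # hosting range used by the same actor
    "hxxp://evil-updates[.]test/payload.bin",  # download URL; only the host is blockable here
    "mail.corp.example",                       # analyst mistake: our own mail server
    "10.20.30.40",                             # internal pivot host: isolate it, do not edge-block it
    "2001:db8::bad",                           # IPv6 C2
    "not an indicator",
]


def classify_ioc(raw: str):
    """Return ("net", IPv4Network|IPv6Network), ("domain", str) or ("reject", reason)."""
    s = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    m = re.match(r"^https?://([^/?#]+)", s)
    if m:
        s = m.group(1)                      # keep only the host part of a URL
    try:
        net = ipaddress.ip_network(s, strict=False)
    except ValueError:
        net = None
    if net is not None:
        # overlaps() is False across IP versions, so one list covers both.
        if any(net.overlaps(b) for b in NEVER_BLOCK):
            return "reject", f"{s}: overlaps internal, reserved or own address space"
        if net.prefixlen < MAX_PREFIX[net.version]:
            return "reject", f"{s}: wider than /{MAX_PREFIX[net.version]}, needs a segment-level decision"
        return "net", net
    host = s.rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(DNS_LABEL.match(label) for label in labels):
        return "reject", f"{raw.strip()}: not a valid address or domain name"
    if any(host == z or host.endswith("." + z) for z in INTERNAL_ZONES):
        return "reject", f"{host}: inside an internal zone"
    return "domain", host


def build_blocklist(iocs) -> dict:
    """Validate, de-duplicate and render indicators as nft set elements and RPZ records."""
    nets = {4: [], 6: []}
    domains, rejected = [], []
    for raw in iocs:
        kind, value = classify_ioc(raw)
        if kind == "net":
            nets[value.version].append(value)
        elif kind == "domain":
            if value not in domains:
                domains.append(value)
        else:
            rejected.append(value)
    out = {"nft": [], "rpz": [], "rejected": rejected}
    for version, set_name in ((4, "c2_v4"), (6, "c2_v6")):
        # collapse_addresses merges duplicates and sub-ranges into the minimal set of networks.
        for net in ipaddress.collapse_addresses(nets[version]):
            elem = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
            out["nft"].append(f"add element inet filter {set_name} {{ {elem} }}")
    for d in domains:
        out["rpz"].append(f"{d} CNAME .")      # RPZ: CNAME . returns NXDOMAIN
        out["rpz"].append(f"*.{d} CNAME .")
    return out


if __name__ == "__main__":
    for section, lines in build_blocklist(SAMPLE_IOCS).items():
        print(section)
        for line in lines:
            print("  ", line)
```

The nft elements assume the sets already exist with `flags interval` so that CIDR elements are accepted. The rejected entries are not discarded: the internal pivot host and the mis-pasted mail server go back to the analyst, since the first needs host isolation under the first row of the matrix and the second is a typo, not a target.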

5.4 Phase 4: Eradication

  1. Identify root cause
  2. Remove malware/backdoors, including persistence mechanisms (scheduled tasks, services, startup entries, added accounts and keys)
  3. Patch vulnerabilities exploited
  4. Reset compromised credentials (user passwords, service accounts, API keys and tokens the attacker could have read) and invalidate existing sessions; do this after the attacker's access path is closed, or the new credentials are exposed as well
  5. Verify removal is complete by re-scanning for the indicators identified during analysis

5.5 Phase 5: Recovery

  1. Restore systems from clean backups (taken before the initial compromise as established during analysis; verify backup integrity first)
  2. Rebuild if necessary
  3. Verify integrity before reconnecting
  4. Monitor closely post-recovery for recurrence of the indicators
  5. Confirm normal operations

5.6 Phase 6: Post-Incident Review

Conduct within 5 business days:

  • Timeline reconstruction
  • Root cause analysis
  • Response effectiveness review
  • Lessons learned
  • Improvement recommendations
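Timeline reconstruction is mostly a normalisation problem: syslog hosts write local time without a year, Windows event exports use UTC, firewalls log epoch seconds and EDR consoles use ISO-8601 with an offset, and a timeline built without converting all of them to UTC puts events in the wrong order. The following is an added example written for this SOP, not tooling from the original document; the log lines and hosts are constructed, and the assumptions that syslog hosts ran at UTC+1 and that the missing year is the year of the case are labelled in the code.

```python
"""Timeline reconstruction for the post-incident review: normalise events from
sources with different timestamp conventions into one UTC-ordered sequence.

Added example for this SOP, not tooling from the original document. The log
lines and hosts are constructed; the syslog time zone and the year taken
from the case are assumptions."""
import re
from datetime import datetime, timedelta, timezone

INCIDENT_YEAR = 2024                        # assumption: syslog lines carry no year, take it from the case
SYSLOG_TZ = timezone(timedelta(hours=1))    # assumption: syslog hosts log in local time, UTC+1

# Constructed lines from four sources, deliberately out of order.
SAMPLE_LINES = [
    "1709280600 fw01 DENY 10.20.30.40 -> 203.0.113.64:443",                   # firewall: epoch seconds
    "Mar  1 09:05:44 web01 sudo: admin : COMMAND=/usr/bin/curl 203.0.113.7",  # syslog: local time, no year
    "2024-03-01T07:30:00Z,wks-117,4688,payload.exe started by jsmith",        # Windows event export: UTC
    "2024-03-01T09:20:00+01:00 edr wks-117 quarantined payload.exe",          # EDR: ISO-8601 with offset
    "Mar  1 08:00:12 web01 sshd[1234]: Accepted password for admin from 203.0.113.7",
]

SYSLOG = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
EPOCH = re.compile(r"^(\d{9,10}) (\S+) (.*)$")
WINEVT = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z),([^,]+),(\d+),(.*)$")
EDR = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) edr (\S+) (.*)$")


def _entry(ts: datetime, source: str, host: str, msg: str) -> dict:
    # Every entry is stored as an aware UTC datetime, so sorting compares real instants.
    return {"ts": ts.astimezone(timezone.utc), "source": source, "host": host, "msg": msg}


def parse_line(line: str) -> dict:
    """Return {"ts", "source", "host", "msg"}; raise ValueError on an unknown format."""
    if m := SYSLOG.match(line):
        naive = datetime.strptime(f"{INCIDENT_YEAR} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
        return _entry(naive.replace(tzinfo=SYSLOG_TZ), "syslog", m[4], m[5])
    if m := EPOCH.match(line):
        return _entry(datetime.fromtimestamp(int(m[1]), tz=timezone.utc), "firewall", m[2], m[3])
    if m := WINEVT.match(line):
        ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
        return _entry(ts, "winevt", m[2], f"EventID {m[3]}: {m[4]}")
    if m := EDR.match(line):
        return _entry(datetime.fromisoformat(m[1]), "edr", m[2], m[3])
    raise ValueError(f"unrecognised log line: {line!r}")


def build_timeline(lines) -> list:
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])


def dwell_time(timeline) -> timedelta:
    """Span from the earliest to the latest known event; a first input to the root-cause discussion."""
    return timeline[-1]["ts"] - timeline[0]["ts"]


def render(timeline) -> list:
    return [f"{e['ts']:%Y-%m-%dT%H:%M:%SZ} {e['host']:<8} {e['source']:<8} {e['msg']}" for e in timeline]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LINES)
    print("\n".join(render(tl)))
    print("dwell time:", dwell_time(tl))
```

With the offsets applied, the SSH login at 08:00 local on web01 becomes the earliest event (07:00:12Z), half an hour before the payload started on the workstation, which is the kind of ordering question the root-cause analysis depends on. A line the parser does not recognise raises rather than being silently dropped, so gaps in the timeline are visible to the reviewer.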

Documentation:

  • Complete FRM-INC-002 Post-Incident Report
  • Update procedures as needed
  • Brief stakeholders

6. Communication Guidelines

Internal Communication

| Audience | Information | Method |
|---|---|---|
| Executive Team | Status, business impact, decisions needed | Phone/meeting |
| IT Staff | Technical details, actions required | Secure channel |
| All Staff | General awareness (if warranted) | Email |

External Communication

  • All external communications through designated spokesperson
  • Coordinate with Legal and PR
  • Regulatory notifications per compliance requirements
  • Customer notifications per contract/law

7. Regulatory Notification Requirements

| Regulation | Notification Timeframe | Authority |
|---|---|---|
| HIPAA | Without unreasonable delay and no later than 60 days after discovery for breaches affecting 500 or more individuals; breaches affecting fewer than 500 are logged and reported within 60 days after the end of the calendar year | HHS OCR (affected individuals are notified on the same 60-day clock) |
| GDPR | 72 hours after becoming aware of the breach; data subjects without undue delay where the breach is likely to result in a high risk to them | Supervisory Authority |
| PCI DSS | Immediately on suspected or confirmed compromise of cardholder data, per the card brands' incident programs | Card brands, acquirer |
| State Laws | Varies | State AG |

The notification clocks start at discovery (HIPAA) or awareness (GDPR), so the time at which triage confirmed the incident must be recorded on FRM-INC-001.

8. Related Documents

  • FRM-INC-001 Incident Report Form
  • FRM-INC-002 Post-Incident Report
  • Contact list for incident response team
  • Vendor/partner contact list

Revision History

| Rev | Date | Description | Author |
|---|---|---|---|
| 1.0 | [DATE] | Initial release | [AUTHOR] |