# Standard Operating Procedure: Security Incident Response

| Document ID | SOP-INC-001 |
|-------------|-------------|
| Title | Security Incident Response Procedure |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | IT Security |

---

## 1. Purpose

To establish a structured approach for detecting, responding to, containing, and recovering from security incidents in order to minimize impact and prevent recurrence.

## 2. Scope

This procedure applies to all security incidents, including:

- Unauthorized access attempts
- Malware infections
- Data breaches
- Denial of service attacks
- Phishing attacks
- Lost or stolen devices
- Insider threats
- System compromises

## 3. Responsibilities

### 3.1 All Staff

- Report suspected incidents immediately
- Preserve evidence (do not turn off systems unless directed)
- Follow instructions from the incident response team

### 3.2 IT Security Team

- Triage and classify incidents
- Lead response efforts
- Coordinate with stakeholders

### 3.3 Incident Response Manager

- Authorize containment actions
- Escalate to management as needed
- Coordinate external communications

## 4. Incident Classification

| Severity | Criteria | Response Time |
|----------|----------|---------------|
| Critical | Active breach, data exfiltration, ransomware | Immediate |
| High | Confirmed compromise, malware spreading | < 1 hour |
| Medium | Attempted intrusion, isolated malware | < 4 hours |
| Low | Policy violation, suspicious activity | < 24 hours |

## 5. Incident Response Phases

### 5.1 Phase 1: Detection and Reporting

**Detection Sources:**

- Security monitoring tools (SIEM, IDS/IPS)
- User reports
- Vendor notifications
- Audit findings
- Automated alerts

**Reporting:**

1. Document initial observations
2. Report via security hotline or email
3. Complete FRM-INC-001 Incident Report
4. Do NOT attempt remediation without guidance

### 5.2 Phase 2: Triage and Analysis

1. **Initial Assessment**
   - Confirm the incident is genuine (vs. false positive)
   - Classify severity level
   - Identify affected systems/data
   - Determine initial scope

2. **Evidence Collection**
   - System logs
   - Network traffic captures
   - Memory dumps (if warranted)
   - Screenshots
   - Preserve chain of custody

3. **Escalation Decision**
   - Critical/High: Immediate escalation to management
   - Notify legal/compliance if a data breach is suspected
   - Engage external forensics if needed

### 5.3 Phase 3: Containment

**Short-term Containment:**

- Isolate affected systems from the network
- Block malicious IPs/domains
- Disable compromised accounts
- Preserve evidence before making changes

**Long-term Containment:**

- Apply temporary fixes
- Increase monitoring
- Implement additional controls
- Prepare for eradication

**Containment Decision Matrix:**

| Action | Authority Required |
|--------|-------------------|
| Isolate single workstation | Security Team |
| Disable user account | Security Manager |
| Block network segment | IT Director |
| Shut down production system | Executive approval |

### 5.4 Phase 4: Eradication

1. Identify root cause
2. Remove malware/backdoors
3. Patch the vulnerabilities that were exploited
4. Reset compromised credentials
5. Verify removal is complete

### 5.5 Phase 5: Recovery

1. Restore systems from clean backups
2. Rebuild if necessary
3. Verify integrity before reconnecting
4. Monitor closely post-recovery
5. Confirm normal operations

### 5.6 Phase 6: Post-Incident Review

**Conduct within 5 business days:**

- Timeline reconstruction
- Root cause analysis
- Response effectiveness review
- Lessons learned
- Improvement recommendations

**Documentation:**

- Complete FRM-INC-002 Post-Incident Report
- Update procedures as needed
- Brief stakeholders

## 6. Communication Guidelines

### Internal Communication

| Audience | Information | Method |
|----------|-------------|--------|
| Executive Team | Status, business impact, decisions needed | Phone/meeting |
| IT Staff | Technical details, actions required | Secure channel |
| All Staff | General awareness (if warranted) | Email |

### External Communication

- All external communications go through the designated spokesperson
- Coordinate with Legal and PR
- Regulatory notifications per compliance requirements
- Customer notifications per contract/law

## 7. Regulatory Notification Requirements

| Regulation | Notification Timeframe | Authority |
|------------|----------------------|-----------|
| HIPAA | 60 days (breach of >500) | HHS OCR |
| GDPR | 72 hours | Supervisory Authority |
| PCI DSS | Immediately | Card brands, acquirer |
| State Laws | Varies | State AG |

## 8. Related Documents

- FRM-INC-001 Incident Report Form
- FRM-INC-002 Post-Incident Report
- Contact list for incident response team
- Vendor/partner contact list

---

## Revision History

| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |