graphgrc

OPS-03: Incident Response

Objective

Respond effectively to security incidents and minimize impact.

Description

Security incident response procedures are documented and tested. Incidents are detected, contained, and remediated. Post-incident reviews are conducted. Incidents are reported as required by regulation.

Implementation Details

Detection: AWS GuardDuty, CloudWatch alarms, CrowdStrike EDR generate alerts. Employee reporting via security@company.com.

Response Process: Incident severity classification (P0-P3). On-call engineer paged for P0/P1. Incident commander assigned. War room (Slack/Zoom).

Containment: Isolate affected systems. Revoke compromised credentials. Preserve evidence for investigation.

Post-Incident: Post-incident review (PIR) within 5 days for P0/P1. Document findings, root cause, action items. Track remediation.

Examples

• GuardDuty detected compromised EC2 instance, paged on-call, instance isolated within 15 minutes
• Phishing email reported by employee, security team investigated and blocked sender
• Quarterly tabletop exercise practiced ransomware response
• 2024: 12 security incidents, all with completed PIRs and remediation action items

Audit Evidence

• Incident response policy and runbooks
• Incident log with severity, timeline, resolution
• Post-incident review documents
• Tabletop exercise documentation

---

Framework Mapping

SOC 2

• CC7.3 ^[Incident detection and response process evaluates security events and determines appropriate action]
• CC7.4 ^[Incident response procedures mitigate ongoing events and prevent future occurrences]
• CC7.5 ^[Incident communication procedures keep stakeholders informed of security events and remediation]

GDPR

• Article 33 ^[Incident response includes supervisory authority notification within 72 hours for personal data breaches]
• Article 34 ^[Process for notifying data subjects of breaches when high risk to their rights and freedoms]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

Standards:

• Incident Response Standard ^[Severity levels, response times (immediate for Sev 1, 1hr for Sev 2), containment procedures]
• Logging and Monitoring Standard ^[Security event monitoring for detection, log collection for investigation]

Processes:

• Data Breach Response Process ^[Data breach response integrates with incident response process for investigation and containment]
• Incident Response Process ^[9-step incident response: detection, assessment, containment, investigation, eradication, recovery, communication, PIR, follow-up]

Policies:

• Baseline Security Policy ^[Requires immediate reporting of security incidents, preserve evidence, follow IR team instructions]

Charter:

• Information Security Program Charter ^[Program component: incident detection, response procedures, data breach notification, post-incident reviews]
• Risk Management Strategy ^[Risk assessment triggered by security incidents in post-incident review]

This site is open source. Improve this page.