graphgrc

Incident Response Standard

Requirements for detecting, responding to, and recovering from security incidents.

Scope

All security incidents affecting confidentiality, integrity, or availability of systems or data.

Incident Severity Levels

Severity 1 (Critical)

• Active data breach or confirmed unauthorized access to Confidential/Restricted data
• Ransomware or destructive malware
• Complete service outage affecting all customers
• Response time: Immediate (page on-call)

Severity 2 (High)

• Suspected data breach under investigation
• Successful phishing with credential compromise
• Vulnerability actively being exploited
• Partial service outage
• Response time: Within 1 hour

Severity 3 (Medium)

• Security policy violation
• Malware detected and contained
• Vulnerability discovered (not exploited)
• Failed intrusion attempt
• Response time: Within 4 hours

Severity 4 (Low)

• Suspicious activity (false positive likely)
• Policy violation with minimal risk
• Response time: Within 24 hours

Detection Methods

• Automated alerts from monitoring systems (GuardDuty, SIEM)
• User reports (phishing, suspicious activity)
• Third-party notification (vendor, researcher)
• Security scanning and audits

Response Requirements

Immediate Actions

1. Contain: Isolate affected systems, revoke compromised credentials
2. Assess: Determine scope and severity
3. Notify: Alert security team, page on-call if Sev 1/2
4. Document: Create incident ticket with timeline

Investigation

• Collect logs and forensic evidence before remediation
• Identify root cause and entry vector
• Determine data/systems impacted
• Preserve evidence for potential legal action

Remediation

• Remove attacker access
• Patch vulnerabilities
• Restore from clean backups if needed
• Reset credentials for affected systems/users

Communication

• Internal: Notify leadership, affected teams
• External: Notify customers if data breach (see data-breach-response-process.md)
• Regulatory: GDPR breach notification within 72 hours if applicable

Post-Incident

• Document lessons learned
• Update runbooks and detections
• Implement preventive controls
• Security team reviews within 7 days

Evidence Retention

• All incident artifacts retained for 7 years
• Chain of custody maintained for forensic evidence

Testing

• Tabletop exercises: Quarterly
• Simulated incident response: Annually

References

• Related controls: OPS-03
• Related process: incident-response-process.md, data-breach-response-process.md
• NIST SP 800-61r2: Computer Security Incident Handling Guide

Control Mapping

• OPS-03: Incident Response ^[Severity levels, response times (immediate for Sev 1, 1hr for Sev 2), containment procedures]
• INF-03: Logging & Monitoring ^[Automated alerts from GuardDuty/SIEM for detection, log collection for investigation]
• DAT-04: Data Privacy (GDPR Compliance) ^[GDPR breach notification within 72 hours, customer notification requirements]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.