Incident Classification

| Severity | Description | Response Time |
|---|---|---|
| SEV1 - Critical | Active breach, data exfiltration, ransomware | Immediate |
| SEV2 - High | Confirmed compromise, system unavailability | Within 1 hour |
| SEV3 - Medium | Suspicious activity, failed attack attempts | Within 4 hours |
| SEV4 - Low | Policy violations, minor security events | Next business day |
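
As an added example that is not part of this template, the following Python turns the severity table into a response deadline and flags an incident whose Phase 1 work has not been logged by that deadline. It assumes "next business day" means 09:00 on the next Monday-to-Friday day (a constructed assumption), and the incident identifier and timestamps used in the record are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

class Severity(Enum):
    SEV1 = "Critical"
    SEV2 = "High"
    SEV3 = "Medium"
    SEV4 = "Low"

# Response-time targets from the classification table; None = "next business day".
RESPONSE_TARGET = {
    Severity.SEV1: timedelta(0),        # Immediate
    Severity.SEV2: timedelta(hours=1),  # Within 1 hour
    Severity.SEV3: timedelta(hours=4),  # Within 4 hours
    Severity.SEV4: None,                # Next business day
}

def next_business_day(t: datetime) -> datetime:
    """First Mon-Fri day after t, at 09:00 (an assumed start of business)."""
    day = (t + timedelta(days=1)).replace(hour=9, minute=0, second=0, microsecond=0)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day

def response_deadline(severity: Severity, detected_at: datetime) -> datetime:
    """Latest time by which Phase 1 (Detection & Analysis) must have started."""
    target = RESPONSE_TARGET[severity]
    if target is None:
        return next_business_day(detected_at)
    return detected_at + target

@dataclass
class Incident:
    ident: str
    severity: Severity
    detected_at: datetime
    timeline: list = field(default_factory=list)  # (time, phase, action) entries

    def log(self, at: datetime, phase: str, action: str) -> None:
        """Append a timestamped entry to the running incident record."""
        self.timeline.append((at, phase, action))

    def responded(self) -> bool:
        return any(phase == "Phase 1" for _, phase, _ in self.timeline)

    def overdue(self, now: datetime) -> bool:
        """True when no Phase 1 action has been logged by the response deadline."""
        return not self.responded() and now > response_deadline(
            self.severity, self.detected_at)
```

A SEV4 event detected on a Friday evening therefore gets a Monday 09:00 deadline, while a SEV2 event detected at the same time is due within the hour.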
Escalation Contacts
- Primary IR Lead: [Name, Phone, Email]
- Secondary IR Lead: [Name, Phone, Email]
- IT Director: [Name, Phone, Email]
- CISO: [Name, Phone, Email]
- Legal Counsel: [Name, Phone, Email]
- Communications: [Name, Phone, Email]
Phase 1: Detection & Analysis
- ☐ Validate that the alert/report is a real incident
- ☐ Determine scope and affected systems
- ☐ Classify incident severity
- ☐ Begin incident documentation
- ☐ Notify appropriate stakeholders
Phase 2: Containment
- ☐ Implement short-term containment measures
- ☐ Preserve evidence for analysis
- ☐ Isolate affected systems if needed
- ☐ Block malicious indicators (IPs, domains, hashes)
- ☐ Document all containment actions
Phase 3: Eradication
- ☐ Identify root cause
- ☐ Remove malware and backdoors
- ☐ Reset compromised credentials
- ☐ Patch the vulnerabilities that were exploited
- ☐ Verify eradication is complete
Phase 4: Recovery
- ☐ Restore systems from clean backups
- ☐ Implement additional monitoring
- ☐ Gradually restore services
- ☐ Verify normal operations
- ☐ Continue enhanced monitoring period
Phase 5: Post-Incident
- ☐ Conduct a lessons-learned meeting
- ☐ Complete incident report
- ☐ Update playbooks based on findings
- ☐ Implement preventive measures
- ☐ Brief stakeholders on outcomes
