Skip to content

Incident response

Purpose

This page defines how to detect, respond to, and recover from security incidents affecting the platform.

Scope

This process applies to the following scenarios:

  • Unauthorized access or suspected compromise
  • Data exposure or potential data leakage
  • Service disruption caused by malicious activity
  • Integrity issues affecting system or data accuracy

Objectives

  • Rapid identification and containment of security incidents
  • Protection of sensitive data and system integrity
  • Clear communication across stakeholders
  • Structured recovery and post-incident analysis
  • Alignment with compliance requirements (e.g., PCI DSS practices)

Incident classification

Severity levels

Severity 1: Critical

  • Confirmed data breach
  • Active unauthorized access
  • Major service outage impacting all users

Severity 2: High

  • Suspected compromise
  • Partial service disruption
  • Unauthorized activity with limited scope

Severity 3: Medium

  • Policy violations
  • Suspicious activity without confirmed impact

Severity 4: Low

  • Informational alerts
  • Non-impacting anomalies

Roles and responsibilities

Incident commander

Leads response efforts and coordinates decision-making.

Security lead

  • Investigates root cause
  • Determines scope and impact

Engineering team

  • Implements containment and remediation actions
  • Restores system functionality

Communications lead

  • Manages internal and external communication
  • Coordinates stakeholder updates

Incident response lifecycle

1. Detection

Incidents may be identified through:

  • Monitoring and alerting systems
  • Log analysis
  • User or partner reports
  • Automated security tools

2. Triage

  • Assess severity level
  • Validate whether the event is a true incident
  • Identify affected systems and data

3. Containment

Common containment actions include:

  • Revoking compromised credentials
  • Isolating affected services
  • Blocking malicious IP addresses
  • Disabling impacted integrations

4. Investigation

  • Analyze logs and system activity
  • Identify entry point and attack vector
  • Determine scope of impact
  • Confirm whether data was accessed or altered

5. Eradication

  • Remove malicious artifacts
  • Patch vulnerabilities
  • Rotate credentials and keys
  • Apply security fixes

6. Recovery

  • Restore services to normal operation
  • Validate system integrity
  • Monitor for recurrence

7. Post-incident review

  • Document root cause
  • Identify gaps in detection or response
  • Define corrective actions
  • Update documentation and controls

Communication guidelines

Internal communication

  • Notify stakeholders based on severity level
  • Provide regular status updates during active incidents
  • Maintain a centralized incident log

External communication

  • Notify stakeholders based on severity
  • Provide regular status updates
  • Maintain a centralized incident log

Data handling

  • Prioritize protection of sensitive and regulated data
  • Limit access to incident data to authorized personnel only
  • Maintain audit logs for all response actions

Escalation criteria

Escalate immediately if:

  • Sensitive data is suspected to be exposed
  • Incident scope is unclear or expanding
  • Service disruption impacts critical functionality
  • Regulatory reporting may be required

Tools

  • Application and system logs
  • Monitoring and alerting dashboards
  • Audit trails
  • Incident tracking records

Post-incident deliverables

  • Incident summary report
  • Timeline of events
  • Root cause analysis
  • Remediation actions taken
  • Recommendations for prevention
  • Data handling policy
  • Access control standards
  • System architecture documentation
  • Operational runbooks