Incident Response Plan

Introduction

This document offers guidance for employees or incident responders who believe they have discovered or are responding to a security incident.

Escalation

  • Email security@joinportal.com or message us on Slack.
  • Include as many specifics and details as you can.

Internal issues

When the malicious actor is an employee, contractor, vendor, or partner, please contact the Security team directly. Do not discuss the issue with other employees.

Compromised communications

If there are IT communication risks (e.g. company phones, laptops, or email accounts are compromised), the team will announce an out-of-band communication tool within the office.

Response Steps

For critical issues, the response team will follow an iterative response process designed to investigate, contain the exploitation, remediate the vulnerability, and write post-mortem and lessons-learned documents.

  • The Security team should determine whether a lawyer should be involved with attorney-client privilege.
  • A “War Room” will be designated.
  • The following meeting will take place at regular intervals, starting with twice per day, until the incident is resolved:

  • Update the Breach Timeline with all known data related to the incident. The timeline should detail what you’re sure the attacker did at what times.
  • Review new Indicators of Compromise with the entire group. Indicators of Compromise are anything you know belongs to the attacker: an IP address that sent data, a compromised account, a malicious file used to spearphish, etc.
  • Add new data (knowns and unknowns) to the Investigative Q&A, which is a list of questions to which, if you had answers, you’d understand everything the attacker did.
  • Update the list of Emergency Mitigations: passwords to be reset, laptops to be wiped, IPs to be banned, etc.
  • Long Term Mitigations (including Root Cause Analysis): record everything you’ll start doing so this crisis doesn’t happen again.
  • Everything Else: communications, legal issues, blog posts, status pages, etc.

Response Team Members

Marlon Misra, marlon@joinportal.com

Neil Raina, neil@joinportal.com

Required Retrospective

All incidents classified as “High” or above require a retrospective meeting and a “lessons learned” document.

Follow-ups must be completed

All incidents classified as “High” or above require follow-ups to be tasked in a task tracker and completed within a pre-determined time period.

Disciplinary Action

Employees who violate this policy may face disciplinary consequences in proportion to their violation. Portal management will determine how serious an employee’s offense is and take the appropriate action.

Responsibility

The Security team is responsible for ensuring this policy is followed.