@sumitngupta
Last active February 15, 2022 23:48

System

Our systems run on Heroku which sits on top of Amazon AWS. All systems are located in the United States availability zones. Application logs are stripped of sensitive data, collected by LogEntries, and stored for fourteen days.

Escalation & Reporting

Email support@doubleloop.app, engineering@doubleloop.app, or use the Slack channel #it_support to alert the full team of the issue using the Incident Intake Report Format template. The Response Team will add an action plan to the original intake report. The full Incident Report should contain the following:

Incident Intake Report

  • Name/Contact Person:
  • Date of Incident/First noticed:
  • IP Address breached (if any):
  • Physical location of breached system (if any):
  • Types of data affected:
  • Detailed description of compromised files:

Incident Response Plan

  • Severity:
  • Incident Status:
  • Actions Taken:
  • Chain of custody (hardware if any):
  • Impact Assessments:
  • Contact info (involved parties):
  • Gathered Evidence/Data:
  • Next Steps:

Severity

Low and Medium Severity

Low and medium severity issues are incidents involving suspicious or odd behavior. They have not been verified and require further investigation. An issue assessed as Low/Medium has no indication of tangible risk and does not require an emergency response. These types of issues include but are not limited to suspicious emails, texts, and phone calls.

High Severity

High severity issues are incidents where an active exploit has not happened, but is likely. These should be addressed in the method above but with the added note of “URGENT” in the subject line or Slack message. These types of issues include newly discovered backdoors, malware, or any suspected malicious access to our systems.

Critical Severity

Critical severity issues are incidents showing active exploitation of our systems and/or data. These types of issues include but are not limited to malicious access to systems (including email), Slack, or systems with PII such as the DoubleLoop Platform and/or our servers.

Critical issues should be treated as such and sent directly to slt@doubleloop.app, engineering@doubleloop.app, or support@doubleloop.app with “CRITICAL” in the subject line, and also posted to the #it_support Slack channel with “CRITICAL” in the message.

Response Steps

  1. For Low and Medium severity issues, the Head of Product will coordinate with the VP Engineering to assess actual severity and respond accordingly.
  2. For High and Critical Severity incidents, the full Incident Response Team will immediately convene to assess actual severity and determine a plan of action to immediately address and mitigate the existing issue.
  3. Meetings will occur daily or weekly depending on severity until the issue is resolved.
  4. A follow-up retrospective will be conducted by the response team to review the incident and response, and apply any lessons learned to improve security measures and the company response process.
  5. The Incident Response Team will periodically present a report on Security Incidents to the Senior Leadership Team for review.

Reporting to Outside Parties

Depending on the sensitivity of information and severity of the breach we will, from time to time, notify third parties of any incidents on an as-needed basis.
