Incident Response Plan (IRP)
ECS Technology Solutions
Version 1.0 – Effective: 17 April 2025
1. Purpose
This Incident Response Plan (IRP) outlines the structured approach ECS Technology Solutions ("ECS", "the Company") takes to prepare for, detect, analyze, contain, eradicate, recover from, and learn from security incidents affecting our systems, services, and data, including customer environments under our management.
2. Scope
This plan applies to all security incidents involving:
- People: All employees, contractors, and relevant third parties.
- Systems: All IT infrastructure, cloud resources (AWS, Azure, M365, Google), SaaS platforms (HaloPSA, Hudu, Keeper), networks, and endpoints managed by ECS.
- Data: All company and customer data processed or stored on ECS-managed systems, particularly Personal Data as defined in the Data Protection Policy.
3. Definitions
| Term | Meaning |
|---|---|
| Security Incident | An event that violates or imminently threatens to violate security policies, acceptable use policies, or standard security practices. Examples: unauthorized access, malware infection, denial of service, data exposure. |
| Data Breach | A security incident resulting in the confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. |
| Incident Commander (IC) | The individual responsible for leading the response effort for a specific incident. Default: Information Security Manager. |
| Cyber Incident Response Team (CIRT) | A core group responsible for executing the IRP, typically including the IC, CTO, relevant Service Delivery Manager(s), and technical subject matter experts (SMEs) as needed. |
4. Roles & Responsibilities
| Role | Responsibility during Incident |
|---|---|
| Incident Commander (IC) | Leads and coordinates the CIRT, activates the plan, manages communications, tracks progress, makes tactical decisions, escalates as needed. (Default: Information Security Manager) |
| Chief Technology Officer (CTO) | Provides technical oversight, approves major technical changes (e.g., infrastructure recovery), assists with resource allocation. |
| President / CEO | Provides executive oversight, approves external communications (especially breach notifications), authorizes major expenditures or business decisions. |
| Service Delivery Managers | Act as primary liaison with affected clients, coordinate customer-specific actions, provide status updates (aligned with IC). |
| Security Operations Center (SOC) / Security Analysts | Perform initial detection, analysis, and triage; execute containment/eradication tasks under IC direction; preserve evidence. |
| Technical SMEs | Provide deep expertise on affected systems (e.g., network, cloud, M365), implement technical response actions. |
| All Staff | Report suspected incidents immediately via designated channels (e.g., internal ticket, direct SOC contact); follow IC/CIRT instructions. |
5. Incident Response Phases (NIST SP 800-61 Framework)
5.1 Preparation
- Tools & Resources: Maintain and configure security tools (SIEM, EDR, vulnerability scanners); ensure access to secure communication channels, documentation (Hudu), secrets managers (Keeper, AWS Secrets Manager), and recovery systems (Backup Vaults).
- Training: Conduct regular IRP training and tabletop exercises (ref. BC/DR Plan) for CIRT members; provide security awareness training for all staff (KnowBe4).
- Documentation: Maintain this IRP, system documentation, network diagrams, and specific response playbooks for common incident types (e.g., ransomware, phishing, DDoS).
5.2 Detection & Analysis
- Detection Sources: Monitor alerts from SIEM, EDR, cloud provider security tools (e.g., GuardDuty, Defender Platform, Microsoft Sentinel), user reports, partner notifications, threat intelligence feeds.
- Triage & Verification: SOC analyzes initial alerts/reports to determine validity and potential impact. Assign initial severity level.
- Escalation & Activation: Verified incidents are escalated to the Incident Commander (IC), who formally declares an incident and starts an incident log if none exists already.
- Analysis: CIRT analyzes scope, affected systems/data, attack vector, and potential impact to determine the appropriate response strategy.
5.3 Containment, Eradication, & Recovery
- Containment Strategy: IC determines strategy (e.g., isolate affected hosts/networks, disable compromised accounts, block malicious IPs/domains) to prevent further damage.
- Eradication: Remove malware, close vulnerabilities, eliminate attacker access. This may involve rebuilding systems from trusted sources or backups.
- Recovery: Restore affected systems and data using secure backups (ref. BC/DR Plan RTO/RPO). Validate system integrity and functionality before returning to production. Monitor closely for residual threats.
- Evidence Preservation: Preserve logs, disk images, and other artifacts as needed for forensic analysis or legal requirements.
5.4 Post-Incident Activity
- Lessons Learned: Conduct a post-incident review (within 1-2 weeks) involving the CIRT and relevant stakeholders. Identify successes, failures, and areas for improvement.
- Reporting: Document the incident details, actions taken, root cause, and lessons learned. Generate internal reports and external reports if required (e.g., for clients, regulators).
- Plan Updates: Update the IRP, playbooks, security controls, and training based on lessons learned.
- Evidence Retention: Retain incident logs and evidence according to data retention policies or legal holds.
6. Incident Severity Levels
| Level | Description | Example | IC Action |
|---|---|---|---|
| Low | Minor impact, localized, no sensitive data exposure. | Single endpoint malware, contained by EDR. | Monitor, standard remediation by SOC. |
| Medium | Service degradation for some users, potential limited internal data exposure. | Successful phishing attack, limited credential compromise (contained). | Activate partial CIRT, increased monitoring. |
| High | Significant service disruption, potential sensitive data exposure, regulatory/legal implications possible. | Ransomware on multiple servers, suspected Data Breach. | Activate full CIRT, escalate to CTO/President, prepare for client/regulatory comms. |
| Critical | Widespread service outage, confirmed sensitive Data Breach, major financial/reputational impact. | Major cloud infrastructure compromise, successful large-scale data exfiltration. | Full CIRT activation, immediate President/CEO involvement, activate BC/DR Plan elements, crisis communication. |
7. Communication Plan
- Internal: CIRT uses dedicated secure channels (e.g., specific Teams channel, phone bridge). IC provides regular updates to CTO/President based on severity.
- External (Clients): Coordinated by IC and relevant Service Delivery Manager(s). Initial notification timelines and frequency depend on severity and contractual/legal requirements (ref. BC/DR Plan for baseline). Use status page and direct email (support@ecs.rocks).
- External (Regulators/Legal): For confirmed Data Breaches or other legally reportable incidents, notifications are managed by IC/CTO/President, following timelines specified in the Data Protection Policy and applicable laws.
8. Testing & Maintenance
- Testing: Conduct annual tabletop exercises simulating various incident scenarios (coordinated with BC/DR testing).
- Maintenance: The Information Security Manager and CTO review and update this IRP at least annually, or after significant incidents or changes to infrastructure/services (ref. Data Protection Policy review cycle).