Incident Response Template
Category: Incident Response ยท Version: 1.1 ยท Team: Policies & Procedures ยท Owner: fhsu_dude_2025
Updated 2025-12-01 19:57
Incident Response Policy
Purpose
This policy defines how security incidents within the SOC environment are detected, analyzed, contained, resolved, and documented. The goal is to ensure incidents are handled quickly, consistently, and effectively so that systems remain secure, operational, and compliant with SOC standards.
Scope
Applies to:
- SOC Analysts
- Team Leads
- System Administrators
- Security Engineers
- Anyone involved in monitoring, triage, or response activities
Covers all incident response actions related to:
- Alerts from SOC monitoring tools
- System or service outages
- Security threats or suspicious activity
- Compromised accounts or hosts
- Operational failures affecting SOC visibility or functionality
Policy Rules
1. Incident Identification
All team members must report potential incidents immediately. Incidents may be identified through:
- SOC monitoring alerts
- System logs
- Threat intelligence
- User-reported issues
- Observed abnormal behavior
- Automated detections
All incidents must be logged at the time of identification.
2. Incident Severity Levels
Incidents must be classified using one of the following severity levels:
- Low โ Minimal impact; no service disruption
- Medium โ Noticeable impact; limited scope
- High โ Major disruption or confirmed compromise
- Critical โ Severe impact to SOC operations, data, or infrastructure
Severity determines response urgency and escalation requirements.
3. Roles and Responsibilities
SOC Analysts
- Monitor alerts and identify potential incidents
- Perform initial triage
- Document early findings
- Escalate when necessary
Team Leads
- Guide incident handling within their assigned area
- Validate classification and analysis
- Coordinate containment and eradication
- Provide status updates
SOC Manager
- Oversee incident response activity
- Approve major response steps
- Coordinate communication with leadership
- Ensure complete documentation
Incident Response Personnel
- Assist with containment and eradication
- Perform technical analysis
- Support recovery tasks
4. Incident Response Process
A. Detection
- Validate whether the alert or issue qualifies as an incident
- Begin logging immediately
B. Analysis
- Identify affected systems
- Collect evidence and relevant logs
- Determine scope, impact, and root cause indicators
- Update severity level if needed
C. Containment
Short-term containment may include:
- Isolating compromised hosts
- Disabling accounts
- Blocking malicious activity
Long-term containment may include:
- Temporary policy changes
- Updated detection rules
- Additional monitoring
All containment actions require Team Lead or SOC Manager approval.
D. Eradication
- Remove malicious artifacts
- Stop harmful processes
- Fix vulnerabilities or misconfiguration
- Apply necessary patches or configurations
Only authorized personnel may perform eradication steps.
E. Recovery
Recovery actions must:
- Restore normal operations
- Validate system integrity
- Confirm monitoring and logging functionality
- Ensure SOC visibility is restored
Systems cannot return to production until verified safe.
F. Post-Incident Activities
- Complete all incident documentation
- Update incident log entries
- Conduct a post-incident review
- Recommend process, tool, or training improvements
5. Logging and Documentation
The SOC must maintain detailed records of:
- Incident timelines
- Evidence collected
- Actions taken
- Responsible personnel
- Resolution steps and follow-up tasks
Documentation must be accurate and finalized before closure.
6. Communication Requirements
During an incident:
- All updates must be posted in the designated SOC communication channel
- Major and critical issues must be communicated to the SOC Manager immediately
- High and critical incidents require leadership notification
Unauthorized sharing of incident details is prohibited.
7. Review and Analysis
Incident records must be reviewed:
- After every major incident
- Quarterly to identify patterns
- When system procedures change
- When new risks or vulnerabilities are discovered
Findings must support continuous SOC improvement.
8. Handling Response Failures
If incident handling is delayed, incorrect, or incomplete:
- Notify the SOC Manager
- Create a corrective action plan
- Perform root cause analysis
- Update documentation
- Provide additional training if needed
Critical failures must be escalated immediately.
9. Consequences for Violations
Possible consequences include:
- Loss of SOC access
- Removal from duties
- Academic or disciplinary action
Failure to follow this policy is treated seriously.
10. Exceptions
Exceptions must:
- Be formally documented
- Include justification
- Be approved by SOC management
- Include compensating controls when necessary
11. Policy Updates
This policy is reviewed at least annually or when:
- Incident response tools or processes change
- New systems are added
- Major incidents reveal weaknesses