Owner: CISO / SOC Manager · Policy: Incident Response Policy v3.1 · Review Cycle: Annual + post-incident
This page documents the organisation's Incident Response (IR) framework, severity classification, escalation paths, and response playbooks. All security incidents are managed through ServiceNow Security Incident Response (SIR) and coordinated by the SOC.
The IR process follows the NIST SP 800-61r2 framework: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity.
| Severity | Criteria | Examples |
|---|---|---|
| P1 — Critical | Active breach, ransomware deployment, large-scale data exfiltration, Tier 1 system outage with suspected malicious cause | Ransomware spreading across DC, confirmed data theft, C2 comms to executive device |
| P2 — High | Confirmed attacker presence (not yet contained), account takeover with data access, compromised privileged account | Admin account taken over, attacker on one server, insider data theft confirmed |
| P3 — Medium | Suspicious activity with moderate confidence, single endpoint compromise (contained), phishing with credential harvest | Isolated malware, one user credential phished + reset, suspicious cloud API access |
| P4 — Low | Informational, false-positive-likely, policy violation, malware blocked before execution | AV blocked and quarantined, AUP violation, suspicious login from VPN |
```text
DETECT (Alert in Sentinel / Manual report)
│
▼
TRIAGE (SOC L1 — ServiceNow SIR ticket raised)
│
├── P4/P3 → L1 handles, L2 on call
└── P2/P1 → Immediate L2 escalation
│
▼
DECLARE INCIDENT (SOC Manager notified)
│
├── P1 → CISO, Legal, Comms notified within 15 min
└── P2 → SOC Manager owns
│
▼
CONTAIN (isolate, block, disable)
│
▼
ERADICATE (remove attacker tooling, patch vuln)
│
▼
RECOVER (restore, validate, monitor)
│
▼
POST-INCIDENT REVIEW (PIR — within 5 business days)
```
| Role | Primary Contact | Out-of-Hours |
|---|---|---|
| SOC L2 (on-call) | #soc-team | PagerDuty rotation |
| SOC Manager | Via PagerDuty | PagerDuty P1 escalation |
| CISO | Via SOC Manager | Mobile (in PagerDuty) |
| Legal / DPO | legal@company.com | Mobile (in PagerDuty) |
| Communications | comms@company.com | On-call mobile |
| External MDR | MDR hotline: +44 XXX XXX XXXX | 24/7 |
| Law Enforcement Liaison | Via CISO | Via CISO |
Trigger: Mass file encryption alerts, ransomware note detected, MDE alerts on known ransomware binary.
Immediate Actions (within 15 minutes):
Investigation (within 2 hours):
Eradication & Recovery:
Communication:
Trigger: Impossible travel alert, MFA fatigue push accepted from unusual location, Entra ID risk: High.
Revoke-MgUserSignInSession).

| Regulation | Trigger | Notification Deadline | Recipient |
|---|---|---|---|
| GDPR / UK DPA 2018 | Personal data breach — high risk to individuals | 72 hours from awareness | ICO (UK) |
| GDPR / EU | Personal data breach | 72 hours from awareness | Lead supervisory authority |
| PCI DSS | Cardholder data involved | Immediately | Acquiring bank + card brands |
| NIS2 (if applicable) | Significant incident on in-scope systems | 24 hours (early warning), 72 hours (full notification) | NCSC / Competent authority |
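The session revocation referenced in the account-compromise trigger above, shown here as an added containment example using the Microsoft Graph PowerShell SDK; this is not part of this policy page or its playbooks. The account name is a constructed placeholder, and the ordering (disable sign-in, revoke sessions, verify) is the editor's suggestion, not a step the playbook itself prescribes.

```powershell
# Added example, not from the IR policy page: contain a suspected-compromised
# Entra ID account. $Upn is a constructed placeholder for the account under investigation.
param([string]$Upn = "user.name@company.com")

# User.ReadWrite.All covers both the account-disable and the session-revocation calls.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Block new sign-ins first, so no fresh tokens can be issued while containment proceeds.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Invalidate refresh tokens and session cookies issued before this moment.
#    Access tokens already held remain valid until they expire (typically up to an hour),
#    so monitoring of the account continues until those tokens have aged out.
Revoke-MgUserSignInSession -UserId $Upn

# 3. Verify the result and capture the containment timestamp for the SIR ticket timeline.
#    signInSessionsValidFromDateTime moves forward when revocation has taken effect.
$user = Get-MgUser -UserId $Upn -Property AccountEnabled,SignInSessionsValidFromDateTime
if ($user.AccountEnabled) { throw "Account $Upn is still enabled; containment incomplete" }

[pscustomobject]@{
    User              = $Upn
    AccountEnabled    = $user.AccountEnabled
    SessionsValidFrom = $user.SignInSessionsValidFromDateTime
    ContainedAtUtc    = (Get-Date).ToUniversalTime().ToString("o")
}
```

Record the emitted object in the SIR ticket so the timeline shows exactly when sessions were cut, which matters for the 72-hour regulatory clock above.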
Every P1 and P2 incident requires a PIR within 5 business days of closure. PIR outputs:
| Section | Content |
|---|---|
| Executive Summary | 1-paragraph description for leadership |
| Timeline | Chronological sequence of events |
| Root Cause Analysis | 5-Whys or fishbone analysis |
| Impact Assessment | Systems, data, users affected |
| What Went Well | Process and tooling successes |
| Areas for Improvement | Gaps identified |
| Action Items | Owner, deadline, tracked in ServiceNow |
PIR documents are stored in SharePoint (Security > Incident Response > PIRs) and reviewed quarterly by the CISO.
https://itsm.internal/sir