Incident Detection and Response Procedure Free Template

Here is the complete Incident Detection and Response Procedure document (PRC-IT-008), aligned with SOC 2 Trust Criteria CC7.3 and CC7.4:

1. Document Control

  • Document Title: Incident Detection and Response Procedure

  • Document Identifier: PRC-IT-008

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Director of Information Security>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this procedure is to define the standardized process for detecting, reporting, triaging, escalating, and resolving information security incidents at . The goal is to minimize impact, preserve forensic evidence, ensure proper communication, and meet legal, contractual, and regulatory obligations.

This procedure supports compliance with SOC 2 Trust Services Criteria CC7.3 (incident detection) and CC7.4 (incident response), and is aligned with ISO/IEC 27001:2022 incident management controls. It ensures that can respond effectively to security events and protect the confidentiality, integrity, and availability of systems and data.

3. Scope

This procedure applies to all employees, contractors, systems, data assets, applications, and third-party providers involved in processing, storing, or transmitting sensitive or business-critical information.

It encompasses all potential incidents including but not limited to: malware infections, phishing attacks, unauthorized access, data breaches, system outages due to malicious activity, insider threats, and denial-of-service attacks.

4. Policy Statement

shall maintain an incident response process with the following mandatory capabilities:

  1. Detection: Real-time detection of anomalous or malicious activity using monitoring tools, endpoint protection, and user reports.

  2. Triage: Assessment of severity and classification of the event based on impact and scope.

  3. Escalation: Timely notification to the Information Security Incident Response Team (ISIRT) based on predefined thresholds.

  4. Response: Coordination of containment, eradication, and recovery measures using defined playbooks.

  5. Communication: Internal and external notifications based on incident type, including regulatory disclosure if required.

  6. Documentation: Detailed recording of incident lifecycle in the incident tracking system.

  7. Review: Post-incident analysis (lessons learned) and formal RCA (root cause analysis) for medium and high-impact incidents.

All users must report suspected security events immediately and cooperate fully during investigations.

5. Safeguards

Each safeguard is listed as Control ID: Safeguard Description.

  • IR-01: SIEM and monitoring tools generate alerts 24/7 for anomalies, malware, or policy violations.

  • IR-02: Tiered incident severity model (Low, Medium, High, Critical) guides triage and response SLAs.

  • IR-03: Incidents are logged in a centralized IR ticketing platform (e.g., ) with timestamps and actions.

  • IR-04: Critical incidents trigger escalation to the CISO within 1 hour of detection.

  • IR-05: Predefined playbooks guide actions for common incident types (e.g., ransomware, phishing, credential theft).

  • IR-06: Forensics tools and procedures are used to preserve evidence and trace attack paths.

  • IR-07: Post-incident reviews are conducted within 10 business days of closure for high-impact incidents.

  • IR-08: Annual tabletop exercises are conducted to simulate response to various incident scenarios.

6. Roles and Responsibilities

  • Incident Response Manager: Coordinates all phases of incident response; leads war room sessions.

  • Information Security Analyst: Monitors, analyzes, and initiates incident triage; maintains logs.

  • SOC Team: Provides 24/7 threat detection, initial response, and containment measures.

  • System/Network Administrators: Assist with remediation actions (e.g., quarantine systems, reset accounts).

  • Legal and Compliance Teams: Advise on regulatory reporting, legal exposure, and third-party notifications.

  • Communications/PR Team: Manages external communications during public or customer-impacting incidents.

  • All Employees: Required to report suspected incidents immediately to the InfoSec team or Service Desk.

7. Compliance and Exceptions

Compliance with this procedure is verified through incident logs, audit trails, and post-incident reviews. All incident tickets must include timestamps, actions taken, and evidence of closure review.

Exceptions (e.g., delayed response due to third-party systems) must be documented with justification, risk assessed, and approved by the Director of Information Security. Exception logs are reviewed quarterly.

8. Enforcement

Failure to comply with this procedure—such as delayed reporting, failure to escalate, or improper handling of evidence—can result in disciplinary actions per the Employee Handbook and HR policy. Penalties include verbal or written warnings, suspension of access, or termination for gross negligence.

Third-party vendors that fail to meet contracted incident response SLAs may face penalties, liability for damages, or contract termination. All enforcement actions will be proportional, documented, and led by HR, Legal, and Information Security leadership.

9. Related Policies/Documents

  • POL-ALL-009: Incident Response Policy

  • PRC-IT-007: Security Event Monitoring Procedure

  • POL-ALL-001: Information Security Policy

  • SOC 2 Criteria: CC7.3 (Detection), CC7.4 (Response)

  • ISO 27001 Controls: A.5.25–A.5.27 (Information Security Incident Management)

  • Incident Response Playbooks and Runbooks

  • Regulatory Reporting Guidelines

10. Review and Maintenance

This document shall be reviewed annually or following major incidents or changes to infrastructure, regulatory requirements, or detection tools. The review shall be led by the Incident Response Manager and approved by the Director of Information Security. Change history will be tracked in the official document repository.

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
