Incident Response Procedure
Document ID: DPWAT-ISMS-PROC-005
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)
1. Immediate actions (anyone)
- Stop and assess; do not destroy evidence.
- Report immediately to the CISO:
  - Urgent: phone +40 721 066 104
  - Non-urgent: email timo@devplant.ro
- If the CISO is unreachable: contact an Administrator (ADM) for escalation.
2. Triage (CISO)
- Classify severity and scope (see classification below).
- Decide containment actions (account disable, token rotation, device isolation).
- Open an incident record.
Severity classification
| Severity | Criteria | Response time | Examples |
|---|---|---|---|
| Critical | Confirmed data breach involving customer data; regulatory notification likely required; complete loss of critical business capability | Immediate (within hours) | Customer source code exfiltrated; ransomware with data encryption; GDPR-reportable breach |
| High | Potential/suspected data breach; major system compromise; lost/stolen device containing customer data | Same business day | Compromised admin account; laptop stolen with local repos; suspicious bulk data access |
| Medium | Contained security incident; suspicious activity requiring investigation; minor exposure (internal only) | Within 2 business days | Phishing click with credential entry (contained); unauthorized access attempt blocked; accidental internal disclosure |
| Low | Near-miss; blocked attack; policy violation with no actual impact | Within 1 week | Phishing email reported (no click); failed login attempts; minor AUP violation |
Severity determines response urgency and escalation. Critical and High incidents are escalated to the Administrator immediately.
3. Containment and eradication
- Remove attacker access, rotate exposed credentials, patch vulnerabilities, remove malware.
- Coordinate with Administrators and Process Owners.
4. Recovery
- Restore service and verify integrity.
- Communicate with customers/partners if contractual obligations require it.
5. Authority notification
The CISO (or Administrator if CISO is unavailable) is the only person authorized to make official reports to external authorities.
When to notify
| Incident type | Authority | Deadline | Notes |
|---|---|---|---|
| Personal data breach (GDPR) | ANSPDCP | 72 hours from awareness (GDPR Art. 33) | Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; document the reasoning either way |
| Significant cyber-attack, malware, ransomware | DNSC | As soon as practicable | Use 1911 for emergencies |
| Criminal activity (extortion, intentional theft) | DIICOT / Police | As soon as practicable | Coordinate with legal counsel |
| Compromised cloud infrastructure | AWS / Azure / GCP / GitHub | Immediately | Per provider abuse/security channels |
Contact details
See authorities-contact-register for current contact information.
Customer environments
If an incident occurs in a customer-managed environment, notify the customer security lead first; the customer decides whether to report to authorities unless DP WAT has independent legal obligations (e.g., DP WAT is a data controller for the affected data).
6. Lessons learned
- Root cause analysis.
- Update risk register and controls if needed.
- Record corrective actions.
7. Records
- Register: incident-register
- Template: template-incident-report
- Evidence: 07-records/
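Both the first rule in section 1 ("do not destroy evidence") and the evidence record in section 7 depend on being able to show later that collected artifacts were not altered. The following is an added example, not part of this procedure or any DP WAT tooling: it writes a SHA-256 manifest for every file under an evidence directory and re-verifies it, reporting files that were modified, removed or added since collection. The manifest file name (MANIFEST.json), the incident ID and the sample log lines are constructed for illustration only.

```python
"""Evidence integrity manifest for an incident evidence directory.

Added example, not part of the procedure. Hashes every file under the
directory, records the result in MANIFEST.json, and verifies the tree
against that manifest later so tampering or loss can be demonstrated.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name, not mandated by the procedure


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images/dumps fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _evidence_files(root: Path):
    """All regular files under root except the manifest itself."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            yield p.relative_to(root).as_posix(), p


def build_manifest(evidence_dir: str, incident_id: str, collector: str) -> dict:
    """Hash every evidence file and write MANIFEST.json next to them."""
    root = Path(evidence_dir)
    files = {
        rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
        for rel, p in _evidence_files(root)
    }
    manifest = {
        "incident_id": incident_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(evidence_dir: str) -> list:
    """Return a list of discrepancies; an empty list means the tree is intact."""
    root = Path(evidence_dir)
    expected = json.loads((root / MANIFEST_NAME).read_text())["files"]
    present = dict(_evidence_files(root))
    problems = []
    for rel, meta in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(present[rel]) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for rel in sorted(set(present) - set(expected)):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed evidence set: clean verification, then one tampered file."""
    d = tempfile.mkdtemp(prefix="evidence-")
    # Constructed sample artifacts, not real incident data.
    Path(d, "auth.log").write_text(
        "Nov 10 09:14:02 host sshd[412]: Failed password for admin from 203.0.113.7\n"
    )
    Path(d, "notes").mkdir()
    Path(d, "notes", "timeline.txt").write_text("09:20 CISO notified by phone\n")
    build_manifest(d, "INC-EXAMPLE-001", "example collector")
    clean = verify_manifest(d)                 # expected: []
    Path(d, "auth.log").write_text("tampered\n")
    tampered = verify_manifest(d)              # expected: ["modified: auth.log"]
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Store a copy of the manifest (or at least its own SHA-256) outside the evidence directory, for example in the incident record, so that someone with write access to 07-records/ cannot silently regenerate it; re-run `verify_manifest` before evidence is handed to an authority or counsel.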