Incident Management Procedure (A.5.24)
Document ID: incident-management-procedure
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual (or after any Sev1 incident)
Incident classification
| Severity | Definition | Response SLA |
|---|---|---|
| Sev1 | Active breach, data exfiltration, key compromise, production outage affecting customers | Immediate — respond within 15 min |
| Sev2 | Suspected breach, significant degradation, external report of vulnerability | Respond within 2 hours |
| Sev3 | Minor degradation, isolated control failure, stale evidence gap | Respond within 24 hours |
| Sev4 | Near-miss, policy deviation with no immediate risk | Respond within 72 hours |
Detection
Incidents may be detected via:
- Automated gap alerts from collectors (Discord webhook)
- `cron-health` flagging stale evidence
- External vulnerability disclosure
- Customer report via support portal
- Cloudflare security alerts
- GitHub Advanced Security alerts
Response procedure
Step 1 — Detect and log
- Record the incident in the compliance portal (`/compliance/risks` → create incident)
- Classify severity (Sev1–4)
- Set status to `open`
Step 2 — Contain
For Sev1/2:
- Rotate any suspect credentials immediately (rotate via Wrangler Secrets Store)
- Revoke affected access (GitHub org, Cloudflare account)
- If signing key compromised: set state to `revoked` in `signing_keys`, generate new key
- Enable IP allowlist break-glass if needed
Step 3 — Investigate
- Correlate with evidence_runs and audit_events
- Pull relevant evidence from R2 for the affected time window
- Determine root cause
Step 4 — Eradicate and recover
- Deploy fix
- Verify evidence collection resumes normally
- Run full cron trigger to regenerate any missing evidence
Step 5 — Post-incident review
- For Sev1/2: write postmortem within 5 business days
- Upload postmortem to R2, link in incident record
- Review whether controls need strengthening
Breach notification
If a personal data breach affects EU residents (GDPR Art. 33): notify the relevant supervisory authority within 72 hours. If the breach is likely to result in high risk to individuals (Art. 34): notify affected data subjects without undue delay.
Evidence
| Collector | Cadence | Control |
|---|---|---|
| incident-log | Monthly | A.5.24–A.5.28 |
| cron-health | Daily | A.5.36, A.8.16 |