Owner: Chief Information Security Officer (CISO) • Co‑Owners: SOC Lead, Head of Engineering, DPO, General Counsel (GC)
Review cadence: Quarterly drills and after any material incident
Purpose. Provide a single, conservative playbook for identifying, triaging, remediating, and communicating security vulnerabilities and incidents across all regional operators, NatCos, and Program SPVs. Integrates with: Annex C (Privacy), Annex D (SDZ/Transfers), Annex E (Zero‑Trust/SLSA/SBOM). Where host‑law requirements vary, the strictest applies.
1) Scope & Equal‑Treatment Baseline
Applies to: code, build pipelines, infrastructure (cloud/on‑prem/SDZ), endpoints, vendors/sub‑processors, and physical security events that affect confidentiality, integrity, or availability (CIA). Covers both vulnerabilities (potential weaknesses) and incidents (actual or suspected compromise).
2) Roles & Incident Command Structure (ICS)
- Incident Commander (IC): CISO (or delegate). Owns decisions, timelines, and comms cadence.
- SOC Lead: Coordinates detection/triage, evidentiary logging, EDR/IDS/SIEM actions.
- Head of Engineering: Code/build remediation, release gating, feature flags, hotfixes.
- DPO: Privacy risk assessment, DSR handling, breach notification clocks (Annex C).
- GC: Legal privilege, regulator engagement, law‑enforcement liaison, contracts.
- Comms Lead: Internal/external messaging, press/clients/partners.
- Regional Leads: Local regulator and PoR coordination; host‑law nuances.
- Business Owner(s): Customer impact, workarounds, continuity.
Contact Matrix
Maintain a 24×7 contact list (primary/secondary, phone/secure chat) with escalation paths. Test quarterly.
3) Severity Ratings & SLAs (from first valid signal)
P0 — Critical (active exploit/external exposure/high impact):
- Contain/mitigate: ≤ 72 hours (compensating controls allowed).
- Patch/fix deployed: ≤ 7 days.
- Notify: ≤ 24 hours to Protocol Custodian, impacted customers/PoRs; regulator clocks per Annex C.
- Status cadence: Hourly → 4‑hourly once stable.
P1 — High (likely exploitation/large blast radius):
- Mitigate: ≤ 5 days.
- Patch: ≤ 14 days.
- Notify: Within 48 hours to affected parties; regulators as required.
- Status: Daily until closure.
P2 — Medium: Patch ≤ 30 days; weekly status.
P3 — Low: Patch ≤ 90 days; monthly status.
Exceptions require CISO approval, compensating controls, and an expiry date in the Security Exception Register (Annex E §14).
4) Detection & Intake
- Sources: SIEM alerts, EDR, IDS/WAF, code/dependency scans, SBOM‑CVE feeds, pen‑tests, bug bounty, vendor notices, user reports.
- Triage in ≤ 2 hours: Validate signal, assign severity, open incident ticket with unique ID, time‑stamp, and owner.
5) Standard Response Phases
- Identify — confirm indicators of compromise (IOCs), affected assets, data classes.
- Contain — short‑term (isolate hosts, revoke tokens, block egress) and long‑term (segmentation, disable features).
- Eradicate — remove malware, backdoors, malicious accounts; rotate secrets/keys.
- Recover — restore from known‑good states; verify integrity with hashes/signatures; gradual return to service.
- Lessons Learned — within 10 business days, complete post‑mortem and action plan; dual‑log material actions.
6) Category Runbooks (minimum steps)
A) Code/Dependency Vulnerability (incl. supply chain)
- Freeze affected pipelines; require signed, provenance‑verified artifacts.
- Generate new SBOM; correlate CVEs; block release if policy fails.
- Patch or pin; rebuild with hermetic builders; redeploy; verify via admission controller.
- Customer note (if exposure likely), with mitigations and rotation advice.
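An added example, written for this page rather than taken from any programme tool, of runbook A's "correlate CVEs; block release if policy fails" step wired to the §3 patch SLAs and the exception rule in §3/Annex E §14. The signal‑to‑band mapping, the register field names and all package names and advisory ids are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

PATCH_SLA_DAYS = {"P0": 7, "P1": 14, "P2": 30, "P3": 90}   # §3 patch deadlines, days from first signal
P0_SIGNALS = {"active_exploit", "external_exposure", "high_impact"}   # §3 P0 criteria
P1_SIGNALS = {"likely_exploitation", "large_blast_radius"}            # §3 P1 criteria

def rate(signals):
    """Map feed signals onto the §3 bands. Assumption: a finding carrying none of the
    P0/P1 signals is held at P2 until triage explicitly downgrades it to P3."""
    if signals & P0_SIGNALS:
        return "P0"
    if signals & P1_SIGNALS:
        return "P1"
    return "P2"

def exception_valid(exc, now):
    """§3 / Annex E §14: an exception needs CISO approval, a compensating control and an unexpired date."""
    return bool(exc["ciso_approved"]) and bool(exc["compensating_control"]) and exc["expires"] > now

def release_gate(sbom, feed, exceptions, first_signal, now):
    """Correlate SBOM purls with the feed, rate each hit, compute its patch due date and
    block release on any unexcused P0/P1 (runbook 6A: 'block release if policy fails')."""
    purls = {c["purl"] for c in sbom["components"]}
    findings, blockers = [], []
    for adv in feed:
        hit = purls & set(adv["purls"])
        if not hit:
            continue
        sev = rate(set(adv["signals"]))
        due = first_signal + timedelta(days=PATCH_SLA_DAYS[sev])
        exc = exceptions.get(adv["id"])
        excused = exc is not None and exception_valid(exc, now)
        findings.append({"id": adv["id"], "severity": sev, "components": sorted(hit),
                         "patch_due": due, "overdue": now > due, "excused": excused})
        if sev in ("P0", "P1") and not excused:
            blockers.append(adv["id"])
    return {"release_allowed": not blockers, "blockers": blockers, "findings": findings}

# Constructed sample inputs: the package names and advisory ids are placeholders, not real ones.
SBOM = {"components": [{"name": "libalpha", "purl": "pkg:pypi/libalpha@1.2.3"},
                       {"name": "libbeta", "purl": "pkg:pypi/libbeta@4.0.0"},
                       {"name": "libgamma", "purl": "pkg:pypi/libgamma@2.1.0"}]}
FEED = [{"id": "ADV-EXAMPLE-1", "purls": ["pkg:pypi/libalpha@1.2.3"], "signals": ["active_exploit"]},
        {"id": "ADV-EXAMPLE-2", "purls": ["pkg:pypi/libbeta@4.0.0"], "signals": ["likely_exploitation"]},
        {"id": "ADV-EXAMPLE-3", "purls": ["pkg:pypi/libgamma@2.1.0"], "signals": []},
        {"id": "ADV-EXAMPLE-4", "purls": ["pkg:pypi/other@9.9.9"], "signals": ["active_exploit"]}]
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
FIRST_SIGNAL = NOW - timedelta(days=8)   # the P0 finding is already one day past its 7-day SLA
EXCEPTIONS = {"ADV-EXAMPLE-2": {"ciso_approved": True, "compensating_control": "WAF virtual patch",
                                "expires": NOW + timedelta(days=30)}}
```

Calling `release_gate(SBOM, FEED, EXCEPTIONS, FIRST_SIGNAL, NOW)` blocks the release on the unexcused, overdue P0 while the P1 covered by a valid register entry does not block; an expired entry would not excuse it.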
B) Cloud/SDZ Misconfiguration
- Apply guard‑rail policies (deny egress, private endpoints); rotate credentials; enable logging at high fidelity.
- Run configuration baselines (CIS) and drift detection; validate no data egress; document RDR if cross‑border risk.
C) Compromised Credential/Key
- Immediate revoke/rotate (≤ 4 hours); enumerate blast radius; invalidate sessions; increase monitoring; attest new key custody.
D) Third‑Party/Vendor Incident
- Trigger vendor contract clauses (notice, audit, remediation); assess data exposure; switch to approved alternates; notify customers/PoRs with vendor status.
E) Suspected/Actual Data Breach
- DPO leads risk assessment (likelihood/severity); decide notification per Annex C timelines (e.g., GDPR 72h, PDPA ≤3 days after assessment).
- Prepare notices (facts, scope, mitigations, next steps); activate call‑centre/FAQ if needed; honour DSRs.
F) Ransomware/Destructive Attack
- Isolate segments; disable lateral movement; preserve forensics; assess decryption feasibility.
- Restore from offline backups (test integrity); consider law‑enforcement; follow sanctions guidance (no prohibited payments); execute crisis comms.
7) Communications & Notifications
- Internal: IC sends incident bulletins (scope, severity, next actions) on fixed cadence.
- External:
– Protocol Custodian & GRF Register: Notify ≤ 24 hours for P0; dual‑log material actions.
– Customers/PoRs: Facts, indicators to watch, mitigations, timelines.
– Regulators: DPO/GC follow jurisdictional clocks in Annex C (attach DPIA/Breach Assessment).
– Press/Media: Only via Comms Lead with GC approval; use approved templates.
Template Pack (attached): Initial Advisory, Customer Notice, Regulator Notice Outline, Press Holding Statement.
8) Evidence, Forensics & Chain of Custody
- Snapshot volatile data; preserve logs; export signed copies to immutable store.
- Maintain chain‑of‑custody records for all evidence; store hashes; time‑synchronise via trusted NTP.
- Engage forensics partner under GC to preserve privilege where applicable.
9) Vulnerability Lifecycle (non‑incident)
- Continuous scanning: Code, builds, containers, hosts, networks.
- Intake & triage: Map to severity table; create remediation tasks; link to SBOM components.
- Fix/verify/close: Peer review, test, deploy; verify via scanners; document closure.
- Metrics: Patch SLO compliance by severity; aged open vulns; repeat findings; % with compensating controls.
10) Testing, Drills & Assurance
- Tabletop exercises (quarterly): Alternate scenarios (supply‑chain exploit, vendor breach, SDZ exfiltration, ransomware). Include Legal, DPO, Comms, Regional Leads.
- Live play (semi‑annual): Red/blue/purple team with production‑safe scope.
- Pen‑tests: At least annually and after major change.
- Control validation: Test SIEM rules, EDR coverage, backup restores, key rotations.
- After‑action: Issue report with owners/dates; track to closure in GRC.
11) Records & Reporting
Maintain: incident tickets, timelines, decisions, approvals, evidence logs, notifications, customer comms, DPIA/breach assessments, and post‑mortems. Quarterly board report: the metrics in §9 plus MTTR/MTTD, outage minutes, and trend analysis.
12) Enforcement
Non‑compliance (missed SLAs, notification failures, uncontrolled scope) may lead to access suspension, disciplinary action up to termination, vendor sanctions, and regulatory notifications where required.
13) Effective Date & Governance
Adopted by the Board(s) of all regional operators on [●] and incorporated by reference into Charters/Bylaws and security/engineering SOPs. Class B to amend/strengthen; Class A required to weaken SLAs or notification timelines.