Incident Response & Security Vulnerability Policy
Effective Date: 28th August, 2024
Last Updated: 30th November, 2024
1. Introduction
Suprdense (“the Company,” “we,” “us,” or “our”) recognizes that robust security and incident handling processes are critical to protecting our customers, users, and corporate data assets. This Incident Response & Security Vulnerability Policy (“Policy”) outlines the procedures, responsibilities, and guidelines for identifying, containing, and resolving information security incidents, including data breaches, system compromises, or vulnerabilities discovered within Suprdense’s services and infrastructure.
2. Purpose & Scope
- Purpose:
  - Define clear roles and responsibilities during security incidents.
  - Establish procedures for identifying, reporting, containing, and remediating security vulnerabilities and incidents.
  - Ensure compliance with all applicable legal, regulatory, and contractual obligations.
- Scope:
  - Applies to all Suprdense employees, contractors, and any authorized third party who handles Suprdense data or systems.
  - Covers all stages of an incident, from initial detection to post-incident review, as well as proactive vulnerability management.
3. Definitions
- Security Incident: Any event that compromises the confidentiality, integrity, or availability of Suprdense’s systems, services, or data.
- Data Breach: A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
- Incident Response Team (IRT): A group of individuals within Suprdense (and external experts where applicable) responsible for managing the response to and resolution of an incident.
- Vulnerability: A weakness or flaw in software, hardware, or organizational processes that, if exploited, could lead to a security incident.
4. Roles & Responsibilities
- Chief Information Security Officer (CISO):
  - Oversees the development, implementation, and maintenance of Suprdense’s security incident policies.
  - Coordinates high-level decision-making and escalations during a security incident.
- Incident Response Team (IRT):
  - Primary Incident Manager (IM): Directs the IRT and ensures all incident-response tasks are completed.
  - Technical Specialists: Provide in-depth analysis, containment, and remediation strategies.
  - Legal & Compliance Advisors: Advise on regulatory and legal reporting obligations.
  - Communications & PR: Manage external and internal communications under the direction of the IM.
- Employees & Contractors:
  - All personnel must promptly report suspected or confirmed security incidents to their immediate supervisor or directly to the Security Lead.
- Third-Party Vendors/Sub-Processors:
  - Must adhere to Suprdense’s security requirements as stated in service agreements.
  - Must notify Suprdense of any incidents that could impact Suprdense’s data or systems within the agreed-upon notification timeframe (typically 24 hours, or as contractually mandated).
5. Incident Response Lifecycle
Suprdense follows a structured approach aligned with industry best practices (including NIST’s Computer Security Incident Handling Guide):
- Preparation
  - Policies & Procedures: Maintain up-to-date incident response policies, risk assessments, and playbooks.
  - Training & Drills: Conduct regular security training and incident response exercises for all employees.
  - Tooling & Monitoring: Ensure appropriate security tools are in place and properly configured.
- Detection & Analysis
  - Monitoring: Continuously monitor logs, alerts, and system behaviors to identify potential incidents.
  - Validation: Once an alert is generated, technical specialists validate whether it constitutes a genuine incident.
  - Classification: Assign a severity level based on potential impact and urgency (e.g., Critical, High, Medium, Low).
- Containment
  - Short-Term Containment: Swiftly isolate affected systems or networks to prevent further damage.
  - Long-Term Containment: Temporarily apply fixes to ensure compromised systems are not re-exploited while a permanent solution is developed.
- Eradication
  - Root Cause Analysis: Identify the underlying vulnerability or method of compromise.
  - Remove Threats: Eliminate malicious code, close vulnerabilities, and revoke compromised credentials.
- Recovery
  - System Restoration: Safely restore systems from clean backups, ensuring no residual malicious activity remains.
  - Validation: Test systems thoroughly to confirm normal operations before resuming production.
- Post-Incident Activity
  - Incident Review: Conduct a thorough post-mortem to analyze the efficacy of the response and identify areas for improvement.
  - Documentation & Reporting: Compile an incident report detailing root causes, containment measures, recovery steps, and lessons learned.
  - Policy Update: Update this Policy or related procedures as necessary to enhance future response capabilities.
6. Incident Severity & Response Matrix
Below is a high-level matrix outlining the typical response timelines and actions based on severity:
| Severity Level | Definition | Response Time | Actions |
| --- | --- | --- | --- |
| Critical | Threatens core systems, large-scale data breach, or immediate risk to business continuity. | Immediate (within 1 hour) | Immediate full IRT activation; contain affected systems; initiate legal & regulatory notifications (if required) |
| High | Significant impact on operations or potential data exposure; risk to multiple systems or services. | Within 2-4 hours | Partial or full IRT activation; enhanced monitoring & containment; prepare public/customer communications if needed |
| Medium | Localized or potentially exploitable vulnerability with moderate impact. | Within 8-24 hours | Technical teams address the vulnerability; evaluate system containment & patching; document & monitor remediation |
| Low | Minor issue or potential flaw with minimal immediate impact. | Within 1-2 business days | Address issue in the upcoming patch cycle; log & document for future prevention |
7. Vulnerability Management
- Discovery & Identification
  - Automated Scans: Conduct regular vulnerability scans on networks, applications, and endpoints.
  - Manual Assessments: Periodic penetration tests and code reviews to identify hidden weaknesses.
  - Bug Bounty / Responsible Disclosure: Where applicable, encourage security researchers and ethical hackers to report vulnerabilities responsibly.
- Prioritization
  - Assign a severity rating (e.g., Critical, High, Medium, Low) to each discovered vulnerability based on potential business and data risk.
- Remediation
  - Patching: Apply software or firmware fixes as soon as feasible.
  - Configuration Changes: Harden systems by updating configurations, network rules, or access controls.
  - Communication: Notify relevant stakeholders of planned changes or temporary downtime to implement fixes.
- Validation & Monitoring
  - Re-Testing: Conduct re-tests to confirm successful remediation.
  - Continuous Monitoring: Watch for recurrence or related new vulnerabilities.
8. Communication & Escalation
- Internal Communications
  - Status Updates: Provide regular updates to the IRT, management, and impacted teams.
  - Escalation Path: If an incident escalates in severity, the IM coordinates with executive leadership for additional resources or approvals.
- External Communications
  - Customer Notification: If personal data or service integrity is impacted, Suprdense may notify affected customers promptly, as required by law or contract.
  - Regulatory Bodies: For incidents involving personal data breaches, Suprdense may notify the relevant Data Protection Authorities within legally mandated timeframes.
  - Public Statements: All external statements are coordinated by the PR/Communications team under direction from executive leadership to maintain accuracy and consistency.
9. Attestation & Documentation
- CIRP Documentation:
  - Suprdense maintains a detailed Cyber Incident Response Plan (CIRP) that includes contact lists, escalation paths, and playbooks for various incident scenarios (e.g., malware, denial-of-service, data breach).
  - This CIRP is available for review by customers under NDA or as required by regulatory bodies.
- Incident Reports:
  - For each security incident, Suprdense documents all investigation details, root cause analysis, and remediation steps.
  - Aggregate incident metrics are reviewed internally to improve overall security posture.
- Compliance Audits:
  - Suprdense may undergo third-party audits or certifications (e.g., ISO 27001, SOC 2) that evaluate the effectiveness of our security controls, including this incident response framework.
10. Testing & Training
- Simulation Exercises:
  - Tabletop Exercises: Regular simulations to practice roles and responsibilities in a virtual scenario.
  - Penetration Tests: Conducted periodically by internal or external experts to test defenses and incident response readiness.
- Training:
  - Annual security awareness training for all employees.
  - Specialized technical training for the IRT to keep skills and knowledge current.
11. Policy Compliance & Review
- Compliance:
  - All employees, contractors, and sub-processors must comply with this Policy. Non-compliance may result in disciplinary action or contract termination.
- Review & Updates:
  - This Policy is reviewed at least annually, or after a major security incident, regulatory change, or infrastructure overhaul. Revisions are approved by the CISO or executive management.
12. Contact & Further Information
For questions regarding this Policy or the incident response program, please contact:
Security Department
Suprdense
talk@suprdense.com