Security Incident Response Plan
Aligned to the NIST Cybersecurity Framework. Covers detection, response, containment, eradication, recovery, and lessons learned for all security incident types.
Security Incident: Do not attempt to investigate or remediate alone. Preserve evidence.
Incident Classification
| Incident Type | Description | Severity | Playbook |
|---|---|---|---|
| Data Breach | Unauthorised access to, disclosure of, or loss of personal or confidential data | Critical | Data Breach Playbook |
| Ransomware | Malware that encrypts data and demands payment for decryption | Critical | Ransomware Playbook |
| DDoS Attack | Distributed Denial of Service attack against client or ASI infrastructure | High | DDoS Playbook |
| Insider Threat | Malicious or negligent action by an employee, contractor, or trusted party | High | Insider Threat Playbook |
| Phishing / BEC | Social engineering attacks including business email compromise | Medium-High | Phishing Playbook |
Severity Levels
| Severity | Criteria | Response Timeframe | Escalation |
|---|---|---|---|
| Critical | Active data breach, ransomware execution, APT detected, regulatory notification likely | Immediate (within 15 min) | CEO, Legal, affected clients immediately |
| High | Active attack in progress, privilege escalation, significant malware spread | Within 30 min | Head of Security, VP Ops within 1 hour |
| Medium | Contained malware, suspicious activity under investigation, policy violation | Within 2 hours | CSIRT Lead within 4 hours |
| Low | False positive confirmed, minor policy exception, unsuccessful attack blocked | Within 1 business day (BD) | Log and monitor |
Response Phases (NIST Framework)
Phase 1: Preparation
Ongoing activities that ensure the CSIRT is ready to respond effectively.
Team Readiness
- CSIRT members trained and certified (GCIH, GCFE, or equivalent)
- On-call rotation: 24/7 coverage with 15-minute response SLA
- Tabletop exercises conducted quarterly
- Full simulation exercise conducted annually
- Cross-training with Service Delivery and Cloud teams
Tools & Infrastructure
- SIEM: Microsoft Sentinel + ASI AI Sentinel integration
- EDR: CrowdStrike Falcon
- Forensics: Velociraptor, Magnet AXIOM, FTK Imager
- Threat Intelligence: MISP, ASD threat feeds, CrowdStrike Intel
- Communication: Dedicated encrypted Teams channel + out-of-band Signal group
Phase 2: Detection & Analysis
Alert Triage
Security alerts from SIEM, EDR, email security, AI threat detection, and user reports are triaged by the on-call CSIRT analyst. AI-powered correlation reduces alert fatigue by grouping related events and scoring threat confidence (0-100).
IOC Analysis
Indicators of Compromise (IOCs) are extracted and cross-referenced with threat intelligence feeds. AI models compare behavioural patterns against known TTPs (MITRE ATT&CK mapped). Determine if the alert is a true positive.
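Worked example for the triage and IOC steps above, added to this page and not part of the plan or of ASI's Sentinel integration: a deterministic stand-in that extracts IP, domain and SHA-256 indicators from free-text alert detail, cross-references them against a small constructed intelligence set (standing in for MISP or a vendor feed), groups alerts that share a host or an indicator within a 15-minute window, and produces a 0-100 confidence score from a fixed heuristic rather than a model. All alerts, indicators, hosts and timestamps are constructed; the regexes are deliberately simple.

```python
import re

# Constructed threat-intelligence indicators (documentation ranges and a dummy hash),
# standing in for MISP / vendor feed lookups. Not real IoCs.
THREAT_INTEL = {
    "ipv4":   {"203.0.113.45"},
    "domain": {"updates-cdn.example.net"},
    "sha256": {"ab" * 32},
}

# Constructed alerts as a SIEM might export them (ts = epoch seconds, constructed).
SAMPLE_ALERTS = [
    {"id": "A-1", "ts": 1000, "source": "EDR", "host": "ws-0412",
     "detail": "powershell.exe connected to 203.0.113.45:443 (updates-cdn.example.net), "
               "dropped file sha256=" + "ab" * 32},
    {"id": "A-2", "ts": 1060, "source": "DNS", "host": "ws-0412",
     "detail": "query updates-cdn.example.net -> 203.0.113.45"},
    {"id": "A-3", "ts": 1300, "source": "Proxy", "host": "ws-0350",
     "detail": "CONNECT 203.0.113.45:443 user-agent curl/8.0"},
    {"id": "A-4", "ts": 5000, "source": "Email", "host": "ws-0199",
     "detail": "attachment quarantined sha256=" + "cd" * 32},
]

IOC_PATTERNS = {
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b"),
}
# Tokens the domain pattern also matches but which are file names, not hosts.
NOT_DOMAINS = {"exe", "dll", "ps1", "bat", "docx", "xlsx", "zip"}


def extract_iocs(text):
    """Return {ioc_type: set(values)} found in free-text alert detail."""
    text = text.lower()
    found = {kind: set(p.findall(text)) for kind, p in IOC_PATTERNS.items()}
    found["domain"] = {d for d in found["domain"] if d.rsplit(".", 1)[-1] not in NOT_DOMAINS}
    return found


def match_intel(iocs, intel=THREAT_INTEL):
    """Cross-reference extracted IOCs with the intelligence set, per indicator type."""
    return {kind: vals & intel.get(kind, set()) for kind, vals in iocs.items()}


def correlate(alerts, window_s=900):
    """Group alerts that share a host or an IOC and arrive within window_s of the group's last alert."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        iocs = extract_iocs(alert["detail"])
        keys = {("host", alert["host"])} | {(k, v) for k, vs in iocs.items() for v in vs}
        for inc in incidents:
            if alert["ts"] - inc["last_ts"] <= window_s and keys & inc["keys"]:
                inc["alerts"].append(alert)
                inc["keys"] |= keys
                inc["last_ts"] = alert["ts"]
                break
        else:  # no existing group shares a key within the window: start a new one
            incidents.append({"alerts": [alert], "keys": keys, "last_ts": alert["ts"]})
    return incidents


def confidence(incident):
    """Fixed 0-100 heuristic standing in for the ML score: intel hits weigh most,
    corroboration from independent sources and alert volume add, capped at 100."""
    hits, sources = set(), set()
    for alert in incident["alerts"]:
        sources.add(alert["source"])
        for kind, vals in match_intel(extract_iocs(alert["detail"])).items():
            hits |= {(kind, v) for v in vals}
    score = (10 + 30 * min(len(hits), 2) + 15 * (len(sources) - 1)
             + 10 * min(len(incident["alerts"]) - 1, 2))
    return min(score, 100)


def triage(alerts):
    """Incident summaries for the on-call analyst, highest confidence first."""
    rows = [{"alerts": [a["id"] for a in inc["alerts"]],
             "hosts": sorted({a["host"] for a in inc["alerts"]}),
             "confidence": confidence(inc)} for inc in correlate(alerts)]
    return sorted(rows, key=lambda r: r["confidence"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Run as a script it prints one grouped incident for the EDR, DNS and proxy alerts tied together by the shared address and host, and a separate low-confidence group for the unrelated quarantined attachment; the grouped incident is what the analyst would open first, and the score is what would feed the severity decision below.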
Scope Assessment
Determine the scope: How many systems/users are affected? What data is at risk? Is the attack ongoing? Use EDR telemetry and network logs to map the blast radius.
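Worked example for the scope assessment, added here and not the plan's own tooling: mapping the blast radius from lateral-movement telemetry. Given constructed authentication and connection events plus the patient-zero host and its compromise time, it walks only edges that leave an already-affected host after that host's own earliest compromise time, so a connection that predates the compromise does not inflate the scope. Hosts, accounts, timestamps and the per-host data classification are constructed placeholders.

```python
from collections import deque

# Constructed lateral-movement telemetry (logons and connections as an EDR or domain
# controller would record them). Times are epoch seconds; hosts and users are placeholders.
EVENTS = [
    {"ts":  50, "src": "ws-0199", "dst": "fs-01",   "user": "m.santos",   "via": "smb"},
    {"ts": 100, "src": "ws-0412", "dst": "fs-01",   "user": "j.lee",      "via": "smb"},
    {"ts": 130, "src": "ws-0412", "dst": "ws-0350", "user": "svc-backup", "via": "rdp"},
    {"ts": 200, "src": "ws-0350", "dst": "dc-01",   "user": "svc-backup", "via": "ldap"},
    {"ts": 400, "src": "fs-01",   "dst": "ws-0199", "user": "svc-backup", "via": "smb"},
]

# Constructed data-classification tags per host, to answer "what data is at risk?".
DATA_BY_HOST = {
    "fs-01": "client files (contains personal information)",
    "dc-01": "Active Directory credentials",
    "ws-0350": "finance workstation",
}


def blast_radius(events, patient_zero, compromise_ts):
    """Time-respecting reachability from patient zero.

    Returns (earliest, users): earliest maps each affected host to the earliest time it
    could have been reached; users is the set of accounts seen on attack-path edges.
    An edge counts only if it leaves a host at or after that host's own earliest time.
    """
    earliest = {patient_zero: compromise_ts}
    users = set()
    by_src = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src.setdefault(e["src"], []).append(e)
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for e in by_src.get(host, []):
            if e["ts"] < earliest[host]:
                continue  # predates the compromise of its source: not part of the attack path
            users.add(e["user"])
            if e["ts"] < earliest.get(e["dst"], float("inf")):
                earliest[e["dst"]] = e["ts"]
                queue.append(e["dst"])  # re-queued if a shorter path is found later
    return earliest, users


def scope_report(events, patient_zero, compromise_ts, data_by_host=DATA_BY_HOST):
    """Answers the four scope questions: how many hosts, which accounts, what data, in what order."""
    earliest, users = blast_radius(events, patient_zero, compromise_ts)
    return {
        "hosts": sorted(earliest),
        "users": sorted(users),
        "data_at_risk": {h: data_by_host[h] for h in sorted(earliest) if h in data_by_host},
        "timeline": sorted(earliest.items(), key=lambda kv: kv[1]),
    }


if __name__ == "__main__":
    report = scope_report(EVENTS, "ws-0412", compromise_ts=90)
    print(f"{len(report['hosts'])} hosts, {len(report['users'])} accounts")
    for host, ts in report["timeline"]:
        print(f"  t={ts:<4} {host:<8} {report['data_at_risk'].get(host, '')}")
```

In the constructed data the early connection from ws-0199 to the file server (t=50) is excluded because ws-0199 is only reached at t=400, which keeps m.santos out of the affected-account list; the same traversal over real EDR and authentication logs is what the "is the attack ongoing" question is answered from, by checking whether the latest edge is recent.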
Classification & Escalation
Classify the incident type and severity per the matrix above. Escalate to appropriate personnel and notify the CSIRT Lead. Declare a security incident in ServiceNow.
Phase 3: Containment
Short-Term Containment
Immediate actions to stop the attack from spreading:
- Isolate affected endpoints (network quarantine via CrowdStrike)
- Block malicious IPs/domains at firewall and DNS level
- Disable compromised accounts
- Preserve volatile evidence (memory dumps, running processes)
- Redirect traffic if the incident is a DDoS attack
Decision point: Can business continue with affected systems isolated? If not, escalate to CEO for business impact decision.
Long-Term Containment
Sustainable containment while eradication is planned:
- Implement temporary firewall rules and network segmentation
- Deploy additional monitoring on adjacent systems
- Rebuild affected systems from clean images (if needed)
- Force password resets for potentially compromised accounts
- Enable enhanced logging on all related systems
Phase 4: Eradication
- Identify and remove root cause (malware, backdoors, compromised credentials, vulnerable software)
- Patch exploited vulnerabilities
- Rebuild compromised systems from known-good images
- Rotate all credentials that may have been exposed
- Update security controls (firewall rules, email filters, EDR policies)
- Verify eradication with thorough scan and forensic review
Phase 5: Recovery
- Restore systems from verified clean backups
- Gradually reconnect isolated systems to the network (monitored)
- Validate all services are functioning correctly
- Monitor for any signs of re-infection for a minimum of 30 days
- Confirm with affected clients that services are restored
- Maintain elevated monitoring thresholds during recovery period
Phase 6: Lessons Learned
- Post-Incident Review conducted within 5 business days of incident closure
- All CSIRT members and key stakeholders participate
- Timeline reconstruction: what happened, when, how did we respond
- Root cause analysis and contributing factors
- Review of detection effectiveness: how quickly did we detect? Could we have detected sooner?
- Review of response effectiveness: what worked, what did not
- Improvement actions documented with owners and deadlines
- Update playbooks, procedures, and training materials
- Report shared with leadership and affected clients (sanitised version)
Notification Requirements (OAIC Notifiable Data Breaches)
Notification Decision Process
- Assessment (within 30 days max, but aim for 72 hours): Determine if the breach is an "eligible data breach" — i.e., likely to result in serious harm to any individual
- Legal review: ASI Legal Counsel and Privacy Officer must be consulted before notification decision
- OAIC notification: Submit notification via the OAIC NDB portal (notifiabledatabreaches.gov.au)
- Individual notification: Notify affected individuals with:
  - Description of the breach
  - The types of information involved
  - Recommended steps individuals should take
  - ASI contact details for enquiries
- Client notification: Notify affected clients per contractual obligations (typically within 24 hours of ASI becoming aware)
Authority Contacts
| Authority | When to Contact | Contact Method |
|---|---|---|
| OAIC | Eligible data breach involving personal information | NDB portal: oaic.gov.au |
| ACSC (ASD) | Significant cyber security incident | cyber.gov.au/report or 1300 CYBER1 |
| AFP | Suspected criminal activity (fraud, extortion, espionage) | AFP referral via ACSC or direct |
| APRA | Breach affecting APRA-regulated client (financial services) | As per client's APRA notification obligations |
Communication Plan
| Audience | Timing | Channel | Content | Responsible |
|---|---|---|---|---|
| CSIRT (internal) | Immediately | PagerDuty + encrypted Teams channel | Full technical details | On-call analyst |
| ASI Leadership | Within 1 hour (Critical) | Phone + email | Summary, impact, actions being taken | CSIRT Lead |
| Affected Client(s) | Within 2 hours (Critical) | Phone call + email | What happened, impact, what we're doing, next update time | SDM + CSIRT Lead |
| All Clients (if widespread) | Within 4 hours | Email + status page | Advisory with recommended actions | Head of Security |
| Regulators (OAIC, ACSC) | Within 72 hours (if data breach) | Official portals | Formal notification per requirements | Privacy Officer + Legal |
| Media (if needed) | As directed by CEO | Prepared statement only | Approved statement. No technical details. | CEO + external PR firm |
CSIRT Team Structure
CSIRT Contact List (Template)
| Role | Primary | Backup | Contact |
|---|---|---|---|
| CSIRT Lead | Priya Sharma | Alex Mikhailov | PagerDuty: security-lead |
| Incident Commander | Rotating on-call | CSIRT Lead | PagerDuty: security-oncall |
| Forensic Analyst | Jordan Lee | Sam Blackwell | PagerDuty: security-forensics |
| Threat Intel Analyst | Maria Santos | Jordan Lee | PagerDuty: security-intel |
| Network/Cloud Specialist | From Cloud & Infra team | — | PagerDuty: cloud-oncall |
| Communications Lead | Sarah Chen (SD) | Emma Thompson (P&C) | Direct phone |
| Legal Counsel | External firm (Clayton Utz) | — | Partner direct line (in IR retainer) |
| Privacy Officer | Priya Sharma | Tom Nguyen | Direct phone |
| Executive Sponsor | CEO | VP Operations | Direct phone |
Full contact details (mobile numbers, personal emails) maintained in a sealed envelope in the CEO's office and in an encrypted offline document accessible to CSIRT Lead and CEO only.
Playbook Summaries
Playbook 1: Data Breach
- Detect: SIEM alert on data exfiltration, DLP trigger, user report, or third-party notification
- Validate: Confirm data has been accessed/exfiltrated. Identify data types and volume.
- Contain: Block exfiltration channel, disable compromised accounts, isolate affected systems
- Assess: Determine if personal information is involved (Privacy Act trigger). Quantify affected records.
- Notify: Legal Counsel immediately. OAIC within 72 hours if eligible data breach. Affected individuals as required.
- Eradicate: Remove attacker access, patch vulnerability, rotate credentials
- Recover: Restore services, implement additional DLP controls, enhance monitoring
- Review: Full PIR within 5 BD. Update DLP policies. Regulatory reporting follow-up.
Playbook 2: Ransomware
- Detect: EDR alert on encryption activity, user reports files inaccessible, ransom note displayed
- Contain IMMEDIATELY: Isolate affected endpoints from network. Shut down file shares. Disable SMB if worm-like spread.
- Assess: Identify ransomware variant (CrowdStrike + VirusTotal). Determine encryption scope. Check backup integrity.
- Decision: Assess recovery options. ASI policy: do NOT pay ransom without CEO + Legal + Law enforcement consultation.
- Eradicate: Rebuild affected systems from clean images. Patch entry point vulnerability.
- Recover: Restore data from verified clean backups. Validate data integrity. Gradual network reconnection.
- Report: ACSC notification. OAIC if personal data involved. AFP if criminal investigation warranted.
- Review: Full PIR. Review backup strategy. Implement additional controls (e.g., immutable backups).
Playbook 3: DDoS Attack
- Detect: AI Sentinel traffic anomaly alert, monitoring system latency spike, client reports service unavailability
- Classify: Volumetric, protocol, or application-layer attack. Identify target (client, ASI infrastructure).
- Mitigate: Activate DDoS protection (Cloudflare / Azure DDoS Protection). Implement rate limiting. GeoIP blocking if source is concentrated.
- Communicate: Notify affected clients. Update status page.
- Monitor: Track attack pattern changes. Adjust mitigation rules as attack evolves.
- Recover: Confirm services restored. Maintain elevated DDoS protection for 72 hours post-attack.
- Report: ACSC notification if significant. PIR within 5 BD.
Playbook 4: Insider Threat
- Detect: UEBA (User and Entity Behaviour Analytics) alert, DLP trigger, manager report, anonymous tip
- Validate discreetly: Review access logs, file activity, email patterns. Do NOT alert the subject.
- Escalate: CSIRT Lead + Head of People & Culture + Legal Counsel. Determine if malicious or negligent.
- Contain: Adjust access permissions covertly. Increase monitoring. Preserve evidence chain.
- Investigation: Formal investigation per HR policy. Forensic evidence collection if criminal activity suspected.
- Action: Per HR investigation outcome (counselling, termination, law enforcement referral)
- Remediate: Revoke all access, collect assets, review access of similar roles for systemic gaps
- Review: PIR focusing on detection gaps and access control improvements
Playbook 5: Phishing / Business Email Compromise
- Detect: User report (phish button), email security alert, AI analysis of suspicious email patterns
- Validate: Analyse email headers, URLs, and attachments in sandbox. Check for credential harvesting.
- Contain: Block sender and URLs across all mailboxes (retrospective purge). Reset passwords for anyone who clicked.
- BEC-specific: If financial fraud attempted, immediately contact bank to reverse/freeze transactions. Notify Finance.
- Assess scope: Search for similar emails across all mailboxes. Check if credentials were entered on phishing site.
- Remediate: MFA enrollment check, email filtering rule update, user security awareness follow-up
- Communicate: Send advisory to all staff if widespread campaign. Targeted coaching for users who fell for the phish.
- Report: ACSC if significant campaign. Log in threat intelligence platform.
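Worked example for the Validate step of this playbook, added here and not ASI's email security tooling: a header and URL check over two constructed messages using Python's standard email library. It reads the receiving MX's Authentication-Results header for the SPF/DKIM/DMARC verdicts, compares the From domain with Return-Path and Reply-To, flags an external sender domain or display name that borrows the organisation's name, and lists links whose host is outside the organisation's domains. ORG_DOMAINS, ORG_NAME and both messages are constructed assumptions; the output is a set of triage signals for the analyst, not a verdict on its own.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed organisation domains and short name (placeholders, not ASI's real ones).
ORG_DOMAINS = {"asi.example.com"}
ORG_NAME = "asi"

# Constructed messages: a supplier-invoice lure and a legitimate internal mail.
LURE_EMAIL = b"""\
From: "ASI Finance" <accounts@asi-invoices.example.com>
Reply-To: payments@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
To: j.lee@asi.example.com
Subject: Urgent: overdue invoice
Authentication-Results: mx.asi.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=asi-invoices.example.com
Content-Type: text/plain; charset=utf-8

Please review the overdue invoice at https://login.asi-invoices.example.com/auth before 5pm today.
"""

INTERNAL_EMAIL = b"""\
From: "Priya Sharma" <p.sharma@asi.example.com>
Return-Path: <p.sharma@asi.example.com>
To: j.lee@asi.example.com
Subject: Tabletop exercise schedule
Authentication-Results: mx.asi.example.com; spf=pass smtp.mailfrom=asi.example.com; dkim=pass header.d=asi.example.com; dmarc=pass header.from=asi.example.com
Content-Type: text/plain; charset=utf-8

Agenda is on the intranet: https://intranet.asi.example.com/csirt/tabletop
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_org_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the receiving MX's Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def extract_urls(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []


def analyse(raw):
    """Return the checks an analyst runs first, as a set of finding tags plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    auth = auth_results(msg)
    findings = set()
    if auth.get("spf") == "fail" or auth.get("dmarc") == "fail":
        findings.add("auth_fail")          # sending host not authorised for the From domain
    for hdr, tag in (("Return-Path", "return_path_mismatch"), ("Reply-To", "reply_to_mismatch")):
        dom = domain_of(parseaddr(str(msg.get(hdr, "")))[1])
        if dom and dom != from_dom:
            findings.add(tag)              # bounces or replies go somewhere other than From
    if not is_org_host(from_dom) and (ORG_NAME in from_dom or ORG_NAME in display.lower()):
        findings.add("lookalike_sender")   # org name borrowed by an external domain / display name
    urls = extract_urls(msg)
    if any(not is_org_host(urlsplit(u).hostname) for u in urls):
        findings.add("external_url")       # candidate for sandbox detonation / credential-harvest check
    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "clean")
    return {"from": from_addr, "auth": auth, "urls": urls,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("internal", INTERNAL_EMAIL)):
        result = analyse(raw)
        print(name, result["verdict"], sorted(result["findings"]), result["urls"])
```

The finding tags map onto the later steps of the playbook: an external URL is what goes to the sandbox, an authentication failure on a lookalike domain is the trigger for the retrospective purge and sender block, and a Reply-To pointing elsewhere is the BEC pattern that should prompt the Finance check before any payment detail is acted on.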