Incident Response Plan
1. Introduction
This Incident Response Plan (IRP) describes the process Eververse follows to detect, contain, mitigate, and recover from security incidents. It is designed to minimize the impact of security breaches on the Eververse platform, safeguard customer data, and ensure timely recovery of operations.
2. Objectives
The objectives of this Incident Response Plan are to:
- Detect security incidents in a timely manner.
- Contain and mitigate the impact of incidents to prevent further damage.
- Recover services as quickly as possible and ensure data integrity.
- Document and analyze incidents to improve future responses.
3. Scope
This plan applies to all types of security incidents, including:
- Data breaches
- Unauthorized access
- Distributed Denial of Service (DDoS) attacks
- Malware or ransomware attacks
- Phishing attempts or social engineering
It applies to all systems and services associated with Eververse, including the platform, databases, internal networks, and third-party services (Vercel, Supabase, BetterStack).
4. Incident Response Team (IRT)
The Incident Response Team (IRT) is responsible for handling security incidents. Depending on the severity of the incident and the capacity of the team, these roles may be filled by the same or by different people. The IRT consists of:
- Chief Information Security Officer (CISO): Leads the team, coordinates the response, and communicates with stakeholders.
- Security Engineers: Analyze and address technical aspects of the incident.
- Operations Team: Ensures services are restored and coordinates with third-party vendors.
- Legal and Compliance: Involved if incidents require notification to regulatory bodies or customers.
- Customer Support: Communicates with affected customers during and after the incident.
5. Incident Response Phases
5.1 Detection
- Monitoring Tools: Our uptime monitoring provider is the primary monitoring and alerting system used to detect anomalies such as service disruptions, unauthorized access, or unusual network activity. Our hosting platform, which also provides monitoring and alerting for the platform, as well as a firewall, DDoS mitigation and more, is used as a secondary monitoring system. Finally, our database provider's monitoring and alerting for the database is used as a tertiary monitoring system.
- Alerts: Automatic alerts from our infrastructure providers will trigger when thresholds for suspicious activity (e.g., failed logins or data exfiltration) are exceeded.
- User Reports: Employees, partners, and customers may report potential security incidents. All reports must be forwarded to the Incident Response Team immediately.
Key Detection Tools:
- Uptime Monitoring System Logs & Alerts
- Internal Application Logs
- Hosting Platform Deployment Logs
- Database Monitoring
5.2 Containment
- Initial Containment: Upon identifying an incident, the IRT will implement immediate actions to contain the breach. These actions include:
  - Isolating affected systems from the network to prevent further spread.
  - Disabling compromised user accounts or services.
  - Blocking malicious IP addresses or suspending compromised access points.
- Communication: Internal communication through Slack will be initiated immediately to inform all stakeholders of the incident and containment measures.
- Short-Term Containment: For critical services like the Eververse platform, temporary containment measures may include switching traffic to healthy instances, pausing deployments, or rolling back to a previous stable version.
5.3 Mitigation
- Forensic Investigation: Once the incident is contained, the IRT will analyze logs from various providers to determine the scope of the incident, its origin, and the type of attack.
- Elimination of Threat: The IRT will remove the root cause of the incident by applying security patches, eliminating malware, revoking compromised credentials, and closing exposed vulnerabilities.
- System Hardening: Security configurations will be reviewed and updated as needed to prevent similar incidents in the future (e.g., improving firewall rules, applying patches, or hardening access controls).
5.4 Recovery
- Restoration of Services: After mitigation, the IRT will restore all affected systems, ensuring that services are functional and secure. This may involve redeploying the Eververse platform using Vercel’s infrastructure and restoring data from database backups if necessary.
- Data Integrity Verification: The integrity of customer data will be verified using our database provider's point-in-time recovery capabilities, ensuring no data corruption or loss occurred.
- Monitoring Post-Incident: Enhanced monitoring will be implemented post-recovery to detect any lingering threats or further issues. All services will be under heightened observation for a set period to ensure stability.
5.5 Communication and Notification
- Internal Communication: The IRT will provide regular status updates to the executive team and relevant departments (e.g., Operations, Legal) throughout the incident.
- External Communication:
  - Customers: If customer data or service availability is affected, the Customer Support team will notify impacted customers via email and the Eververse status page (hosted on BetterStack).
  - Legal/Regulatory Bodies: If the breach involves sensitive data (e.g., personally identifiable information), legal and compliance teams will notify the appropriate regulatory authorities in accordance with GDPR, CCPA, or other relevant legislation.
5.6 Post-Incident Review
- Root Cause Analysis: The IRT will conduct a post-mortem analysis to identify the root cause of the incident, actions taken, and any gaps in the existing security measures.
- Report Generation: A detailed incident report will be created, documenting the timeline of the event, containment and recovery actions, and recommendations for improving the security posture.
- Lessons Learned: The IRT will meet to review the incident and implement lessons learned, including updating policies, processes, and training as necessary.
6. Incident Classification
Incidents will be classified based on their severity to determine the appropriate response:
| Severity Level | Description | Response Time | Escalation Path |
|---|---|---|---|
| Low | Minor incidents with no significant impact on operations | 24 hours | IRT |
| Medium | Incident affecting part of the system or customer service | 12 hours | IRT + Operations Team |
| High | Significant impact on operations, customer data, or service | 4 hours | IRT + Operations + Executive Team |
| Critical | Major security breach, including data exfiltration or ransomware | Immediate | IRT + Operations + Legal + Executive Team |
7. Third-Party Vendor Coordination
- Hosting Provider Support: In case of issues related to infrastructure hosting, the IRT will coordinate with the hosting provider's support to resolve outages or security concerns.
- Database Provider Support: For database incidents, the IRT will coordinate with the database provider's support to recover data or troubleshoot database security issues.
- Monitoring Provider Support: If monitoring, logging, or alerting services are compromised, the IRT will coordinate with the monitoring provider's support to restore full visibility of services and systems.
8. Training and Awareness
- Annual Incident Response Drills: The IRT will conduct incident response drills at a frequency determined by the IRT to ensure readiness and efficiency during real incidents.
- Employee Security Awareness Training: All relevant employees will receive ongoing security awareness training, covering phishing prevention, secure password management, and proper incident reporting protocols.
9. Maintenance and Review
- This Incident Response Plan must be reviewed and updated annually or whenever there is a significant change in infrastructure, business operations, or regulatory requirements.
- After each significant incident, the IRP will be updated to reflect new lessons learned and improve the response process.
10. Conclusion
This Incident Response Plan ensures that Eververse is prepared to effectively detect, contain, mitigate, and recover from security incidents. By maintaining a robust incident response process, Eververse can minimize the impact of incidents on its platform, customers, and data.
11. Contact Information
For any questions or clarifications regarding this Incident Response Plan, please contact us.