Incident Response Plan Policy

Version1.0.3 Last Updated2023-10-16 APPROVED

1. Overview

The Incident Response Plan Policy provides a framework for the InfoSec team and business units at AccuCode AI Inc. to collaborate effectively in managing and responding to security incidents. This policy ensures that when a security vulnerability is identified or exploited, the organization can swiftly mitigate and remediate the issue. The Incident Response Plan (IRP) defines the product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines.

2. Purpose

The purpose of this policy is to establish the requirement for all business units supported by the InfoSec team to develop and maintain an Incident Response Plan. This ensures that the security incident management team has all the necessary information to formulate a successful response when a specific security incident occurs.

3. Scope

This policy applies to all established and defined business units or entities within AccuCode AI Inc.

4. Policy

The development, implementation, and execution of an Incident Response Plan (IRP) are the primary responsibility of the specific business unit for which the IRP is being developed, in cooperation with the InfoSec team. Business units are expected to properly facilitate the IRP for services or products they are accountable for. The business unit security coordinator or champion is further expected to work with the InfoSec team in the development and maintenance of the Incident Response Plan.

4.1 Service or Product Description

The product description in an IRP must clearly define the service or application to be deployed, with additional attention to data flows, logical diagrams, and architecture, which are considered highly useful.

4.2 Contact Information

The IRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact on customers. The IRP document must include all phone numbers and email addresses for the dedicated team member(s).

4.3 Triage

The IRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.

4.4 Identified Mitigations and Testing

The IRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations and the remediation process.

4.5 Mitigation and Remediation Timelines

The IRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumers, brand, and company. These response guidelines should be carefully mapped to the level of severity determined for the reported vulnerability.

5. Policy Compliance

5.1 Compliance Measurement

Each business unit must be able to demonstrate they have a written IRP in place, and that it is under version control and available via the web. The policy should be reviewed annually.

5.2 Exceptions

Any exception to this policy must be approved by the InfoSec team in advance and have a written record.

5.3 Non-Compliance

Any business unit found to have violated this policy (no IRP developed prior to service or product deployment) may be subject to delays in service or product release until such a time as the IRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an IRP.