A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as provides a coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines the product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines.
The purpose of such a policy would be to establish the requirement that all business units supported by the ISMS Committee develop and maintain a security response plan. This ensures that ISMS Committee have all the necessary information to formulate a successful response should a specific security incident occur.
This policy applies where a client requires an SRP to be included in their contract when dealing with Infinity Works.
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific client for whom the SRP is being developed in cooperation with the ISMS Committee. The Infinity Works Account Lead or Principal Consultant assigned to the client is expected to properly facilitate any required SRP applicable to the service or products they are held accountable for. The Infinity Works Account Lead or Technical Lead or Principal Consultant is further expected to work with the ISMS Committee in the development and maintenance of a required Security Response Plan.
The product description in an SRP must clearly define the service or application to be deployed with additional attention to data flows, logical diagrams, architecture considered highly useful.
The SRP must include contact information for dedicated team members to be available, if contractually agreed with the client, during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customer. The SRP document or Service agreement must include all phone numbers and email addresses for the dedicated team member(s).
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.
Each client is expected to have contact details of the Infinity Works Account Lead or Technical Lead or Principal Consulant.
Any exception to this policy must be approved by the ISMS Committee in advance and have a written record.
Details of non compliance should be referenced in the agreed Master Service Agreement with the relevant client.
None
None