johan
/
dealspace
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dealspace/docs/soc2/incident-response-plan.md

7.1 KiB
Raw Permalink Blame History

Incident Response Plan

Version: 1.0 Effective: February 2026 Owner: Johan Jongsma Review: Annually

1. Purpose

Define procedures for detecting, responding to, and recovering from security incidents affecting Dealspace systems or deal data.

2. Scope

All Dealspace systems:

  • Production (muskepo.com / 82.24.174.112)
  • Deal data (financial documents, transaction details, participant information)

3. Incident Classification

Severity Definition Response Time Examples
Critical Active breach, data exfiltration, system compromise Immediate (< 1 hour) Unauthorized deal data access, ransomware, credential theft
High Potential breach, service outage, vulnerability exploited < 4 hours Failed intrusion attempt, DDoS, authentication bypass
Medium Suspicious activity, policy violation < 24 hours Unusual access patterns, failed login spikes
Low Minor issue, no data at risk < 72 hours Reconnaissance scans, policy clarification needed

4. Contact Information

Primary Contact

Role Name Email Phone
Incident Commander Johan Jongsma security@muskepo.com Signal: +31 XXX

External Contacts

Service Contact
Legal Counsel To be established
Cyber Insurance To be established
Law Enforcement Local police non-emergency

Notification Addresses

Purpose Address
Security incidents security@muskepo.com
Client support support@muskepo.com

5. Detection

Automated Detection

  • Rate limiting: Flags excessive requests
  • Access logging: All data access logged
  • Anomaly detection: Unusual access patterns flagged
  • Authentication monitoring: Failed login tracking

Manual Detection

  • Client reports of unauthorized access
  • Unexpected system behavior
  • External notification (security researcher, vendor)

Indicators of Compromise

  • Unexpected admin access or privilege escalation
  • Unusual database queries or data exports
  • New or modified files outside deployment
  • Outbound connections to unknown hosts
  • Authentication anomalies

6. Response Procedures

Phase 1: Identification (0-30 minutes)

  1. Acknowledge alert - Confirm incident is real, not false positive
  2. Classify severity - Use classification table above
  3. Document - Start incident log with timestamp, initial observations
  4. Assess scope - What systems/deal data potentially affected

Phase 2: Containment (30 min - 2 hours)

Immediate containment:

# Block suspicious IP
sudo ufw deny from <IP>

# If compromise confirmed, consider service isolation
ssh root@82.24.174.112 "systemctl stop dealspace"

# Preserve logs before any changes
ssh root@82.24.174.112 "cp -r /var/log /opt/dealspace/incident-$(date +%Y%m%d)/"

Short-term containment:

  • Preserve evidence (copy logs before rotation)
  • Identify scope (what deals/data affected)
  • Prevent lateral movement

Phase 3: Eradication (2-24 hours)

  1. Identify root cause - How did attacker get in?
  2. Remove threat - Malware, backdoors, unauthorized accounts
  3. Patch vulnerability - Fix the entry point
  4. Verify clean - Confirm no persistence mechanisms

Phase 4: Recovery (24-72 hours)

  1. Restore from backup if needed (see Disaster Recovery Plan)
  2. Verify integrity - Check data hasn't been modified
  3. Monitor closely - Watch for re-compromise
  4. Gradual restoration - Bring services back incrementally

Phase 5: Lessons Learned (1-2 weeks post-incident)

  1. Post-mortem - What happened, timeline, decisions made
  2. Update documentation - Improve detection/response
  3. Implement improvements - Technical and procedural changes
  4. Final report - Document for compliance records

7. Communication

Internal Communication

  • Document all decisions with timestamps
  • Keep incident log updated
  • Use secure communication channels

External Communication

To affected clients (if deal data breach confirmed):

  • Notify within 72 hours (GDPR requirement)
  • Include: What happened, what data affected, what we're doing, what they should do
  • Template in Appendix A

To regulators (if required):

  • GDPR: Supervisory authority within 72 hours
  • FADP: Swiss DPA notification as required

8. Evidence Preservation

Preserve immediately:

  • System logs
  • Database state (backup)
  • Network traffic captures (if available)
  • Screenshots of anomalies

Chain of custody:

  • Document who accessed evidence and when
  • Store copies in secure, separate location
  • Hash files to prove integrity: sha256sum <file>

9. Specific Scenarios

Scenario: Unauthorized Deal Data Access

  1. Identify which project(s) accessed
  2. Check audit logs for access scope
  3. Determine if data was exfiltrated
  4. Notify affected clients within 72 hours
  5. Document for compliance

Scenario: Ransomware

  1. Immediately isolate affected systems (network disconnect)
  2. Do NOT pay ransom
  3. Assess backup integrity
  4. Restore from clean backup
  5. Report to law enforcement

Scenario: DDoS Attack

  1. Enable additional rate limiting
  2. Block attacking IP ranges via UFW
  3. Contact Hostkey if upstream filtering needed
  4. Document attack characteristics

Scenario: Vulnerability Disclosure

  1. Acknowledge receipt to researcher within 24 hours
  2. Validate the vulnerability
  3. Develop and test fix
  4. Deploy fix
  5. Thank researcher, coordinate disclosure timing

10. Recovery Time Objectives

Scenario RTO RPO
Hardware failure 4 hours 24 hours
Data corruption 2 hours 24 hours
Security breach 24 hours 0 (no data loss acceptable)
Complete site loss 48 hours 24 hours

Appendix A: Client Notification Template

Subject: Security Notice from Dealspace

Dear [Client],

We are writing to inform you of a security incident that may have affected
data associated with your organization on the Dealspace platform.

WHAT HAPPENED
[Brief description of incident and date discovered]

WHAT INFORMATION WAS INVOLVED
[Types of data potentially affected - e.g., deal documents, participant info]

WHAT WE ARE DOING
[Steps taken to address the incident and prevent recurrence]

WHAT YOU CAN DO
[Recommended actions - e.g., notify deal participants, review access logs]

FOR MORE INFORMATION
Contact us at security@muskepo.com if you have questions.

We sincerely apologize for any concern this may cause.

Johan Jongsma
Founder, Dealspace

Appendix B: Incident Log Template

INCIDENT ID: INC-YYYY-MM-DD-001
SEVERITY: [Critical/High/Medium/Low]
STATUS: [Active/Contained/Resolved]

TIMELINE
- YYYY-MM-DD HH:MM - Initial detection
- YYYY-MM-DD HH:MM - [Action taken]
- YYYY-MM-DD HH:MM - [Action taken]

DESCRIPTION
[What happened]

AFFECTED SYSTEMS
[List systems]

AFFECTED DATA
[Description of data, deals/clients if known]

ROOT CAUSE
[How it happened]

RESOLUTION
[How it was fixed]

LESSONS LEARNED
[Improvements identified]

REPORTED BY: [Name]
RESOLVED BY: [Name]

Document end