Incident Response Plan & Policies
This section offers guidance for Team Members and Incident Responders who believe they have discovered or are responding to a security incident.
Escalation
- Submit a security-related ticket with severity to the WeSalute Help Center.
- Email WeSalute Security at security@wesalute.com or message #it-security-compliance on Slack.
- Include as many specifics and details as you can.
Severity
| Severity Level | Description | Examples | Remediation |
|---|---|---|---|
| Low or Medium Severity | Most issues fall under this category. These do not require someone to be paged or woken up in the middle of the night. | Suspicious emails, outages, strange activity on a workstation | submit a security-related ticket with severity to the WeSalute Help Center |
| High Severity | These are problems where an adversary or active exploitation hasn’t been proven yet, and an attack may not have happened but is likely to happen. | Backdoors, malware, malicious access of business data (e.g. passwords, payment information, vulnerability data, etc.) | submit a security-related ticket with severity to the WeSalute Help Center, ping #it-security-compliance on Slack, email WeSalute Security at security@wesalute.com |
| Critical Severity | The attackers were successful, and something was lost. | User data on the dark web | email to security@wesalute.com, @channel notification to #it-security-compliance on Slack |
Internal Issues
When the malicious actor is an employee, contractor, vendor, or partner, please contact the WeSalute Security Team directly. Do not discuss the issue with other employees.
Compromised Communications
If IT communications are at risk (e.g. company phones, laptops, or email accounts are compromised), the team will announce an out-of-band communication channel based on voice phone calls, starting with a conference line.
Response Steps
For critical issues, the response team will follow an iterative response process designed to investigate, contain the exploitation, remediate the vulnerability, and write post-mortem and lessons-learned documents.
- The WeSalute Security Team should determine whether a lawyer should be involved under attorney-client privilege. WeSalute LegalOps will be contacted for advice.
- A "War Room" will be designated.
- The following meeting will take place at regular intervals, starting with twice per day, until the incident is resolved.
Response Meeting - Agenda
- Update the Breach Timeline with all known data related to the incident. The timeline should detail what you're sure the attacker did, and at what times.
- Review new Indicators of Compromise with the entire group. Indicators of Compromise are anything you know belongs to the attacker:
  - IP address that sent data
  - compromised account(s)
  - malicious file(s) used to spear phish, etc.
- Add new data (knowns and unknowns) to the Investigative Q&A, which is a list of questions to which, if you had answers, you'd understand everything the attacker did.
- Update the list of Emergency Mitigations:
  - passwords to be reset
  - workstations to be wiped
  - IPs to be banned, etc.
- Long Term Mitigations (including Root Cause Analysis): record everything you'll start doing so this crisis doesn't happen again.
- Everything Else: communications, legal issues, blog posts, status pages, etc.
External Resources
- Fleishman Hillard: 1-212-453-2000
- IRS Identity Protection Specialized Unit: 1-800-908-4490
- FBI San Francisco Office: 1-415-553-7400
Required Retrospective
All incidents classified as "High" or above require a retrospective meeting and a "lessons learned" document.
Follow-ups must be completed
All incidents classified as "High" or above require follow-ups to be tasked in a task tracker and completed within a pre-defined time period.
Policy Review, Disciplinary, & Responsibility
Disciplinary Action
Team Members who violate this policy may face disciplinary consequences in proportion to their violation. WeSalute ExecutiveOps will determine how serious a Team Member's offense is and take the appropriate actions.
Responsibility
The WeSalute Security Team is responsible for ensuring this policy is followed.
This policy currently does not include the policy footer content that is standard on WeSalute Policies. This may be intentional, given the nature of the content.