
Incident Response Policy

Torvus Security's procedures for detecting, responding to, and recovering from security incidents.


Incident Response Overview

Torvus Security maintains a comprehensive Incident Response Plan (IRP) to quickly detect, respond to, and recover from security incidents.

Incident Response Team

Security Incident Response Team (SIRT):

  • Incident Commander: Security lead, overall coordination
  • Technical Lead: Technical investigation and remediation
  • Communications Lead: Customer and regulatory communication
  • Legal Counsel: Legal implications and compliance
  • Executive Sponsor: C-level oversight and decision authority

24/7 Coverage:

  • On-call rotation for critical incidents
  • PagerDuty integration for automated alerting
  • Escalation procedures for off-hours incidents

Incident Classification

Severity Levels

Severity      | Description                              | Response Time      | Examples
P0 - Critical | Active data breach, service down         | Less than 15 min   | Database compromise, ransomware
P1 - High     | Potential breach, major security event   | Less than 1 hour   | Unauthorized access attempt, DDoS attack
P2 - Medium   | Security vulnerability, limited impact   | Less than 4 hours  | Vulnerability discovery, failed security control
P3 - Low      | Minor security event, no immediate risk  | Less than 24 hours | Phishing attempt, suspicious log entry

Incident Types

Data Breach:

  • Unauthorized access to customer data
  • Data exfiltration or theft
  • Accidental data exposure

Service Disruption:

  • Denial of Service (DoS/DDoS) attack
  • System outage due to security incident
  • Ransomware or destructive malware

Unauthorized Access:

  • Compromised user account
  • Insider threat
  • Privilege escalation

Compliance Violation:

  • GDPR violation
  • CCPA violation
  • SOC 2 control failure

Incident Response Process

Phase 1: Detection & Analysis

Detection Methods:

  • Automated security monitoring (SIEM, IDS/IPS)
  • Anomaly detection (machine learning)
  • User reports (security@torvussecurity.com)
  • Third-party notifications (HackerOne, security researchers)
  • Internal audits and reviews

Initial Analysis:

  1. Triage: Assess severity and impact
  2. Scope: Determine affected systems and data
  3. Timeline: Establish incident timeline
  4. Evidence: Preserve logs and forensic data
  5. Classification: Assign severity level

Response Time SLAs:

  • P0 (Critical): Detection to response <15 minutes
  • P1 (High): Detection to response <1 hour
  • P2 (Medium): Detection to response <4 hours
  • P3 (Low): Detection to response <24 hours

Phase 2: Containment

Short-Term Containment:

  • Isolate affected systems (network segmentation)
  • Disable compromised accounts
  • Block malicious IPs/domains
  • Preserve evidence (snapshots, logs)
  • Prevent lateral movement

Long-Term Containment:

  • Deploy patches and security updates
  • Implement additional monitoring
  • Rebuild compromised systems
  • Update security controls

Containment Checklist:

  • Isolate affected systems
  • Disable compromised credentials
  • Block attack vectors (IPs, domains, ports)
  • Preserve forensic evidence
  • Document all containment actions
  • Notify incident commander

Phase 3: Eradication

Remove Threat:

  • Delete malware and backdoors
  • Close the exploited vulnerabilities
  • Rebuild compromised systems from clean backups
  • Update security controls to prevent recurrence

Root Cause Analysis:

  • Identify how incident occurred
  • Determine initial access vector
  • Map attacker's timeline and actions
  • Identify gaps in security controls

Eradication Verification:

  • Scan for persistence mechanisms
  • Verify malware removal
  • Confirm vulnerability closure
  • Test security controls

Phase 4: Recovery

Service Restoration:

  • Restore systems from clean backups
  • Gradually bring systems online
  • Monitor for signs of reinfection
  • Verify functionality and data integrity

Verification:

  • Confirm threat eradicated
  • Test security controls
  • Monitor for 30 days post-incident
  • Validate customer data integrity

Recovery Checklist:

  • Restore from clean backups
  • Verify system integrity
  • Reset all credentials
  • Update security policies
  • Resume normal operations
  • Continue enhanced monitoring

Phase 5: Post-Incident Activity

Lessons Learned:

  • Conduct post-incident review (within 7 days)
  • Document incident timeline and response
  • Identify improvement opportunities
  • Update incident response procedures

Remediation:

  • Implement security improvements
  • Update runbooks and playbooks
  • Conduct security awareness training
  • Share lessons learned with team

Reporting:

  • Executive summary for leadership
  • Technical report for security team
  • Regulatory notifications (if required)
  • Customer communication (if affected)

Breach Notification

Regulatory Requirements

GDPR Breach Notification (EU Customers):

  • Timeframe: 72 hours from detection
  • Regulatory Authority: Notify local supervisory authority
  • Affected Individuals: Notify if high risk to rights and freedoms
  • Documentation: Detailed breach report

CCPA Breach Notification (California Residents):

  • Timeframe: Without unreasonable delay
  • Affected Individuals: Notify California residents
  • Attorney General: Notify if affecting 500+ residents
  • Content: Specific information required by law

State Data Breach Laws (US):

  • Varies by state (all 50 states have laws)
  • Generally require notification without unreasonable delay
  • Some states require specific timelines (e.g., 45 days)

Customer Notification

When We Notify:

  • Personal data accessed by unauthorized party
  • Data integrity compromised
  • High risk to customer rights and freedoms
  • Regulatory notification required

How We Notify:

  • Email to account owner (primary method)
  • In-app notification
  • Blog post (for widespread incidents)
  • Status page update (status.torvussecurity.com)

What We Include:

  • Nature of the breach
  • Data types affected
  • Number of affected individuals
  • Potential consequences
  • Actions we've taken
  • Recommended actions for customers
  • Contact information for questions

Sample Notification:

Subject: Security Incident Notification

Dear Torvus Customer,

We are writing to inform you of a security incident that may have affected your account.

What Happened:
On October 5, 2025, we detected unauthorized access to a database containing user email addresses and account metadata. The incident was contained within 2 hours of detection.

What Information Was Involved:
- Email addresses
- Account creation dates
- Vault names (not contents)

What Information Was NOT Involved:
- Passwords (hashed with bcrypt)
- Vault documents (encrypted and not accessed)
- Payment information (stored separately, not affected)

What We're Doing:
- Incident fully contained and threat eradicated
- Enhanced monitoring and security controls implemented
- Law enforcement and regulatory authorities notified
- Independent security audit underway

What You Should Do:
1. Reset your Torvus password immediately
2. Enable two-factor authentication (if not already enabled)
3. Monitor your account for unusual activity
4. Be alert for phishing attempts using your email

For Questions:
Contact our security team at security@torvussecurity.com or call our incident hotline at 1-800-XXX-XXXX.

We sincerely apologize for this incident and are committed to earning back your trust.

Torvus Security Team

Incident Response Playbooks

Playbook: Compromised Account

Detection:

  • Multiple failed login attempts from unusual location
  • Login from impossible travel (US then Russia in 1 hour)
  • Unusual vault access patterns

Response:

  1. Immediately suspend account
  2. Force logout all sessions
  3. Notify account owner via verified channel (phone/SMS)
  4. Analyze login history and access logs
  5. If confirmed unauthorized: reset password, rotate API keys
  6. Investigate potentially exfiltrated data
  7. Monitor for 30 days post-incident
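The two detection signals in this playbook (impossible travel and a burst of failed logins from an unusual location) as an added example, not code from the Torvus policy: a Python check run over constructed login events. The 1000 km/h speed ceiling, the 3-failure threshold and the 10-minute window are assumed tuning values, not figures from the policy.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Torvus logs): user, ISO time, outcome, lat, lon, country
EVENTS = [
    ("alice", "2025-10-05T09:00:00", "success", 38.90, -77.04, "US"),   # Washington, DC
    ("alice", "2025-10-05T09:45:00", "success", 55.75, 37.62, "RU"),    # Moscow, 45 min later
    ("carol", "2025-10-05T11:00:00", "success", 37.77, -122.42, "US"),  # San Francisco
    ("carol", "2025-10-05T11:02:00", "failure", 37.77, -122.42, "US"),  # typo from a known country
    ("carol", "2025-10-05T11:05:00", "failure", -23.55, -46.63, "BR"),  # burst from a country carol
    ("carol", "2025-10-05T11:06:00", "failure", -23.55, -46.63, "BR"),  # has never logged in from
    ("carol", "2025-10-05T11:07:00", "failure", -23.55, -46.63, "BR"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km between two latitude/longitude points
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=1000.0):
    # Flag users whose consecutive successful logins imply a speed above max_kmh (assumed ceiling)
    flagged, last = [], {}
    for user, ts, outcome, lat, lon, _ in sorted(events, key=lambda e: e[1]):
        if outcome != "success":
            continue
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                flagged.append((user, round(km), round(km / hours)))
        last[user] = (t, lat, lon)
    return flagged

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    # >= threshold failures within `window` from a country with no prior successful login (assumed tuning)
    known = {(u, c) for u, _, o, _, _, c in events if o == "success"}
    fails, flagged = defaultdict(list), set()
    for user, ts, outcome, _, _, country in sorted(events, key=lambda e: e[1]):
        if outcome != "failure" or (user, country) in known:
            continue
        t = datetime.fromisoformat(ts)
        fails[user] = [x for x in fails[user] if t - x <= window] + [t]
        if len(fails[user]) >= threshold:
            flagged.add(user)
    return sorted(flagged)
```

Both checks return the users to route into steps 1 to 4 of the response above; the failed-login check deliberately ignores failures from countries the user has logged in from before, so a single typo at home does not page anyone.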

Playbook: Data Breach

Detection:

  • Unauthorized database access
  • Large data export detected
  • Data found on dark web

Response:

  1. Immediately isolate affected systems
  2. Identify scope (what data, how many users)
  3. Preserve forensic evidence
  4. Eradicate threat (patch vulnerability, remove backdoors)
  5. Notify SIRT and executive team
  6. Determine regulatory obligations (GDPR, CCPA, etc.)
  7. Prepare customer notification
  8. Notify regulators within required timeframe
  9. Offer credit monitoring (if applicable)
  10. Conduct post-incident review and remediation

Playbook: DDoS Attack

Detection:

  • Sudden spike in traffic
  • Service degradation or unavailability
  • Cloudflare DDoS alerts

Response:

  1. Activate DDoS mitigation (Cloudflare)
  2. Analyze attack vector (HTTP flood, SYN flood, etc.)
  3. Implement rate limiting and blocking rules
  4. Scale infrastructure if needed
  5. Communicate with customers via status page
  6. Monitor attack duration and effectiveness of mitigation
  7. Post-incident analysis and DDoS defense improvements

Playbook: Malware/Ransomware

Detection:

  • Antivirus alert
  • Unusual file encryption activity
  • Ransom note discovered

Response:

  1. Immediately isolate infected systems (network disconnect)
  2. DO NOT pay ransom (Torvus policy)
  3. Identify malware variant and infection vector
  4. Assess backup integrity and recency
  5. Eradicate malware from all systems
  6. Restore from clean backups
  7. Patch vulnerability that allowed infection
  8. Monitor for reinfection (30 days)
  9. Report to law enforcement (FBI Internet Crime Complaint Center)

Communication Plan

Internal Communication

Incident Alert:

  • PagerDuty notification to on-call engineer
  • Slack incident channel creation (#incident-YYYY-MM-DD)
  • Executive notification (for P0/P1 incidents)

Status Updates:

  • Hourly updates during active incident
  • Daily updates during recovery phase
  • All-hands briefing post-incident

External Communication

Customer Communication:

  • Initial notification (as soon as scope determined)
  • Regular updates during incident (every 4 hours for P0/P1)
  • All-clear notification when resolved
  • Post-incident summary (within 7 days)

Regulatory Communication:

  • GDPR notification within 72 hours (if applicable)
  • CCPA notification without unreasonable delay
  • State-specific breach notifications as required

Public Communication:

  • Status page updates (status.torvussecurity.com)
  • Blog post for significant incidents
  • Media statement (if high-profile incident)

Testing & Training

Incident Response Drills

Quarterly Tabletop Exercises:

  • Simulated security incident scenarios
  • Test communication and escalation procedures
  • Identify gaps in response plans

Annual Red Team Exercise:

  • Authorized simulated attack
  • Test detection and response capabilities
  • Measure response time SLAs

Training

All Employees:

  • Annual security awareness training
  • Phishing simulation tests (quarterly)
  • Incident reporting procedures

SIRT Members:

  • Quarterly incident response training
  • Industry conference attendance
  • Certification maintenance (GCIH, GCFA, CISSP)

Contact Information

Report a Security Incident

Email: security@torvussecurity.com
Phone: 1-800-XXX-XXXX (24/7 incident hotline)
Emergency: Contact your customer success manager

PGP Public Key (for encrypted communication):

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP Key would be here]
-----END PGP PUBLIC KEY BLOCK-----


Last Updated: October 8, 2025