Incident Response Plan

Purpose

Define how Perfect Wiki detects, triages, contains, eradicates, recovers from, and learns from security and availability incidents.

Scope

Any actual or suspected event that could compromise the confidentiality, integrity, or availability of Perfect Wiki systems or customer data, including data breaches, account compromise, denial of service, vendor incidents, and material service degradations.

Severity levels

  • SEV1 (Critical): Confirmed data breach, full outage, or active attack. Immediate response, all hands.
  • SEV2 (High): Partial outage, suspected breach, exploitable vulnerability discovered. Response within 1 hour.
  • SEV3 (Medium): Degraded performance, low-severity vulnerability, vendor advisory affecting us. Response within 1 business day.
  • SEV4 (Low): Single-user issue, informational alert. Response within 5 business days.

Process

  1. Detection. Alerts arrive from Sentry, cron-job check-ins, the status-page monitor, customer reports to [email protected], or vendor advisories.
  2. Triage. The CEO/CTO (incident commander by default) assigns a severity and creates an incident record (date, timeline, scope, impact, actions).
  3. Containment. Affected credentials are revoked, affected accounts disabled, affected components isolated, and exploit vectors blocked at the edge (Cloudflare) as appropriate.
  4. Eradication. Root cause is identified and fixed; patches are deployed; backdoors and unauthorized accounts are removed.
  5. Recovery. Affected systems are restored, integrity is verified, and monitoring is increased for a defined observation period.
  6. Notification. Affected customers are notified per the "Customer notification" section below. Regulators are notified within statutory deadlines (e.g., GDPR: the supervisory authority within 72 hours of becoming aware of a personal data breach).
  7. Post-incident review. Within 5 business days of resolution for SEV1/SEV2, a written post-mortem is produced (timeline, root cause, customer impact, corrective actions).

Customer notification

  • Confirmed personal-data breaches affecting a customer are communicated by email to the customer's admin contact without undue delay and in any case within 72 hours of confirmation, subject to law-enforcement constraints.
  • Material service incidents are posted on the status page in near real time.

Roles & responsibilities

  • Incident Commander (CEO/CTO): Leads response and decides on customer/regulator notifications.
  • All personnel: Report suspected incidents immediately to [email protected].

Testing

This plan is exercised at least annually via a tabletop scenario and updated based on lessons learned.

Review cadence

Reviewed annually and after every SEV1 or SEV2 incident.
