
ManoByte, Inc. Incident Response Plan (IRP)

1. Purpose

The purpose of this Incident Response Plan is to provide a structured approach for detecting, responding to, and recovering from security incidents involving ManoByte’s individual devices (e.g., laptops, desktops) and access to cloud-based systems and services, including login credentials.

2. Scope

This plan applies to all employees, contractors, and third-party vendors who use ManoByte’s systems and have access to company devices, cloud environments, or external platforms such as HubSpot, Google Workspace, and 1Password.

3. Incident Response Phases

3.1 Preparation

  • Security Tools: Ensure that all company-issued devices have antivirus, firewalls, and other security software in place. Multifactor authentication (MFA) should be enabled for all cloud-based accounts.
  • Employee Training: Provide regular training on recognizing phishing attempts, securing login credentials, and reporting suspicious activities.
  • Backup Protocols: Regularly back up important files stored on individual computers or in cloud services to ensure data recovery in the event of a breach.

3.2 Identification

  • Monitoring: Monitor for signs of suspicious login attempts, unauthorized access to cloud accounts, and unusual activity on company devices (e.g., unexpected software installations or abnormal system behavior).
  • Incident Reporting: Employees must immediately report any suspicious activity, such as unexpected login alerts, phishing emails, or abnormal system behavior.
  • Indicators of Compromise (IoCs): Common signs of system breaches include:
    • Unauthorized access attempts or logins from unknown locations.
    • Unfamiliar activity in cloud accounts (e.g., file modifications or deletions).
    • Suspicious network traffic or large volumes of data being transferred unexpectedly.

3.3 Containment

  • Immediate Containment:
    • For individual devices: Disconnect the affected computer from the network to prevent further compromise.
    • For cloud-based accounts: Immediately reset the affected account’s passwords and revoke any unauthorized access or API tokens.
    • Temporarily disable affected accounts if needed, until the issue is fully investigated.
  • Short-Term Containment:
    • Ensure that MFA is enabled for all accounts, and force logouts from all devices where applicable.
    • Apply any security patches or fixes necessary to address vulnerabilities.

3.4 Eradication

  • Identify Root Cause: Determine whether the breach was caused by phishing, weak passwords, or a compromised device.
  • Cleanup:
    • For compromised devices: Run a full virus scan and remove any malware or suspicious software.
    • For compromised accounts: Audit account activity and revoke access to any unauthorized devices or users.
  • Security Patch: Ensure any software or security updates are applied to prevent the breach from recurring.

3.5 Recovery

  • Password Reset and Access Review: Reset passwords for all compromised accounts and review access controls to ensure that only authorized users can access cloud systems and data.
  • Monitor for Recurrence: Continue to monitor account logins and device activity for signs of further compromise.
  • Restoration: Restore any deleted or compromised files from backups and ensure that all systems are functioning securely before returning to normal operation.

3.6 Lessons Learned

  • Post-Incident Review: Conduct a review to determine the effectiveness of the response and whether there are any gaps in security practices or employee training.
  • Documentation: Record all steps taken during the incident, including identification, containment, eradication, and recovery.

4. Roles and Responsibilities

  • Incident Response Lead: The designated person (e.g., IT or Security Lead) responsible for managing the response and coordinating containment and recovery actions.
  • IT Support: Executes containment actions, such as isolating compromised devices and resetting passwords.
  • Employee Responsibility: All employees are required to report suspicious emails, login attempts, or other signs of account compromise.
  • VP of Solutions: Responsible for overseeing escalated incidents, particularly if the breach affects multiple systems or clients.

5. Client and Regulatory Notifications

  • Client Notifications: If a breach affects client systems or data (e.g., through compromised access to cloud-based services like HubSpot), clients must be informed promptly. Notifications will include:
    • A description of the incident.
    • Steps taken to resolve the issue and mitigate future risk.
    • Any recommended actions for the client (e.g., resetting passwords, monitoring accounts).
  • Regulatory Notifications: If required by law (e.g., GDPR, CCPA, FIPA), report the breach to relevant authorities within the required timeframe (e.g., 72 hours for GDPR).

6. Incident Documentation and Reporting

  • Incident Log: Record all security incidents, including the time and nature of the breach, containment steps, and resolution.
  • Reports: A final report will be compiled after resolving the breach, outlining the root cause, containment, and recovery actions taken, along with recommendations for improving security measures.

7. Review and Update

  • Annual Review: This plan will be reviewed annually to ensure it remains effective and relevant to any changes in technology or security threats.