# Incident Response Guide
Comprehensive guide to developing and implementing an incident response plan, including procedures, templates, and regulatory requirements for South African organizations.
## Incident Response Phases
### Preparation
- Develop incident response policy
- Establish incident response team
- Conduct tabletop exercises
- Implement monitoring tools
### Identification
- Detect security incidents
- Analyze logs and alerts
- Classify incident severity
- Document initial findings
### Containment
- Short-term containment
- Long-term containment
- Isolate affected systems
- Preserve evidence
### Eradication
- Remove malware/rootkits
- Patch vulnerabilities
- Update security controls
- Validate system integrity
### Recovery
- Restore systems/services
- Monitor for re-infection
- Validate recovery
- Communicate with stakeholders
### Lessons Learned
- Conduct post-incident review
- Update IR plan
- Improve defenses
- Train staff
## Regulatory Requirements
| Regulation | Requirement | Deadline | Penalty |
|---|---|---|---|
| POPIA | Notify regulator and data subjects of breaches | Within 72 hours | R10M or 10 years imprisonment |
| Cybercrimes Act | Preserve data for law enforcement | Upon request (90 days) | Criminal prosecution |
| SARB Guidance | Report incidents to SARB (financial sector) | Within 24 hours | Regulatory action |
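As an added example (not part of this guide), a small Python deadline tracker that turns the table above into due times for a given incident, so the IR team can see which reporting and preservation clocks are running and which have already expired. The windows are the ones listed in the table; the trigger conditions (personal information compromised, financial-sector entity, a law-enforcement preservation request) are illustrative assumptions, not legal advice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Windows come from the regulatory table in this guide; the trigger conditions
# (which incident attributes make each obligation apply) are illustrative
# assumptions, not legal advice.
@dataclass(frozen=True)
class Incident:
    detected_at: datetime
    personal_info_compromised: bool = False              # assumed POPIA trigger
    financial_sector: bool = False                       # assumed SARB trigger
    preservation_requested_at: Optional[datetime] = None # Cybercrimes Act request

@dataclass(frozen=True)
class Obligation:
    regulation: str
    action: str
    due_at: datetime

def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (all deadline maths is done in UTC)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def obligations_for(inc: Incident) -> List[Obligation]:
    """Every applicable obligation with its due time, soonest first."""
    found = []
    if inc.financial_sector:
        found.append(Obligation("SARB Guidance", "Report incident to SARB",
                                inc.detected_at + timedelta(hours=24)))
    if inc.personal_info_compromised:
        found.append(Obligation("POPIA", "Notify regulator and data subjects",
                                inc.detected_at + timedelta(hours=72)))
    if inc.preservation_requested_at is not None:
        # The 90-day clock starts at the law-enforcement request, not at detection.
        found.append(Obligation("Cybercrimes Act", "Preserve data for law enforcement",
                                inc.preservation_requested_at + timedelta(days=90)))
    return sorted(found, key=lambda o: o.due_at)

def status_report(inc: Incident, now: datetime) -> List[dict]:
    """Per obligation: hours left (negative when overdue) and an overdue flag."""
    report = []
    for o in obligations_for(inc):
        hours_left = (o.due_at - now).total_seconds() / 3600
        report.append({"regulation": o.regulation, "action": o.action,
                       "due_at": o.due_at.isoformat(),
                       "hours_left": round(hours_left, 1),
                       "overdue": hours_left < 0})
    return report
```

Run `status_report` from the incident record at each IR stand-up so a missed 24-hour SARB window is surfaced before the 72-hour POPIA clock also runs out.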
