Incident Response
Onesurance maintains a 24/7 incident response process to rapidly detect, contain and resolve security incidents. Our Incident Response Team operates under the leadership of the Data Protection Officer and follows a structured 6-step process.
Incident Response at a Glance
- 24/7 availability — Continuous monitoring and response, around the clock
- <1 hour P1 response time — Critical incidents addressed within 1 hour
- 6-step process — From detection to closure, fully documented
- IRT led by DPO — Incident Response Team directed by the Data Protection Officer
Incident Response Process
Our incident response process consists of six clearly defined phases. Every security incident progresses through these phases to ensure rapid, effective and documented resolution. The Incident Response Team (IRT) is activated for every confirmed incident and operates under the leadership of the Data Protection Officer.
6-Step Incident Response Process
Step 1: Detection. Incidents are detected through multiple channels and escalated immediately.
- 24/7 automated monitoring — Azure Security Center, SIEM and anomaly detection run continuously
- Reporting channels — Employees, clients and third parties can report incidents via phone, email or the internal ticketing system
- FOR P1 CALL FIRST — When a critical incident (P1) is suspected, always contact the DPO by phone first, then follow up in writing
Step 2: Assessment. Every reported incident is assessed for severity and impact by the designated coordinator.
- Incident coordinator — The DPO or designated deputy assumes coordination
- Severity classification — Incidents are classified as P1 (Critical), P2 (High), P3 (Medium) or P4 (Low)
- IRT activation — For P1 and P2 incidents, the full Incident Response Team is activated
Step 3: Containment. Immediate measures to limit damage and prevent further propagation.
- Firewall rules — Block suspicious traffic and attack vectors through firewall adjustments
- Isolation — Affected systems are isolated from the network to prevent lateral movement
- Preserve logs — All relevant logs and evidence are secured for forensic investigation
Step 4: Investigation. In-depth investigation into the cause, scope and impact of the incident.
- Root cause analysis — Determine the underlying cause of the incident
- Attack methodology — Identification of the attack technique and vector used
- Timeline — Reconstruction of the full incident timeline, from initial compromise to detection
Step 5: Recovery. Systems are restored to a secure, operational state.
- Patching — Vulnerabilities are patched and security updates applied
- Malware removal — Removal of malicious software and backdoors
- Clean backups — Restoration from verified, clean backups
- Reset credentials — All potentially compromised passwords and keys are reset
- 48-hour monitoring — After recovery, systems are intensively monitored for at least 48 hours for recurring activity
Step 6: Closure. The incident is formally closed and all lessons are documented.
- Incident report — Complete report with timeline, impact, root cause and measures taken
- Lessons learned — Evaluation session with the IRT to identify areas for improvement
- Procedure updates — Updates to procedures, policies and technical controls based on findings
Severity Levels & Response Times
Every incident is classified based on severity and impact. The classification determines the response time, escalation level and available resources.
| Level | Response Time | Resolution Time | Examples | Escalation |
|---|---|---|---|---|
| Critical P1 | <1 hour | <48 hours | Active data breach, ransomware attack, full system compromise | Phone immediately — DPO + executive team |
| High P2 | <4 hours | <72 hours | Potential data breach, unauthorised access to production systems | Phone + email — DPO |
| Medium P3 | <1 business day | <20 business days | Suspicious activity, phishing attempt in which a user clicked, production vulnerability | Email — DPO |
| Low P4 | Scheduled | <3 months | Failed login attempts, blocked malware, informational security alerts | Ticketing system |
Incident Response Contacts
In the event of a security incident, please contact the individuals listed below. For a P1 incident, always reach out by phone first.
Data Protection Officer
Menno Kooistra
Email: dpo@onesurance.ai
Primary contact
Testing & Exercises
The incident response plan is tested regularly to ensure effectiveness and keep the team well-prepared.
Annual Tabletop Exercises
At least once per year, the IRT conducts a tabletop exercise. A realistic incident scenario is walked through without actual system impact, to validate decision-making and communication processes.
Scenario Testing
Specific scenarios such as ransomware, data breach and insider threat are simulated. After each exercise, findings are documented and the incident response plan is updated accordingly.
SECURITY INCIDENT EMERGENCY?
In case of an active security incident, contact us by phone immediately:
Data Protection Officer — Menno Kooistra
Email: dpo@onesurance.ai
Questions about Incident Response?
Our Data Protection Officer is happy to assist with questions about our incident response process, security notifications or escalation procedures.