TRUST CENTER - INCIDENT RESPONSE

Incident Response Procedures
Last updated: December 2024

Our Commitment

At Onesurance, we recognize that security incidents can happen despite the best preventive measures. That is why we have a comprehensive incident response program that ensures we can respond quickly, effectively, and transparently to any security incident. Our goal is to minimize the impact, recover quickly, and learn from every incident.

Incident Response Team (IRT)

Team Structure

Incident Response Manager

  • Role: Overall responsible for incident response

  • Responsibilities: Coordination, decision-making, escalation

  • Availability: 24/7 via phone and email

Security Lead

  • Role: Technical management during security incidents

  • Responsibilities: Technical analysis, containment, eradication

  • Expertise: Security tools, forensics, threat intelligence

Technical Operations

  • Role: System and infrastructure support

  • Responsibilities: System access, configuration changes, recovery

  • Team: On-call rotation, 24/7 availability

Communications Lead

  • Role: Internal and external communication

  • Responsibilities: Stakeholder updates, customer communication, regulatory notification

  • Collaboration with: Legal, management, PR

Legal/Compliance

  • Role: Legal and compliance aspects

  • Responsibilities: Regulatory obligations, contractual requirements, legal implications

  • Contact person: Data Protection Officer (DPO)

Management/Executive

  • Role: Strategic oversight and decision-making

  • Responsibilities: Resource allocation, policy decisions, external escalation

  • Involvement: In P1 (Critical) incidents

Training & Preparedness
• Quarterly tabletop exercises: Scenario-based incident response drills
• Annual full-scale exercise: Full IR simulation with all teams
• Role-specific training: Dedicated training per IR role
• Runbook reviews: Regular updates of procedures
• Post-incident reviews: Lessons learned after each incident

Incident Classification

Severity Levels

P1 - Critical

  • Definition: Complete service outage, data breach, ransomware

  • Impact: All or multiple customers affected, high risk

  • Response time: Immediate (within 15 minutes)

  • Escalation: Directly to management and executive team

  • Communication: Hourly updates, external communication possible

P2 - High

  • Definition: Significant degradation, unauthorized access attempts

  • Impact: Multiple customers or critical functionality affected

  • Response time: Within 1 hour

  • Escalation: To IR Manager, possibly to management

  • Communication: Updates every 4 hours

P3 - Medium

  • Definition: Limited degradation, policy violations, suspicious activity

  • Impact: Some customers or non-critical features affected

  • Response time: Within 4 hours

  • Escalation: Inform IR team, management

  • Communication: Daily updates

P4 - Low

  • Definition: Minor issues, informational security events

  • Impact: No significant impact on customers or services

  • Response time: Within 1 business day

  • Escalation: Not required, unless pattern

  • Communication: Weekly summary reports

Incident Types

Security Incidents

  • Data breach / unauthorized access

  • Malware / ransomware

  • DDoS attacks

  • Exploitation of vulnerabilities

  • Insider threats

  • Social engineering

Operational Incidents

  • Service interruptions

  • Performance degradation

  • Configuration errors

  • Hardware failures

  • Network issues

Compliance Incidents

  • Privacy violations

  • Policy non-compliance

  • Regulatory violations

  • Breaches of contract

Incident Response Process

6-Step Framework

1. Preparation
Constant state of readiness:
• Incident response plan up-to-date
• Tools and resources available
• Team trained and roles clear
• Contact lists up-to-date
• Runbooks documented

2. Detection & Identification
How we detect incidents:
• Automated alerting: Security tools (SIEM, IDS/IPS)
• Monitoring: 24/7 SOC monitoring
• User reports: Customer or employee reports
• Third-party notification: Vendor, researcher, regulator

Initial triage (within 15 minutes for P1):

  • What's happening?

  • Which systems are affected?

  • How many customers/users are affected?

  • What is the severity?

  • Is it still active?

3. Containment
Goal: Stop the spread, minimize damage

Short-term containment (immediate):

  • Isolate affected systems

  • Block malicious IPs/domains

  • Disable compromised accounts

  • Activate backup systems if necessary

  • Preserve forensic evidence

Long-term containment (hours-days):

  • Implement compensating controls

  • Apply security patches

  • Strengthen monitoring

  • Prepare for eradication

4. Eradication
Goal: Remove the threat completely

Actions:

  • Remove malware/backdoors

  • Close vulnerabilities

  • Reset compromised credentials

  • Rebuild affected systems if necessary

  • Apply security hardening

  • Verify no residual threat

Verification:

  • Security scans

  • Log analysis

  • Testing

  • Sign-off from Security Lead

5. Recovery
Goal: Restore normal operations safely

Phased approach:

  • Restore from clean backups if necessary

  • Rebuild systems with security controls

  • Gradually restore services

  • Enhanced monitoring

  • Customer communication regarding restoration

Validation:

  • Functionality testing

  • Security verification

  • Performance testing

  • User acceptance

6. Post-Incident Analysis
Goal: Learn and improve

Timeline: Within 5 business days after closure

Post-Incident Review meeting:

  • What exactly happened?

  • How was it detected?

  • Was the response effective?

  • What went well?

  • What could be improved?

  • Action items for improvement

Documentation:

  • Incident timeline

  • Actions taken

  • Lessons learned

  • Recommendations

  • Update runbooks

Communication During Incidents

Internal Communication

Incident Channel
• Platform: Microsoft Teams dedicated channel
• Participants: IR team, management, relevant stakeholders
• Updates: Regularly, especially when there are status changes
• Format: Structured updates with time, status, actions, next steps

Escalation Path
Level 1: IR Manager
Level 2: CTO / Management
Level 3: Executive team / Board

Status Updates

  • P1: Every hour

  • P2: Every 4 hours

  • P3: Daily

  • P4: In case of significant changes

External Communication

Customers
• When: For P1/P2 incidents that impact customers
• Method: Email, status page, in-app notifications
• Content:
  • What's going on?
  • What impact (which customers/features)?
  • What are we doing about it?
  • Next update timing
• Tone: Transparent, empathetic, factual
• Approval: By Communications Lead and Management

Status Page
• URL: onesurance
• Real-time updates: Green / Yellow / Red status
• Incident history: Publicly available
• Subscribe: Email/SMS notifications available

Regulatory Notification
• Dutch Data Protection Authority (AP): Within 72 hours of a data breach
• Other regulators: Per regulatory requirement (DORA, etc.)
• Format: Official notification form
• Responsible: Data Protection Officer (DPO) / Legal team

Media & PR
• Involvement: In high-profile incidents
• Approval: Executive team
• Spokesperson: Designated company representative
• Message: Consistent with customer communication

Data Breach Details

GDPR Data Breach Notification

Assessment Criteria
• Has personal data been compromised?
• What is the nature and scope?
• What are the possible consequences for those involved?
• Are there mitigating measures?
• Does this result in a risk to rights and freedoms?

Notification Timeline
• Internal notification: Immediate (within 1 hour)
• Assessment: Within 4 hours
• Dutch Data Protection Authority: Within 72 hours (if required)
• Data subjects: Without undue delay (if high risk)

Notification Content - Supervisory authority
• Nature of the breach
• Categories and number of data subjects
• Categories and number of personal data records
• Possible consequences
• Measures taken/proposed
• Contact details of the Data Protection Officer

Notification to Data Subjects
When required:

  • High risk to rights and freedoms

  • For example: identity theft, financial loss, damage to reputation

Contents:

  • Description of data breach in plain language

  • Contact details of the Data Protection Officer (DPO)

  • Possible consequences

  • Measures taken/proposed

  • Recommendations for the person concerned

Documentation
• Incident log: All data breaches recorded
• Details: Nature, consequences, measures
• Retention: Minimum 3 years
• Availability: For supervisory authority upon request

Incident Response Tools

Detection & Monitoring
• Azure Sentinel: SIEM, threat detection
• Azure Security Center: Posture management
• Azure Monitor: Logs and metrics
• Application Insights: Application performance

Analysis & Investigation
• Log Analytics: Query and analysis
• Network Watcher: Network traffic analysis
• Azure Defender: Threat intelligence
• Forensic tools: Evidence collection

Containment & Remediation
• Azure Firewall: Network blocking
• NSG rules: Access restriction
• Identity Protection: Account disable
• Backup & Restore: System recovery

Communication
• Microsoft Teams: Internal coordination
• Status page platform: External updates
• Email automation: Customer notifications
• Ticketing system: Incident tracking

Third-Party Support

External Resources
• Microsoft Azure Support: 24/7 support contract
• Security incident response: External DFIR firm (on retainer)
• Legal counsel: Privacy and security lawyers
• PR firm: Crisis communication (if necessary)
• Forensics: Digital forensics specialists

When to Engage
• P1 incidents with complex analysis
• Suspected advanced persistent threat (APT)
• Legal/regulatory complexity
• Media attention / reputation risk
• Forensic evidence for legal action

Metrics & Reporting

Key Metrics
• Mean Time to Detect (MTTD): Average time to detection
• Mean Time to Respond (MTTR): Average time to initial response
• Mean Time to Resolve (MTTR): Average time to closure
• False positive rate: % false positive alerts
• Escalation rate: % incidents escalated
• Repeat incidents: Same root cause

Regular Reporting
• Weekly: Incident summary to management
• Monthly: Metrics dashboard, trends
• Quarterly: Board report with key incidents
• Annual: Comprehensive IR program review

Post-Incident Report Format

  1. Executive summary

  2. Incident timeline

  3. Impact assessment

  4. Root cause analysis

  5. Response effectiveness

  6. Lessons learned

  7. Action items

  8. Recommendations

Testing & Exercises

Tabletop Exercises
• Frequency: Quarterly
• Scope: Scenario-based discussion
• Participants: IR team, key stakeholders
• Scenarios: Data breach, ransomware, DDoS, insider threat
• Duration: 2-3 hours
• Output: Lessons learned, runbook updates

Full-Scale Exercises
• Frequency: Annual
• Scope: Live simulation, full IR activation
• Participants: Full IR team, management, select customers
• Scenario: Realistic, complex incident
• Duration: 4-8 hours
• Output: Comprehensive report, improvement plan

Purple Team Exercises
• Frequency: Semi-annual
• Scope: Red team (attack) + Blue team (defense) collaboration
• Objective: Test detection and response capabilities
• Method: Simulated attacks, real-time response
• Output: Gaps identified, improvements implemented

Customer Support During Incidents

Dedicated Support
• Incident hotline: Dedicated number during major incidents
• Priority support: Escalated handling
• Status updates: Direct communication
• Post-incident debrief: Offered to affected customers

Customer Responsibilities
• Report suspicious activity: Via onesurance
• Cooperate with investigation: If relevant
• Follow guidance: Security recommendations
• Update contacts: Keep contact details current

Continuous Improvement

Regular Reviews
• Monthly: IR metrics review
• Quarterly: Runbook updates
• Semi-annual: Full IR plan review
• Annual: Comprehensive program assessment

Improvement Sources
• Post-incident analysis
• Exercise findings
• Industry best practices
• Threat landscape changes
• Technology updates
• Regulatory changes

Updates & Training
• Runbook updates: After each incident and exercise
• Tool updates: Regular evaluation of IR tools
• Training: Ongoing, role-specific
• Awareness: Company-wide security awareness

Contact

For security incidents and reporting:
• 24/7 Security Hotline: onesurance
• Security Email: onesurance
• Responsible Disclosure: onesurance
• Data Protection Officer: onesurance

Onesurance .V. | Breda, Netherlands | Chamber of Commerce: 87521997