Psychnex's documented procedures for detecting, containing, eradicating, and recovering from security incidents. Aligned with NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide).
At a glance: 6 response phases · 6 IRT roles defined · 6 incident runbooks · framework alignment: NIST 800-61
This Incident Response Plan (IRP) covers all security incidents affecting Psychnex production systems, user data, and platform services. It is a required control under NIST SP 800-53 IR-1 through IR-10 (Incident Response family), GLBA Safeguards Rule §314.4(e), and the FedRAMP Moderate baseline. This is the public summary of the IRP; the full internal IRP includes contact details, specific tool credentials, and system-specific runbooks that are not published externally.
Aligned with: NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) · CISA Incident Handling Guide · NIST SP 800-137 (Information Security Continuous Monitoring)
Incident Commander (IC): Declares the incident severity. Coordinates the IRT. Makes final decisions on containment, notification, and recovery. Single point of authority during an active incident.
Activated for: All P1 incidents; P2 at IC discretion.
Backup: VP Engineering

Technical lead: Leads technical investigation, containment, and eradication. Owns the audit_log forensics and attack vector analysis. Coordinates with Supabase support if infrastructure-level assistance is needed.
Activated for: All P1 / P2 incidents.
Backup: Senior Backend Engineer

Communications lead: Drafts and sends all external communications: user notifications, regulatory filings, press statements, status page updates. Ensures notifications are sent on schedule. No external communications are sent without IC approval.
Activated for: All P1 / P2 incidents requiring user or regulatory notification.
Backup: Chief Marketing Officer

Legal Counsel: Reviews all regulatory notification drafts. Advises on applicable notification deadlines. Engages law enforcement if criminal activity is suspected. Manages attorney-client privilege over investigation materials.
Activated for: All P1 incidents; P2 when the regulatory notification threshold is met.
Backup: Outside Counsel on Retainer

Executive Sponsor: Receives the P1 briefing within 1 hour. Approves any communication affecting company reputation or major financial remediation. Signs off on formal regulatory notifications. Notifies the board for significant incidents.
Activated for: P1 incidents; P2 if media or regulatory attention is likely.
Backup: Board Chair

Incident scribe: Maintains a real-time incident log with a timestamp for every action, decision, and communication. Drafts the Post-Incident Report. Archives all incident artifacts for 3-year retention.
Activated for: All P1 / P2 incidents.
Backup: Operations Manager
Runbook: Account compromise
Detection signals: Failed auth spike in audit_log; auth from unusual geolocation; MFA bypass attempt
Immediate actions: Force-terminate user sessions; lock affected accounts; rotate all API keys; notify user immediately
Regulatory trigger: Evaluate scope; if NPI was accessed, GLBA/CCPA notification thresholds apply

Runbook: Data exfiltration
Detection signals: Anomalous SELECT query volume; high data export event count; unusual API call patterns in Edge Function logs
Immediate actions: Enable read-only RLS; revoke API keys; forensic audit_log export before any changes; estimate scope
Regulatory trigger: GLBA (NPI), CCPA (PII), GDPR (EU/EEA users), COPPA (youth); the 72-hour notification timeline begins

Runbook: Vendor breach
Detection signals: Vendor breach notification received; anomalous behavior in vendor-integrated features; vendor status page incident
Immediate actions: Revoke all vendor API keys and tokens immediately; evaluate blast radius on Psychnex user data; invoke VRM offboarding procedure
Regulatory trigger: Psychnex remains the data controller; if user data was exposed via the vendor, Psychnex notification obligations apply

Runbook: Staff account misuse (insider)
Detection signals: Anomalous admin activity in audit_log; access to data outside role scope; bulk data export by staff account
Immediate actions: Immediately revoke access for the suspected staff account; preserve all audit evidence; engage legal counsel; notify HR
Regulatory trigger: Same regulatory triggers as data exfiltration, determined by the data type accessed

Runbook: DDoS / availability degradation
Detection signals: Edge Function error rate surge; Supabase API timeout spike; WAF rate-limit trigger volume
Immediate actions: Activate WAF DDoS mitigation rules; rate-limit affected endpoints; coordinate with Supabase infrastructure team; update status page
Regulatory trigger: NIS2 significant impact threshold evaluation; no user data notification unless data was accessed

Runbook: Ransomware
Detection signals: Unusual database modification patterns; mass record deletion; encrypted file indicators
Immediate actions: Isolate affected systems immediately; initiate Supabase PITR recovery evaluation; engage law enforcement (FBI IC3); do NOT pay ransom without legal counsel
Regulatory trigger: FBI IC3 report; CISA notification; evaluate GLBA/CCPA breach thresholds for affected data
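The audit_log detection signals in the account-compromise, data-exfiltration and staff-account runbooks (failed auth spike, auth from an unusual geolocation, high data export count) can be turned into concrete checks. The following Python is an added example and not Psychnex's code: the audit_log row schema (ts, actor, event, ok, country), the thresholds and the time windows are all assumptions made for illustration, and the sample rows are constructed. It generalizes the two volume signals into one sliding-window counter and pairs each finding with the immediate action the runbook above prescribes.

```python
"""Added example: turning the runbooks' audit_log detection signals into checks.
Not Psychnex's code. The row schema (ts, actor, event, ok, country), the
thresholds and the windows are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds; a real deployment tunes these against baseline traffic.
FAILED_AUTH_THRESHOLD = 5                   # failed auth events per actor ...
FAILED_AUTH_WINDOW = timedelta(minutes=10)  # ... inside this sliding window
EXPORT_THRESHOLD = 3                        # data_export events per actor ...
EXPORT_WINDOW = timedelta(hours=1)          # ... inside this sliding window

# Immediate actions quoted from the runbooks, keyed by finding type.
RUNBOOK_ACTION = {
    "failed_auth_spike": "Force-terminate user sessions; lock affected accounts; rotate all API keys; notify user immediately",
    "unusual_geo": "Force-terminate user sessions; lock affected accounts; rotate all API keys; notify user immediately",
    "export_spike": "Enable read-only RLS; revoke API keys; forensic audit_log export before any changes; estimate scope",
}


def _ts(row):
    return datetime.fromisoformat(row["ts"])


def sliding_window_spikes(rows, event, threshold, window, ok=None):
    """Actors with >= threshold rows of `event` inside any span of length `window`.
    ok=None counts every row of that event; ok=False counts only failures."""
    per_actor = defaultdict(list)
    for r in rows:
        if r["event"] == event and (ok is None or r["ok"] == ok):
            per_actor[r["actor"]].append(_ts(r))
    flagged = set()
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return flagged


def failed_auth_spikes(rows):
    return sliding_window_spikes(rows, "auth", FAILED_AUTH_THRESHOLD, FAILED_AUTH_WINDOW, ok=False)


def export_spikes(rows):
    return sliding_window_spikes(rows, "data_export", EXPORT_THRESHOLD, EXPORT_WINDOW)


def unusual_geo_logins(rows):
    """Successful auths from a country the actor has not logged in from earlier
    in the supplied rows (which stand in for the baseline period)."""
    seen = defaultdict(set)
    flagged = []
    for r in sorted(rows, key=_ts):
        if r["event"] != "auth" or not r["ok"]:
            continue
        known = seen[r["actor"]]
        if known and r["country"] not in known:
            flagged.append((r["actor"], r["country"], r["ts"]))
        known.add(r["country"])
    return flagged


def triage(rows):
    """Run every check and attach the runbook's immediate action to each finding."""
    findings = []
    for actor in sorted(failed_auth_spikes(rows)):
        findings.append({"type": "failed_auth_spike", "actor": actor})
    for actor, country, ts in unusual_geo_logins(rows):
        findings.append({"type": "unusual_geo", "actor": actor, "country": country, "ts": ts})
    for actor in sorted(export_spikes(rows)):
        findings.append({"type": "export_spike", "actor": actor})
    for f in findings:
        f["action"] = RUNBOOK_ACTION[f["type"]]
    return findings


def _row(ts, actor, event, ok=True, country="US"):
    return {"ts": ts, "actor": actor, "event": event, "ok": ok, "country": country}


# Constructed sample audit_log rows (not real data).
SAMPLE_AUDIT_LOG = (
    [_row("2024-05-01T09:00:00", "u-101", "auth"),
     _row("2024-05-02T22:15:00", "u-101", "auth", country="RO")]                # new country for u-101
    + [_row(f"2024-05-01T10:0{i}:00", "u-202", "auth", ok=False) for i in range(6)]  # 6 failures in 5 min
    + [_row(f"2024-05-01T11:{10 * i:02d}:00", "u-303", "data_export") for i in range(4)]  # 4 exports in 30 min
    + [_row("2024-05-01T12:00:00", "u-404", "auth", ok=False),
       _row("2024-05-01T12:30:00", "u-404", "auth", ok=False)]                  # 2 failures, below threshold
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(finding)
```

The sliding window is deliberate: a fixed per-hour bucket lets an attacker split a burst across a bucket boundary, whereas the window above catches any threshold-sized burst regardless of alignment. The geolocation check only flags a country once the actor has a prior history, so a brand-new account's first login is not a false positive.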
| Severity | Who is notified (in order) | Within (per person, in the same order) | Bridge |
|---|---|---|---|
| P1 | On-call Security → Incident Commander → Executive Sponsor → Legal Counsel → Board (if material) | 15 min / 1 hr / 1 hr / 1 hr / 4 hrs | All-hands IRT bridge opened immediately |
| P2 | On-call Security → Incident Commander → Legal (if notification threshold met) | 1 hr / 2 hrs / 4 hrs | IRT bridge on IC decision |
| P3 | On-call Security → Security Lead (next business day) | 4 hrs / NBD | No bridge — Slack channel |
| P4 | Security team — logged for weekly review | NBD | No bridge — ticket only |
Report suspected security incidents immediately. Our security team operates 24/7 for P1 events with a 15-minute acknowledgment SLA.