Legal & Compliance
Roles, Responsibilities & Communication Channels
Effective: May 26, 2026 · Next review: May 26, 2027 · Pythias Technologies, LLC
1
This policy establishes Pythias Technologies' procedures for detecting, reporting, containing, and recovering from security incidents. It defines roles, responsibilities, and communication channels to ensure an organized, timely response that minimizes impact on clients, data, and operations.
This policy applies to all security incidents affecting Pythias systems, data, or personnel — including unauthorized access, data breaches, malware infections, service disruptions, and compromised credentials.
2
Active breach of Confidential or Restricted data; ransomware or destructive malware; full production service outage caused by an attack. Requires immediate response — 24/7.
Suspected unauthorized access to production systems; compromised admin credentials; significant data exposure. Response required within 4 hours.
Repeated failed authentication attempts suggesting brute force; suspicious API usage; non-production system compromise. Response within 24 hours.
Policy violations, phishing attempts (not clicked), vulnerability discovery with no evidence of exploitation. Response within 72 hours.
3
Incident Commander — Company Owner
Declares and closes incidents.
Makes containment decisions, including taking services offline.
Approves all external communications (client notifications, legal referrals).
Coordinates with legal counsel if required.
Technical Lead — Senior Developer or Technical Staff
Performs technical investigation and containment actions.
Identifies scope of impact and affected data.
Implements fixes and validates remediation.
Preserves evidence (logs, snapshots) without destroying artifacts.
All Employees & Contractors
Report any suspected incident immediately — do not investigate alone.
Do not take unilateral containment actions beyond logging out of affected systems.
Preserve evidence — do not delete files, logs, or emails related to the incident.
4
Phase 1 — Detection & Reporting
Any person detecting an incident or anomaly reports it immediately to the Incident Commander via direct phone call or text. Email alone is insufficient for Critical/High incidents. The initial report should include: what was observed, when, on which system, and by whom.
Phase 2 — Assessment
The Technical Lead assesses the incident within the timeframe set by its classification. Assessment determines: type of incident, systems and data affected, whether the incident is ongoing, and initial severity classification.
Phase 3 — Containment
Isolate affected systems if active compromise is confirmed (revoke credentials, restrict network access, take service offline if necessary).
Preserve logs and system state before making changes.
Block attack vectors (revoke compromised tokens, patch exploited vulnerabilities, ban attacking IPs).
Phase 4 — Eradication
Remove malicious artifacts, unauthorized accounts, or compromised configurations.
Rotate all potentially compromised credentials even if not yet confirmed as compromised.
Verify that the root cause has been addressed.
Phase 5 — Recovery
Restore services from known-good state (backups, clean deployments).
Monitor closely for 48 hours post-recovery for signs of re-compromise.
Incident Commander formally closes the incident once services are confirmed stable and secure.
Phase 6 — Post-Incident Review
A written post-incident review is completed within 14 days. It covers: timeline, root cause, impact, what went well, what to improve, and follow-up action items with owners and deadlines.
5
Internal reporting
Critical/High incidents: direct phone call to Incident Commander immediately.
Medium/Low incidents: report via email to [email protected] with "SECURITY INCIDENT" in the subject line, within 4 hours of discovery.
Client notification
Affected clients are notified within 72 hours of confirming a breach involving their data.
Notifications include: nature of the incident, data categories potentially affected, steps taken, and guidance for clients to protect themselves.
Notifications are sent from [email protected] to the primary contact on file for each affected client.
External / legal
Legal counsel is engaged for any incident involving Confidential data of 50 or more individuals, or any regulatory notification obligation.
Law enforcement is contacted at the Incident Commander's discretion for criminal incidents (extortion, unauthorized access).
6
During an incident, the following must be preserved and not modified: application logs, server access logs, authentication logs, network traffic captures (if available), and any files or database records involved in the incident. Logs are downloaded and stored in a secure, separate location as soon as an incident is declared. Evidence is retained for a minimum of 12 months post-incident or for the duration of any legal proceeding, whichever is longer.
7
This policy is reviewed annually (next review: May 26, 2027). A tabletop exercise simulating a data breach or compromise scenario is conducted at least once per year to verify response readiness.
© 2026 Pythias Technologies, LLC · All rights reserved
