WiBiz Incident Response Plan
Document: WiBiz_Incident_Response_Plan_v1.0
Owner: Digital Benefits Pte Ltd
Classification: Internal -- Confidential
Version: v1.0
Effective Date: 15 April 2026
Review Cycle: Annual (next review: April 2027)
1. Incident Classification
| Priority | Severity | Examples | Response Time |
|---|---|---|---|
| P1 | Critical | Confirmed data breach, full system outage, ransomware, unauthorized access to client data | Immediate (within 15 minutes) |
| P2 | High | Partial outage affecting client operations, suspected breach under investigation, payment processing failure | Within 1 hour |
| P3 | Medium | Anomalous activity detected, policy violation by team member, single-channel degradation | Within 4 hours |
| P4 | Low | Minor configuration error, isolated bug with no data impact, failed login attempts below threshold | Within 24 hours |
Escalation rule: Any incident involving client personal data, healthcare data, or payment data is automatically P1 until downgraded by the Incident Commander.
2. Incident Response Team
| Role | Assigned To | Responsibility |
|---|---|---|
| Executive Sponsor | CEO (Nick) | Final authority on external communications, regulatory notifications, and budget decisions |
| Incident Commander | Designated Security Lead (TBA -- assign by May 2026) | Owns the incident from detection to closure. Coordinates all response activities. Makes containment decisions. |
| Communications Lead | Chielo | Internal team updates, client notifications, regulatory correspondence drafting |
| Technical Lead | On-call developer / platform admin | Executes containment and recovery actions on affected systems |
Until a dedicated Security Lead is appointed, the CEO acts as Incident Commander for P1/P2 incidents.
3. Response Phases
Phase 1: Detection
- Monitor alerts from hosting providers (Vercel, cloud CRM platform), payment processors (Stripe, Razorpay), and AI service providers (Anthropic, ElevenLabs).
- Team members report suspected incidents to the Incident Commander immediately via the designated internal channel (WhatsApp group or Discord).
- Log the initial report: who detected it, when, what was observed.
Phase 2: Containment
- Short-term (first 30 minutes for P1): Isolate affected systems. Revoke compromised credentials. Disable affected integrations or API keys. If a client sub-account is compromised, disable its automations immediately.
- Long-term: Implement temporary fixes to prevent spread while preserving evidence. Do not wipe logs or redeploy until evidence is preserved.
Phase 3: Eradication
- Identify and remove the root cause (malicious code, misconfiguration, compromised account).
- Rotate all credentials that may have been exposed: API keys, database passwords, OAuth tokens, service accounts.
- Patch the vulnerability or close the attack vector.
Phase 4: Recovery
- Restore systems from verified clean backups if needed.
- Redeploy affected services with fixes applied.
- Monitor closely for 48 hours post-recovery for recurrence.
- Confirm with affected clients that service is restored.
Phase 5: Post-Incident Review
- Conduct within 5 business days of incident closure.
- Use the Post-Incident Review Template (Section 6 below).
- Document lessons learned and assign remediation actions with owners and deadlines.
4. Communication Plan
| Audience | P1/P2 Timeline | P3/P4 Timeline | Channel |
|---|---|---|---|
| Internal team | Within 1 hour of detection | Within 24 hours | WhatsApp/Discord internal channel |
| CEO (if not already involved) | Immediately for P1, within 1 hour for P2 | Daily summary | Direct message |
| Affected clients | Within 24 hours if their data is affected | Only if service impact is visible | Email + WhatsApp (direct to client contact) |
| PDPC Singapore | Within 72 hours if personal data of Singapore residents is breached | N/A | PDPC breach notification form |
| EU supervisory authority (GDPR) | Within 72 hours if EU personal data is breached | N/A | Relevant authority's notification portal |
| Channel partners (BC360, Anil) | Within 48 hours if their clients are affected | As needed | Email to partner contact |
Rule: No external communication goes out without CEO approval. Draft all client and regulatory notifications before sending.
5. Evidence Preservation
When an incident is detected:
- Do not restart, redeploy, or wipe any affected system until evidence is secured.
- Export and preserve: server logs, application logs, access logs, API call records, database query logs.
- Screenshot any anomalous dashboard states or error messages.
- Record the chain of custody: who accessed what evidence and when.
- Store all evidence in a dedicated incident folder: WiBiz OS/05 Operations/Incidents/[YYYY-MM-DD]-[short-description]/
- Retain incident evidence for a minimum of 3 years.
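An added helper (example code, not part of the WiBiz plan or its tooling) that applies the folder convention and chain-of-custody rule above: it builds the dated incident folder, copies each artifact in, records its SHA-256 and handler in a JSONL custody log, and can later re-hash the folder to show whether anything was altered after collection. The base path, handler name, incident name and log line are constructed assumptions.

```python
import hashlib
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CUSTODY_LOG = "chain_of_custody.jsonl"  # one JSON entry per custody event

def incident_folder(base: Path, incident_date: str, short_description: str) -> Path:
    """Build '<base>/Incidents/YYYY-MM-DD-short-description/' per Section 5."""
    datetime.strptime(incident_date, "%Y-%m-%d")  # reject malformed dates early
    slug = re.sub(r"[^a-z0-9]+", "-", short_description.lower()).strip("-")
    if not slug:
        raise ValueError("short description must contain letters or digits")
    return base / "Incidents" / f"{incident_date}-{slug}"

def sha256_of(path: Path) -> str:
    # Whole-file read is fine for exported logs; stream in chunks for multi-GB images.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def preserve(source: Path, folder: Path, handler: str) -> dict:
    """Copy an artifact into the incident folder, hash it, append a custody entry."""
    folder.mkdir(parents=True, exist_ok=True)
    dest = folder / source.name
    if dest.exists():  # never overwrite evidence already in custody
        raise FileExistsError(f"{dest} already preserved")
    shutil.copy2(source, dest)  # copy2 keeps the original modification time
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "artifact": dest.name, "sha256": sha256_of(dest), "handler": handler}
    with (folder / CUSTODY_LOG).open("a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify(folder: Path) -> list:
    """Re-hash every logged artifact; return names whose hash no longer matches."""
    with (folder / CUSTODY_LOG).open(encoding="utf-8") as log:
        entries = [json.loads(line) for line in log]
    return [e["artifact"] for e in entries if sha256_of(folder / e["artifact"]) != e["sha256"]]

def demo() -> dict:
    """Exercise the flow on a constructed log line in a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "access.log"  # constructed sample evidence, not a real export
    src.write_text("2026-04-20T03:14:07Z GET /api/webhook 401 203.0.113.5\n")
    folder = incident_folder(tmp / "WiBiz OS" / "05 Operations", "2026-04-20", "Stripe webhook anomaly")
    entry = preserve(src, folder, "on-call developer")
    clean = verify(folder)  # expected: [] right after collection
    (folder / "access.log").write_text("altered\n")  # simulate post-collection tampering
    return {"folder": folder.name, "sha256": entry["sha256"], "clean": clean, "after_tamper": verify(folder)}
```

Run verify() again at review time; any artifact it names must be explained in the post-incident review before its contents are relied on.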
6. Post-Incident Review Template
INCIDENT ID: [INC-YYYY-MM-DD-001]
PRIORITY: [P1/P2/P3/P4]
INCIDENT COMMANDER: [Name]
DATE OF INCIDENT: [YYYY-MM-DD]
DATE OF REVIEW: [YYYY-MM-DD]
1. WHAT HAPPENED
[Plain-language summary of the incident]
2. TIMELINE
[Chronological list: detection time, containment actions, resolution, closure]
3. ROOT CAUSE
[Technical root cause and contributing factors]
4. IMPACT
- Systems affected:
- Clients affected:
- Data affected (type and volume):
- Duration of impact:
5. WHAT WENT WELL
[Actions that worked effectively during response]
6. WHAT NEEDS IMPROVEMENT
[Gaps in detection, response, or communication]
7. REMEDIATION ACTIONS
| Action | Owner | Deadline | Status |
|--------|-------|----------|--------|
8. LESSONS LEARNED
[Specific changes to prevent recurrence]
7. Key Contact List
| Contact | Name / Entity | Phone | Email / Website | When to Contact |
|---|---|---|---|---|
| CEO / Executive Sponsor | Nick | [FILL] | nicklaus@wibiz.ai | All P1, P2 incidents |
| Governance Lead | Chielo | [FILL] | [FILL] | Client/regulatory comms |
| Legal Counsel | [FILL -- appoint by Q3 2026] | [FILL] | [FILL] | Any confirmed data breach |
| PDPC Singapore | Personal Data Protection Commission | -- | https://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-breach-management | Breach involving SG personal data |
| Vercel Support | Vercel | -- | https://vercel.com/support | Platform/hosting incidents |
| Stripe Support | Stripe | -- | https://support.stripe.com | Payment data incidents |
| Anthropic Support | Anthropic | -- | https://support.anthropic.com | AI API incidents |
Action item: Fill all [FILL] entries within 30 days of policy adoption.
8. Annual Tabletop Exercise
- Conduct one tabletop exercise per calendar year simulating a P1 incident scenario.
- Rotate scenarios annually: data breach, ransomware, cloud provider outage, insider threat.
- All Incident Response Team members must participate.
- Document the exercise, findings, and any plan updates in the Incidents folder.
- First exercise deadline: Q3 2026.
End of document. Next review: April 2027.