Incident Response Plan

Last updated: 2025-05-07
Version: 1.0


The purpose of this Incident Response Plan is to provide a clear and structured approach for identifying, managing, and mitigating security incidents that may impact the confidentiality, integrity, or availability of Research Signals Ltd.’s (Signals) systems, services, or data.


This plan applies to:

  • All employees, contractors, and third-party service providers.
  • All IT systems, cloud services, networks, and applications managed or used by Research Signals Ltd.
  • All types of incidents, including but not limited to data breaches, malware infections, unauthorized access, denial of service attacks, and policy violations.

  • Rapidly identify and assess security incidents.
  • Contain and mitigate damage.
  • Ensure transparent and timely communication.
  • Maintain compliance with legal and regulatory requirements.
  • Document incidents and apply lessons learned to improve defenses.

  • Security Incident: Any actual or suspected event that compromises the confidentiality, integrity, or availability of information or systems.
  • Data Breach: A confirmed incident involving unauthorized access, disclosure, or loss of personal data.
  • DPO: Data Protection Officer – the lead for GDPR compliance and breach response.

| Role | Responsibility | Role currently held by |
|---|---|---|
| Incident Lead | Manages the response effort; usually CTO or delegate | Florin Asăvoaie |
| Data Protection Officer (DPO) | Assesses GDPR breach notification requirements | Nicko Goncharoff |
| Engineering Lead | Provides technical support and remediation | Florin Asăvoaie |
| Communications Lead | Coordinates internal and external communications | Tiago Barros |
| Executive Liaison | Escalates issues to leadership; approves major actions | Tiago Barros |

Contact details for all roles are maintained in an internal secure directory.


  • Monitor systems for anomalies (automated alerts, log analysis, staff reports).
  • Validate if activity constitutes a true incident.
  • Classify the severity (Low, Medium, High, Critical).

  • Isolate affected systems (e.g., revoke credentials, shut down services).
  • Preserve evidence (e.g., system logs, file snapshots).
  • Notify the Incident Response Team.

  • Remove malware, unauthorized users, or corrupted files.
  • Patch vulnerabilities or misconfigurations.
  • Coordinate with vendors or service providers if needed.

  • Restore from clean backups if necessary.
  • Monitor systems for any signs of recurrence.
  • Validate the integrity and functionality of restored services.

  • Internal: Notify staff and leadership as appropriate.
  • External: Notify affected users and regulatory bodies if personal data was involved:
    • GDPR: Notify the ICO within 72 hours of becoming aware of a personal data breach.
    • Provide:
      • Nature of the breach
      • Categories of affected data subjects
      • Likely consequences
      • Mitigation measures
      • Contact information for follow-up

  • Internal communications should be handled via secure, non-compromised channels (e.g., Slack, email).
  • Public communications (if applicable) must be pre-approved by the Communications Lead and reviewed by legal counsel.
  • Affected users will receive clear, prompt, and honest updates, including steps they may need to take.

Within 10 working days of resolution, the Incident Response Team will:

  • Conduct a retrospective review.
  • Document findings in an Incident Report (stored securely).
  • Identify root cause and contributing factors.
  • Recommend technical and procedural improvements.
  • Update relevant policies and training materials.

All incidents are documented in the Incident Register, which includes:

  • Incident description
  • Timeline of events
  • Actions taken
  • Impact assessment
  • Stakeholders notified
  • Lessons learned

Incident reports are retained for at least 3 years for audit and compliance purposes.


  • All staff receive annual training on how to recognize and report security incidents.
  • Simulated incident drills may be conducted periodically to test the effectiveness of the IRP.

This Incident Response Plan is reviewed annually or after any major incident to ensure relevance and effectiveness.



📧 Email: security@research-signals.com

📍 Address: 167-169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF