Information Security Incident Response Procedure
This procedure describes how LEF identifies, responds to, and learns from security incidents.
| Field | Value |
| --- | --- |
| Owner | Information Security Officer |
| Contact | infra@lef.tec.br |
| Version | 1.1 |
| Last updated | 2025-03-26 |
| Review cadence | Annual (or after major incidents) |
If you suspect an incident
- Report immediately to infra@lef.tec.br and include what happened, when, and what systems/accounts may be involved.
- Preserve evidence: don’t delete messages, logs, or files; take screenshots if useful.
- Contain safely: if you suspect a device/account is compromised, disconnect from VPN and stop using the affected account until guided.
- If client data may be involved, notify the project lead as soon as possible.
1. Purpose
Establish guidelines and responsibilities to identify, classify, contain, communicate, mitigate, and review information security incidents that may affect LEF, its systems, data, or clients.
2. Scope
Applies to all LEF employees, service providers, and systems that handle corporate or third-party information.
3. Definitions
- Security incident: Confirmed or suspected event that compromises the confidentiality, integrity, or availability of information.
- Sensitive data: Personal data, access credentials, financial or regulated information under LGPD, GDPR, or contractual obligations.
4. Responsibilities
- Information Security Officer: Coordinates the response process, performs technical investigation, applies containment and remediation measures, and communicates with stakeholders.
5. Process Steps
5.1. Identification
- Incidents can be reported via email to infra@lef.tec.br.
- Events are assessed within 1 working day to determine severity.
5.2. Containment and Mitigation
- Access to affected systems is immediately restricted.
- Backups are activated as needed.
- Vulnerabilities are prioritized and corrected.
5.3. Communication
- Incidents involving personal or third-party data must be reported to the affected party within 24 hours after assessment.
- Communication is official and includes:
  - Incident description
  - Impact and data involved
  - Actions taken and remediation plan
5.4. Analysis and Lessons Learned
- Conducted within 14 days after the event.
- Generates a root cause and improvement report.
- Corrective measures are recorded and tracked.
6. Logging and Audit
- All incidents must be recorded with date, responsible person, type, and impact.
- Logs must be kept for at least 12 months.
7. Maintenance
- Updates are made as required by legal or contractual obligations.
8. Contact
For urgent reporting: infra@lef.tec.br
Records / evidence
- Incident log (date, type, impact, actions):
- Evidence collected (screenshots, logs, emails):
- Post-incident review / lessons learned: