Security Breach Response Protocol

IT & Security Incident Management
Last reviewed: 2025-11-30
Owner: IT Security Team

Purpose

This protocol defines the actions to be taken when a security breach is confirmed or suspected at Global Bank. A security breach includes any event that results in unauthorised access to, disclosure of, or loss of bank or client data, as well as any compromise of IT systems or infrastructure. The protocol ensures a coordinated, rapid response to minimise damage, preserve evidence, and meet regulatory notification obligations.

Policy Reference: IT-INC-002
Classification: Confidential
Applies To: IT Security Team, IT Operations, Senior Management, all employees (for initial reporting)

Breach Categories

Category A — Critical
  Description: Confirmed breach involving client personal data, financial data, or core banking systems
  Examples: Database exfiltration, ransomware on production systems, compromised payment systems

Category B — Major
  Description: Confirmed breach involving internal systems or employee data with potential for escalation
  Examples: Compromised admin credentials, malware on internal servers, email account takeover

Category C — Minor
  Description: Suspected or low-impact incident with no confirmed data loss
  Examples: Single phishing compromise (contained), attempted brute-force attack (blocked), lost encrypted device

Phase 1: Detection and Initial Reporting

Any employee who identifies or suspects a security breach must follow these steps:

  1. Do not attempt to investigate or remediate the issue yourself. Doing so may destroy evidence (for example by overwriting logs or volatile memory) or alert the attacker and worsen the situation.
  2. Contact the IT Security Team immediately:
    • 24/7 Security Hotline: +44 20 7946 0199 (Ext. 2200 internally)
    • Email: securityincident@globalbank.com
  3. Provide the following information:
    • Your name, department, and contact number
    • What you observed and when
    • Systems or data involved
    • Any actions you have already taken
  4. If you believe your device is compromised, disconnect it from the network immediately (unplug the network cable and switch off Wi-Fi) but do not power it off or reboot it, so that volatile memory, running processes and network connections are preserved for forensic analysis.

Phase 2: Triage and Containment

The IT Security Team will:

  1. Assess the report and assign a breach category (A, B, or C).
  2. Activate the Security Incident Response Team (SIRT) for Category A and B breaches. The SIRT comprises:
    • Chief Information Security Officer (CISO) — Incident Commander
    • IT Security Team Lead — Technical Lead
    • IT Operations Manager — Infrastructure Support
    • Legal Counsel — Regulatory and Legal Advisory
    • Communications Manager — Internal and External Communications
    • Data Protection Officer — Data Subject Notification
  3. Implement immediate containment measures, which may include:
    • Isolating affected systems from the network
    • Disabling compromised user accounts
    • Blocking malicious IP addresses or domains at the firewall
    • Revoking access tokens and certificates
    • Engaging the Security Operations Centre (SOC) for real-time monitoring

Phase 3: Investigation and Eradication

  1. The SIRT conducts a forensic investigation to determine the root cause, scope, and impact of the breach.
  2. External forensic specialists may be engaged for Category A breaches, in coordination with Legal Counsel.
  3. All evidence is preserved in accordance with the bank's Digital Forensics and Evidence Handling Standard (IT-FOR-001).
  4. The threat is eradicated by removing malware, patching or otherwise closing the exploited vulnerabilities, resetting credentials the attacker may have obtained, and rebuilding compromised systems from backups that predate the compromise and have been verified clean.

Phase 4: Regulatory and Client Notification

For Category A breaches involving personal data:

  • The Data Protection Officer must notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of the bank becoming aware of the breach, as required by Article 33 of UK GDPR. Where the 72-hour deadline cannot be met, the reasons for the delay must accompany the notification, and every breach must be documented internally whether or not it is reported.
  • The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) must be notified in accordance with their respective notification requirements.
  • Affected data subjects (clients, employees) must be notified without undue delay if the breach poses a high risk to their rights and freedoms.
  • All notifications are coordinated by Legal Counsel and the Communications Manager.

Phase 5: Recovery and Post-Incident Review

  1. Affected systems are restored to normal operations only after IT Security has verified that the threat has been eradicated and the systems are clean.
  2. Enhanced monitoring is implemented for a minimum of 30 days post-incident.
  3. A Post-Incident Review meeting is held within 10 business days of resolution, involving all SIRT members and relevant stakeholders.
  4. A formal Incident Report is produced, documenting the timeline, root cause, impact, response actions, and recommendations for improvement.
  5. Lessons learned are incorporated into security controls, procedures, and training programmes.

Contact

  • 24/7 Security Hotline: +44 20 7946 0199
  • Security Incident Email: securityincident@globalbank.com
  • CISO Office: ciso@globalbank.com | Ext. 2250