Runbook - Network Security Management
Runbook stub • Effective 26 Sep 2025 • Version v1.0
Scope
Operate network security policies: firewall rules, segmentation/Zero Trust, SWG/SASE policy upkeep, and change governance.
In scope Operations, monitoring, reporting to SLAs/SLOs, continuous improvement (SIP).
Out of scope One-off projects/uplifts (CPS), custom application development, non-standard integrations unless agreed.
Dependencies
- Named Agency sponsor and SPOC; vendor contacts and maintenance windows
- Access: least-privilege operational accounts; logging destinations agreed
- Licences/tenants/tools provided by Agency (where applicable)
Standard Operating Procedures (SOPs)
Daily
- Review overnight alerts and ticket queues
- Check critical service health dashboards
- Triage new incidents and changes
Weekly
- Review open incidents and problems
- Patch ring planning and exceptions (if applicable)
- Update Decision Log and RAID as needed
Monthly
- Service review pack: SLA/SLO, incidents/changes, risks/issues
- Restore or failover test (if applicable)
- SIP actions updated with owners/dates
Quarterly
- Trend analysis and control effectiveness review
- Tabletop or restore drill (if applicable)
- Access review and break-glass validation
SLAs and SLOs
| Measure | Target |
|---|---|
| Incident response (business hours) | Ack within 30 minutes; priority-based resolution targets |
| Change records | 100 percent with rehearsal and rollback for high-risk changes |
| Reporting | Monthly service review delivered within 5 business days of month end |
| Change windows | Planned with rollback rehearsed |
| Policy drift | Weekly review |
KPIs and Signals
| KPI | Definition |
|---|---|
| Ticket SLA compliance | Percent of incidents and requests meeting SLA |
| Backlog health | Aged tickets over threshold |
| SIP closure rate | Percent of improvement actions closed by due date |
| Policy violations | Count and trend |
| Config backup currency | Percent devices with last 24h backup |
Escalation
| Functional SPOC | Service Lead (email/phone as per contact matrix) |
|---|---|
| Duty escalation | Service Manager → Account Lead → Executive Sponsor |
| Vendor escalation | As per vendor matrix; include ticket ref and evidence |
| Incident bridge | Spin up within 15 minutes for SEV1/SEV2; roles per playbook |
Evidence and Records
- Monthly service review pack (SLA/SLO, incidents/changes, restore evidence, risks/issues, SIP)
- Change records with rehearsal and rollback plan
- PIRs and Problem records; Decision Log and RAID entries
- Backups: immutability checks and restore results with achieved RTO/RPO (if applicable)