Virtus Group - Incident Response Plan

Executive Summary

This document describes Virtus Group’s standard for this area and how it is applied in practice. It is derived from our internal policies and standards and is intended for both reviewers and operations.

Scope & Assumptions

• In scope: systems and processes directly managed by Virtus Group per contract.
• Out of scope: client-owned or third‑party systems not onboarded to our managed service.
• Dependencies: connectivity, power, and named client contacts for decision making.

Requirements (Key Controls)

• Cybersecurity operations must address the following domains: (VGL.Cybersecurity.Operations.Standard.docx)
• Configuration Management – Apply secure baselines, monitor for deviations, and enforce hardening standards. (VGL.Cybersecurity.Operations.Standard.docx)
• This standard must be reviewed every 2 years or following major incidents or regulatory changes. (VGL.Cybersecurity.Operations.Standard.docx)
• All incidents and audits must include a post-mortem or lessons learned exercise, feeding into continual improvement. (VGL.Cybersecurity.Operations.Standard.docx)
• This document will be reviewed at least once every two years, or whenever a major update is required, whichever happens first. (VGL.Cybersecurity.Operations.Standard.docx)
• Incident response procedures must be followed in case of breach (VGL.Cybersecurity.Policy.docx)
• All suspected incidents must be reported immediately to the employee’s People Leader, HR Manager, or Head of Security & Compliance.Contact: hr@virtusgroup.biz | compliance@virtusgroup.biz | hello@virtusgroup.biz | 0800 847 887 (VIRTUS). (VGL.Drug.and.Alcohol.Policy.docx)
• Director – Provides governance and strategic oversight of health and safety.Board – Ensures resources are allocated and fosters a strong health and safety culture.Head of Security & Compliance – Owns this policy, ensures compliance with legal and ISO/NZ requirements.Health and Safety Officer – Develops, maintains, and monitors the health and safety management system, conducts risk assessments, coordinates training, investigates incidents, and reports to leadership.Senior Leadership Team – Integrates health and safety into planning and decision-making, promotes awareness, and monitors performance.Team Leaders – Ensure compliance in teams, conduct safety checks, investigate incidents, and promote reporting of hazards.All Staff Members – Follow health and safety requirements, participate in training, report hazards and incidents, and take reasonable care of themselves and others.Visitors – Must comply with Virtus Group’s health and safety policies while on site and report concerns to their company contact or Health and Safety Officer. (VGL.Health.And.Safety.Policy.docx)
• All incidents, injuries, and near-misses must be reported promptly. (VGL.Health.And.Safety.Policy.docx)
• Director – Provides governance and strategic oversight of health and safety.Board – Ensures resources are allocated and fosters a strong health and safety culture.Head of Security & Compliance – Owns this policy, ensures compliance with legal and ISO/NZ requirements.Health and Safety Officer – Develops, maintains, and monitors the health and safety management system, conducts risk assessments, coordinates training, investigates incidents, and reports to leadership.Senior Leadership Team – Integrates health and safety into planning and decision-making, promotes awareness, and monitors performance.Team Leaders – Ensure compliance in teams, conduct safety checks, investigate incidents, and promote reporting of hazards.All Staff Members – Follow health and safety requirements, participate in training, report hazards and incidents, and take reasonable care of themselves and others.Visitors – Must comply with Virtus Group’s health and safety policies while on site and report concerns to their company contact or Health and Safety Officer. (VGL.Health.And.Safety.Policy_v2_Document_Hierarchy.docx)
• All incidents, injuries, and near-misses must be reported promptly. (VGL.Health.And.Safety.Policy_v2_Document_Hierarchy.docx)
• Security incidents must be reported immediately. (VGL.Information.Security.Policy.docx)
• Incident response plans must be maintained and tested. (VGL.Information.Security.Policy.docx)
• Ensure the safety of our staff members during any incident; (VGL.BCM.Standard.docx)
• Minimize the risk of disruptive incidents to time critical activities, required to deliver our products and services. (VGL.BCM.Standard.docx)
• Any backup failure or data loss incident must be escalated immediately to the IT Operations Manager. (VGL.Backup.Standard.docx)
• Encryption practices must be reviewed following major incidents, vendor cryptographic deprecations (e.g., TLS retirements), or new regulatory requirements. (VGL.Encryption.Standard.docx)
• Device incidents must be tracked within the Virtus Group Incident Response Plan. (VGL.End.User.Device.Management.Standard.docx)
• Metrics and KPIs must be maintained for change success rates, rollback frequency, and incident trends. (VGL.IT.Change.Management.Policy.docx)

Procedures / Playbooks

Roles & RACI

KPIs & Reporting

• Mean time to containment (MTTC)
• Mean time to recovery (MTTR)
• Post-incident actions closed ≤ 30d

Evidence & Records

Records are maintained per the VGL Document & Record Control guidelines, including logs, approvals, test outputs, meeting minutes, and reports.