Executive Summary
This document describes Virtus Group’s incident response approach for incidents within the scope of services we manage under contract.
It is derived from our internal standards and is intended to provide reviewers and clients with a clear, practical view of how we detect,
triage, contain, recover, and learn from incidents.
This is an informational summary and is non-contractual. Contractual response targets, notification requirements, and inclusions (if any) are defined
in the applicable Agreement, SOW/WO, and/or service schedules for the engagement.
Scope & Assumptions
- In scope: systems and processes directly managed by Virtus Group per contract, including managed infrastructure, security tooling, and managed endpoints where applicable.
- Out of scope: client-owned or third-party systems not onboarded to our managed service, and any environments where Virtus does not have delegated authority or access.
- Dependencies: connectivity, power, upstream provider availability, and named client contacts with authority to approve actions (e.g., containment steps that impact business operations).
Severity & Classification
We use a pragmatic incident severity scale to drive prioritisation and communications. Severity is assessed on impact, scope, and urgency.

| Priority | Description | Examples |
| --- | --- | --- |
| P1 Critical | Active compromise, major outage, or material risk to confidentiality/integrity/availability requiring immediate action. | Ransomware activity; confirmed data exfiltration; core service outage; privileged account takeover. |
| P2 High | Suspected compromise or significant degradation with meaningful business impact; urgent containment required. | Malware detected on key server; repeated failed admin sign-ins with high risk; partial outage of critical system. |
| P3 Medium | Contained incident or limited impact; response required within standard service windows. | Single endpoint compromise with no lateral movement; suspicious email campaign with user reporting. |
| P4 Low | Low-impact event, informational alerts, or policy nonconformance requiring planned remediation. | Minor misconfiguration; low-risk detection; advisory patching required. |
Note: Incident category matters. We commonly classify incidents as Security, Availability, Data loss, or Integrity.
A single incident can span multiple categories (e.g., security event that causes an outage).
Core Requirements (Key Controls)
Virtus Group’s incident response capability is supported by these minimum operational controls:
- Detection and intake: alerts from monitored tooling (where enabled), user reports, vendor notifications, and operational telemetry.
- Ticketing and traceability: every incident is recorded with timestamps, actions, approvals, and outcomes.
- Access control: least-privilege admin access with audit trails (e.g., privileged elevation records where applicable).
- Containment readiness: defined playbooks for isolation, credential resets, and rapid blocking actions (e.g., conditional access, firewall, endpoint quarantine).
- Backup and recovery: verified restore approach appropriate to the service scope; critical recoveries are tested periodically where feasible.
- Post-incident review: lessons learned captured with tracked corrective actions and service improvement follow-ups.
Procedures / Playbooks
We follow a standard lifecycle:
- Detect & Triage: validate signal, establish severity, confirm scope, open incident record.
- Contain: stop spread and reduce exposure (isolate hosts, disable accounts, block IOCs, revoke tokens).
- Eradicate: remove root cause (malware removal, patching, configuration correction, credential rotation).
- Recover: restore services safely (rollback, rebuild, restore from backups, integrity validation).
- Review: PIR completed with actions tracked to closure.
Roles & RACI (Typical)
| Role | Responsibility |
| --- | --- |
| Incident Commander | Owns decisions, timeline, approvals, and overall coordination; ensures PIR completion. |
| Core Infrastructure Lead | Identity, directory, DNS/DHCP, virtualisation, core compute; restore coordination as required. |
| Network/Security Lead | WAN/SD-WAN, firewalls, VPN, segmentation, threat containment controls, IOC blocks. |
| Apps/Data Lead | Application and database recovery, file services, integrity validation, data restoration coordination. |
| Comms Lead | Stakeholder updates, client liaison, update cadence, and coordinating messages with the Incident Commander. |
| Comms/Privacy Officer | Privacy impact assessment and regulatory/customer notification coordination where required. |
Communications & Notification
Communications are tailored to the client’s contract and nominated contacts. For Priority 1 and Priority 2 incidents affecting managed scope,
our intent is to provide clear, time-based updates.
- P1: initial client notification as soon as practical after validation and initial containment direction is known; then regular updates (typically every 2–4 hours during active response).
- P2: notification within standard service windows (or as agreed), with periodic updates (typically daily or per material change).
- P3/P4: updates via ticket notes and/or service review reporting unless escalation is required.
External communications: Virtus Group does not issue public statements on behalf of clients unless expressly authorised in writing.
Client-facing messaging is approved by the Incident Commander and the nominated client contact.
Baseline Targets
- P1 alert triage: target ≤ 1 hour (where monitoring and access are in place)
- Containment: target ≤ 24 hours where feasible, dependent on scope and client approvals
- Log retention: hot 90 days; archive 12 months (or client-specific)
- Post-Incident Review (PIR): completed within 10 business days with tracked actions
KPIs & Reporting
- Mean time to contain (MTTC)
- Mean time to recover (MTTR)
- Recurrence rate of material incidents
- Post-incident actions closed ≤ 30 days
Evidence & Records
Evidence and response records are maintained in line with Virtus Group’s Document & Record Control approach, including logs, approvals,
ticket timelines, communications, test outputs, meeting minutes, PIRs, and action registers.
- Incident record (ticket) with timestamps and decision log
- Relevant logs and alert artefacts (where enabled)
- Containment / eradication / recovery actions with approvals
- Post-Incident Review (PIR) and tracked corrective actions
Contacts
For incident escalation and coordination:
hello@virtusgroup.biz • 0800 847 887 (VIRTUS)
For privacy/security liaison (where applicable):
privacy@virtusgroup.biz • security@virtusgroup.biz