Use this page to define how HEA-World receives, triages, records, fixes, and closes security incidents and vulnerability reports. This is a process scaffold until a monitored contact path and incident evidence exist.
ISO27001-6, NIS2-21-2, NIS2-21-5, NIS2-21-6
Do not publish a security contact on the trust page until the path is monitored and has an accountable owner.
private/technology&Architecture/compliance/20260706_quick_win_compliance_closure_plan.md
| Field | What To Capture | Evidence Expectation |
|---|---|---|
| ▸Contact path | Security email or monitored form. | Confirmed as monitored before public trust-page use. |
| ▸Intake owner | Named role responsible for first review. | Use a role, not only a person, so ownership survives handoff. |
| ▸Severity levels | Critical, high, medium, low with short HEA-specific examples. | Severity must drive triage target and escalation. |
| ▸Triage SLA target | Initial review target by severity. | Record target and actual timestamps when incidents occur. |
| ▸Evidence captured | Reporter, timestamp, affected system, data exposure, user impact, requestId/log IDs, containment decision. | No secrets or raw credentials in incident notes. |
| ▸Notification decision | Who decides whether customer or regulatory notification may be needed. | Decision timestamp and rationale must be recorded. |
| ▸Remediation record | Where fix, guardrail, changelog, and lessons learned are recorded. | Link PR, guardrail, and wegotitwrong.md entry when relevant. |