Purpose
This policy establishes Scispot's plan for managing scheduled maintenance downtime and information security incidents, offering guidance for employees and incident responders to ensure minimal disruption to customers and maintain transparency.
Scope
This policy covers all scheduled maintenance activities and information security or data privacy events or incidents affecting Scispot systems or networks.
Scheduled Maintenance Downtime Process
Planning and Scheduling
Tools Used: Linear app, Slack, Scispot
Process:
Maintenance tasks are planned during off-peak hours based on usage patterns.
Tasks are scheduled and assigned to relevant team members using planning tools.
Notification and Communication
Advance Notice: Customers are informed at least two weeks in advance.
Channels: Email (Mailchimp, SendGrid), In-app notifications (Slack), Status page updates
Details Included: Date, time, expected duration, and services impacted.
Multiple Reminders: Additional reminders are sent one week and one day before maintenance.
Execution and Monitoring
Real-Time Monitoring Tools: New Relic, Zabbix, and Prometheus
Process:
IT and DevOps teams monitor systems closely during maintenance.
Real-time updates are provided on the status page.
Post-Maintenance Communication
Completion Notice: Sent to customers via email and in-app notifications.
Summary Report: A report is provided detailing what was done and any improvements made.
Incident Reporting and Response Plan
Reporting
Channels: Email [email protected]
Details to Include: Specific details about observed or discovered events or incidents.
Severity Levels
S3/S4 - Medium and Low Severity: Suspicious behavior, no verified tangible risk.
S2 - High Severity: Potential risk, likely to happen.
S1 - Critical Severity: Active exploitation, immediate threat.
Escalation and Internal Reporting
S1 - Critical Severity: Immediate notification to IT and Engineering management.
S2 - High Severity: Create a support ticket and notify the appropriate manager via email or Slack.
S3/S4 - Medium and Low Severity: Create a support ticket assigned to the appropriate department for response.
Documentation
Storage: All events, incidents, and response activities are documented in the ServiceDesk or Salesforce ticket system.
Root Cause Analysis: Performed on all verified S1 incidents and reviewed by the VP of Support, the VP of Engineering, and/or the IT Manager.
Incident Response Process
Critical Issues Response:
Investigate, contain exploitation, eradicate the threat, recover systems, remediate vulnerabilities, and document a post-mortem report.
Incident Response Meeting Agenda:
Update incident ticket and timelines.
Document new Indicators of Compromise (IOCs).
Perform investigative Q&A.
Apply emergency mitigations.
Plan long-term mitigations.
Document Root Cause Analysis (RCA).
External Reporting / Breach Reporting
Determination: Legal and executive staff determine if breach reporting or external communications are required.
Reporting: Breaches are reported to customers, consumers, data subjects, and regulators without undue delay.
Summary of Process
Two Weeks Before Maintenance
Email notification sent to all users.
Maintenance details posted on the status page.
One Week Before Maintenance
Reminder email sent to users.
In-app notification appears when users log in.
One Day Before Maintenance
Final reminder email and in-app notification.
Status page updated with a banner indicating upcoming maintenance.
During Maintenance
Real-time updates on the status page.
Systems monitored by IT/DevOps team.
After Maintenance
Completion email sent to users.
Status page updated to reflect completion.
Post-maintenance summary provided.
Key Points
Advance Planning: Minimizes disruption.
Clear Communication: Keeps customers informed.
Multiple Channels: Ensures message reaches everyone.
Real-Time Updates: Provides transparency during maintenance.
Post-Maintenance Follow-Up: Builds trust and keeps users informed of improvements.
This policy ensures comprehensive management of both planned maintenance and unplanned incidents, maintaining transparency and trust with Scispot customers.