Warning
Work in Progress: This page is currently under construction. Content may be incomplete or subject to change. To contribute, see the contribution guide.
Incident Response Policy
Procedures for detecting, reporting, containing, and recovering from security incidents.
What is a security incident?
Any event that threatens the confidentiality, integrity, or availability of Patria Investments’ systems or data, including:
- Unauthorized access or access attempts to systems or data
- Malware, ransomware, or phishing attacks
- Data breach or suspected data exfiltration
- Credential compromise (leaked tokens, passwords, keys)
- Denial of service attacks against production systems
- Insider threat activity
Severity levels
| Severity | Description | Response SLA |
|---|---|---|
| Critical | Active breach, data exfiltration, ransomware | Immediate — 24/7 response |
| High | Credential compromise, unauthorized privileged access | Within 4 hours (business hours) |
| Medium | Suspicious activity, failed intrusion attempts | Within 24 hours |
| Low | Policy violations, minor misconfigurations | Within 5 business days |
Response process
```mermaid
flowchart LR
    Detect[Detect / Report] --> Triage[Triage & Severity]
    Triage --> Contain[Contain]
    Contain --> Investigate[Investigate]
    Investigate --> Remediate[Remediate]
    Remediate --> Postmortem[Postmortem]
```
1. Detect & report
- Anyone who suspects an incident must report it immediately
- Report via: Security team email or ServiceNow — category Security Incident
- For Critical/High incidents out of hours: contact on-call via Contacts
2. Triage
- The Security team assesses severity within 30 minutes of report
- Incident commander is assigned for Critical/High incidents
- A dedicated communication channel is opened (Teams / Slack)
3. Contain
- Isolate affected systems: revoke credentials, block accounts, isolate network segments
- Preserve evidence: do not delete logs, restart services, or wipe machines without Security team approval
4. Investigate
- Root cause analysis conducted by Security + Engineering
- Timeline of events documented
- Scope of impact assessed (systems affected, data involved)
5. Remediate
- Apply fixes, rotate credentials, patch vulnerabilities
- Confirm containment before restoring systems to production
6. Postmortem
- Postmortem written within 5 business days for Critical/High incidents
- Use the postmortem template
- Lessons learned shared with the broader team
Contacts
| Role | Contact method |
|---|---|
| Security on-call | See Contacts |
| Incident reporting | ServiceNow → Security Incident |
| Legal / DPO (data breach) | See Contacts |
Danger
Data breach notification: Under LGPD, a confirmed data breach involving personal data must be reported to the DPO immediately.
The DPO will determine whether notification to ANPD and affected individuals is required within 72 hours.