Shedthemusic, LLC — Incident Response Plan (IRP)

Version: 1.0

Date: 2025-10-23

Owners:

• Bob Habersat — Chief Technology Officer (CTO) (primary)

• Kris Habersat — Member Management Lead (deputy)

Scope

• Covers all Shedthemusic systems, data, devices, and services, including third‑party SaaS (Squarespace, MemberSpace) and AU/NZ reseller processes (MusicEdNet).

• Applies to security, privacy, and online safety incidents, plus business-impacting operational incidents (e.g., loss of access to accounts, device loss).

• Student PII: Shedthemusic does not collect or process student PII. Schools are provided a shared, school‑scoped generic username; students are not individually identified.

Objectives

• Detect, contain, eradicate, and recover from incidents quickly.

• Meet business objectives (RTO ≤ 1 business day for public web access; RPO ≤ 24 hours for content/data under Shedthemusic control).

• Record all incidents in the incident register and complete post‑incident reviews.

Incident Reporting & 24x7 Escalation

• Report immediately to security@shedthemusic.net (monitored) or by phone/text escalation to the CTO.

• Internal alert sources: Squarespace & MemberSpace status pages, authentication error spikes, admin notifications, user reports, reseller (MusicEdNet) notifications.

Roles & Responsibilities

• CTO (Bob): IRT lead, triage, external vendor liaison, containment/eradication strategy, communications approval, regulator/customer liaison (as applicable), final report.

• Member Management (Kris): Triage support, user communications, credential resets, vendor support tickets, register upkeep, logistics (replacement devices).

• AU/NZ reseller (MusicEdNet): Customer comms amplification in region; coordinates school messaging when requested by Shedthemusic.

• All staff: Report suspected incidents immediately; preserve evidence; follow instructions.

Incident Categories (examples)

A. SaaS/Hosting outage or degradation (Squarespace/MemberSpace)

B. Credential compromise or suspicious admin activity

C. Website content defacement or unauthorized changes

D. Malware/phishing targeting staff accounts or devices

E. Loss/theft of a device (e.g., laptop left on train)

F. Inadvertent disclosure/misrouting of information (email to wrong recipient)

G. Payment flow disruption/refund abuse (AU/NZ handled by MusicEdNet; global by Stripe if used)

H. Privacy complaint or online safety concern

Severity Levels

• SEV-1 Critical: Service down, material data exposure, regulatory impact. Target: immediate response; executive notification.

• SEV-2 High: Major feature degraded or elevated risk; no confirmed exposure. Target: 2-hour response.

• SEV-3 Medium: Limited impact or contained; no exposure. Target: same business day.

• SEV-4 Low: Observations/vulnerabilities with no immediate impact. Target: within 2 business days.

Standard IR Process (all incidents)

1) IDENTIFY

• Gather facts, time stamps, indicators of compromise (IoCs).

• Check vendor status pages and dashboards; collect screenshots and logs.

2) CONTAIN

• Disable/rotate compromised credentials, revoke sessions, enforce MFA, lock pages if needed.

3) ERADICATE

• Remove malicious artifacts; patch affected components; rotate API keys and webhooks.

• With vendors: request scope-of-impact, log extracts, and forensic support.

4) RECOVER

• Restore from latest good content backups (offline snapshots where applicable).

• Validate integrity (hash/spot checks), verify access controls, smoke test.

5) COMMUNICATE

• Internal updates every 2 hours (SEV‑1) or every business day (SEV‑2/3) until closure.

• External: status update on site/news banner or email to impacted customers; AU/NZ via MusicEdNet.

• Notifications: If personal info exposure is suspected, notify affected customers promptly; coordinate with vendors.

6) RECORD & REVIEW

• Log the incident in the register within 24 hours of detection.

• Run a blameless post‑incident review within 5 business days; track corrective actions to closure.

Incident Register (required fields)

• Unique ID

• Date/time occurred; date/time discovered

• Reporter/contact

• Category & severity

• Description of incident (facts only)

• Systems/accounts affected (Squarespace, MemberSpace, email, device, etc.)

• Data types implicated (note: no student PII processed; describe content types)

• Actions taken (containment, eradication, recovery)

• Notifications made (customers/reseller/vendor/regulator) with times

• Root cause (when known) and contributing factors

• Corrective & preventive actions (owner & due date)

• Closure date and approver

Runbooks (condensed)

A) Squarespace/MemberSpace Outage (SEV‑2/SEV‑1 if prolonged)

• Identify: Confirm vendor status pages; open vendor ticket.

• Contain: Post temporary notice (status banner or social) with ETA/workarounds.

• Recover: Once the vendor service is restored, verify login/paywall and course pages; clear caches.

• Record & Review.

B) Admin Credential Compromise

• Identify: Alert from login anomalies/unexpected changes.

• Contain: Force password reset, revoke sessions, rotate third‑party API keys; enable/verify MFA.

• Eradicate: Review audit logs; remove unauthorized content/users.

• Recover: Validate site, member access, and billing settings.

• Notify impacted customers if there is a risk of misuse; Record & Review.

C) Website Defacement / Unauthorized Change

• Contain: Revert page/content to the last good state; revoke the access used to make the change.

• Eradicate: Rotate credentials/API keys; enable stricter RBAC; vendor ticket for log review.

• Recover: Integrity check and publish; announce restoration.

• Record & Review.

D) Phishing/Malware Targeting Staff

• Contain: Isolate device; change passwords; invalidate OAuth tokens.

• Eradicate: AV/EDR clean or reimage; patch.

• Recover: Re-enroll device; restore required data from backups.

• Record & Review.

F) Payment Issue (AU/NZ via MusicEdNet)

• Identify: Report from school; confirm reseller workflow.

• Contain/Recover: Coordinate refunds/adjustments through reseller; ensure access continuity.

• Record & Review.

G) Privacy/Online Safety Complaint

• Identify: Log complaint; acknowledge within 2 business days.

• Contain: Remove/limit access to offending content; preserve evidence.

• Investigate and respond per policy; notify complainant of outcome.

• Record & Review.

Evidence & Logging

• Preserve relevant emails, screenshots, timestamps, and vendor ticket numbers.

• Maintain synchronized time on all systems; store incident artifacts in a restricted, backed‑up folder.

Testing & Maintenance

• Tabletop exercise: at least annually (simulate SEV‑2 SaaS outage and device loss scenario).

• Review this IRP at least annually or after any SEV‑1/SEV‑2 incident.

• Track corrective actions to completion.

Contact Matrix

• Internal: CTO (primary), Member Management (deputy)

• Vendors: Squarespace Support, MemberSpace Support (ticket portal), vendor status pages (automatic updates)

• AU/NZ Reseller: MusicEdNet (regional school communications & billing coordination)

Notes

• No student PII is processed by Shedthemusic. Schools use shared, generic school logins; access codes rotate at least annually or on demand.

• Where vendor terms govern breach notifications, Shedthemusic coordinates to ensure timely customer communications and remediation.