Izymes Security Incident Response Playbook
Scope
This playbook applies to all security incidents affecting Izymes apps running on the Atlassian Connect platform:
- Workzone for Bitbucket Cloud (Connect)
- AI Insights for Jira Service Management
Both apps run on AWS and integrate with Atlassian’s cloud ecosystem.
1. Incident Definition
A security incident includes but is not limited to:
- Unauthorized access to data or systems
- Data breach (real or suspected)
- Compromise of app availability or integrity
- Privilege escalation or abuse
- Any issue materially degrading Atlassian’s platform or violating Marketplace Partner expectations
2. Detection & Initial Triage
Event Sources
- AWS CloudWatch alerts (security group changes, abnormal usage)
- Atlassian Marketplace partner reports
- Customer-reported issues
- Internal code monitoring / anomaly detection
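The first event source above, security group changes, is usually surfaced from CloudTrail records. The following triage helper is an added example, not Izymes code: it scans constructed CloudTrail-style records, flags security group API calls, and raises an ingress rule opened to the whole Internet to P1 so it can be escalated under step 1.4. The event names and the `requestParameters` layout follow CloudTrail's EC2 records; the ARNs and group ID are made up.

```python
"""Triage helper for the 'security group changes' alert source.

Sample records below are constructed for illustration, not real Izymes data."""
import json

SG_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" CIDRs for IPv4 and IPv6


def _open_ranges(params):
    """Yield (from_port, to_port) for ingress rules that allow the whole Internet."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        ranges = list((perm.get("ipRanges") or {}).get("items", []))
        ranges += list((perm.get("ipv6Ranges") or {}).get("items", []))
        if any(r.get("cidrIp", r.get("cidrIpv6")) in WORLD for r in ranges):
            yield perm.get("fromPort"), perm.get("toPort")


def triage(event):
    """Return (severity, summary) for one CloudTrail record, or None if not SG-related."""
    name = event.get("eventName")
    if name not in SG_EVENTS:
        return None
    user = event.get("userIdentity", {}).get("arn", "unknown")
    params = event.get("requestParameters") or {}
    group = params.get("groupId", "n/a")
    opened = list(_open_ranges(params)) if name == "AuthorizeSecurityGroupIngress" else []
    if opened:  # Internet-exposed ingress: treat as P1 and escalate immediately
        ports = ", ".join(f"{a}-{b}" for a, b in opened)
        return "P1", f"{user} opened {group} to the Internet on ports {ports}"
    return "P3", f"{user} ran {name} on {group}"  # still logged for the timeline


def triage_log(lines):
    """Run triage over newline-delimited JSON records; P1 findings sort first."""
    findings = (triage(json.loads(l)) for l in lines if l.strip())
    return sorted(f for f in findings if f)


SAMPLE_LOG = [  # constructed records; not from a real account
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
                "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}),
    json.dumps({"eventName": "RevokeSecurityGroupIngress",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"},
                "requestParameters": {"groupId": "sg-0abc"}}),
    json.dumps({"eventName": "DescribeInstances", "userIdentity": {"arn": "n/a"}}),
]

if __name__ == "__main__":
    for severity, summary in triage_log(SAMPLE_LOG):
        print(severity, summary)
```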
Immediate Steps
| Step | Action | Owner |
|---|---|---|
| 1.1 | Acknowledge and triage alert | Security Lead |
| 1.2 | Check logs in AWS CloudWatch | DevOps |
| 1.3 | Assess potential data exposure | App Engineer |
| 1.4 | Escalate severity if Atlassian systems or customer data are at risk | Incident Manager |
3. Notification & Communication
Contact Atlassian (if affected):
- Report via the Marketplace Partner Portal
- Severity: P1
- Deadline: within 24 hours of confirmation
Internal Notifications
- CTO
- Engineering Lead
- Legal/Compliance Advisor
- Customer Support Manager
Optional External Notifications
- Privacy Commissioner (if data privacy laws apply)
- Affected customers (within 72 hours if required)
4. Investigation
| Step | Action | Tool | Owner |
|---|---|---|---|
| 4.1 | Pull relevant CloudWatch logs for affected resources | CloudWatch | DevOps |
| 4.2 | Audit IAM roles, API access logs, deployment events | AWS Console, GuardDuty | Security Lead |
| 4.3 | Review source code and last deployment via Bitbucket | Bitbucket Pipelines | Lead Developer |
| 4.4 | Determine incident timeline and blast radius | Timeline Template | Incident Manager |
5. Containment & Eradication
- Disable affected access tokens / credentials
- Rotate secrets via AWS Secrets Manager
- Isolate vulnerable systems (e.g., restrict public access)
- Apply hotfixes and rollback if necessary
Optional: Temporarily delist the affected app from the Atlassian Marketplace if advised.
6. Recovery
- Restore services with validated clean state
- Validate that all affected systems are patched and secured
- Monitor logs for recurrence
- Re-enable any disabled features or access
7. Post-Incident Review
Conduct the review within 5 business days.
Key Outputs:
- Incident timeline
- Root cause
- Systems affected
- Data affected (if any)
- Remediation steps taken
- Communication sent
- Future prevention recommendations
Use a Confluence template for structured documentation and link Jira tickets for tasks/remediation.
Roles & Responsibilities
| Role | Name/Team | Responsibilities |
|---|---|---|
| Incident Manager | CTO / AppSec Lead | Owns response process |
| Security Lead | AppSec | Investigates root cause, containment |
| DevOps | CloudOps team | Logs, infrastructure, rollbacks |
| Developer Lead | Engineering | Code review, hotfixes |
| Customer Comms | Support Lead | Customer messaging |
| Legal / Privacy | Legal advisor | Compliance with regulations |