Incident Response Plan
Owner: Bishal Shrestha (Principal, DSP point-of-contact)
Last reviewed: 2026-04-17
Review cadence: Every 6 months, or after any incident
1. Purpose and scope
This plan covers OneBookPlus's response to security and data-integrity incidents affecting systems that process ATO-related data (IITR lodgement, STP Phase 2 pay events, client PII, TFNs, machine credentials).
Scope covers the production web application, the Supabase database, SBR machine-credential storage, and any third-party system holding OneBookPlus customer data (hosting, email sender, analytics).
2. Roles
| Role | Holder | Contact |
|---|---|---|
| Incident Commander | Bishal Shrestha | bishal@onebookplus.com.au |
| Deputy | To be assigned on first hire | — |
| ATO DPO liaison | Bishal Shrestha | Ticket via Online Services for DSPs |
| OAIC liaison | Bishal Shrestha | Notifiable Data Breach form |
When a second team member joins, a Deputy is assigned immediately so coverage does not depend on a single person.
3. Detection sources
- Supabase logs — database errors, authentication anomalies, connection spikes
- Application logs — server action errors, rate-limit hits, repeated authentication failures
- Hosting logs — traffic anomalies, 5xx spikes, unexpected geographic origin
- ATO SBR responses — unexpected fault codes, rejected lodgements, authentication failures
- User reports — support email at bishal@onebookplus.com.au
- Responsible disclosure — security@onebookplus.com.au
4. Severity classification
| Severity | Examples | Target containment |
|---|---|---|
| SEV-1 | TFN or PII leak, machine credential compromised, unauthorised ATO lodgement, unauthorised full database access | Within 1 hour |
| SEV-2 | Tenant-level account takeover, partial RLS bypass, staging data exposure | Within 4 hours |
| SEV-3 | Suspicious login attempt contained by MFA, minor data-quality issue, single-user outage | Within 24 hours |
| SEV-4 | Near-miss, policy violation without data impact, bot traffic | Within 5 business days |
5. Response workflow
- Detect — alert fires or report received.
- Triage (15 minutes) — confirm scope, assign severity, open an incident log (timestamped markdown file stored with evidence).
- Contain — revoke credentials, rotate secrets, restrict access, take the affected service offline if required.
- Eradicate — patch the vulnerability, remove attacker artefacts, verify no persistence.
- Recover — restore service from a known-good state and monitor for recurrence.
- Notify — per section 6.
- Post-incident review — within 5 business days; document root cause and improvement actions; update this plan where needed.
6. Notification obligations
| Audience | Trigger | Timeframe | Method |
|---|---|---|---|
| Affected users | Any SEV-1 or SEV-2 affecting their data | As soon as practical, within 24 hours | Email plus in-app banner |
| ATO Digital Partnership Office | Any incident affecting SBR credentials, lodgement integrity, or ATO-provided data | Same business day | Ticket via Online Services for DSPs |
| OAIC | Eligible data breach per Privacy Act 1988 (Part IIIC) — unauthorised access, disclosure or loss likely to result in serious harm | Internal target 72 hours from detection. Statutory requirement: assess a suspected breach within 30 days and notify as soon as practicable once reasonable grounds exist | oaic.gov.au notifiable-data-breaches form |
| Tax Practitioners Board | Incident affecting a registered tax agent's ability to meet obligations | Within 5 business days | TPB portal |
| Customer insurers or professional-liability carriers | Any SEV-1 | Within 24 hours | Via affected agent's own insurer process |
7. Containment playbooks
- Leaked machine credential — revoke the credential in Relationship Authorisation Manager (RAM), create a replacement, update the keystore path, force a re-deploy. Reconcile ATO lodgement history against the application's own records for the exposure window to detect unauthorised lodgements. Notify the ATO DPO the same day.
- Supabase service-role key leak — rotate the key in the Supabase dashboard, update the environment variables in hosting, force a re-deploy, confirm the key is referenced only from server-side configuration (never from client-exposed variables), and audit logs for unauthorised queries during the exposure window.
- RLS bypass — identify the policy gap, add the missing tenant-scoped policy (plus a restrictive policy as a guard against future widening), confirm RLS is enabled on the table, verify the fix as a non-privileged role, audit database activity for abuse during the exposure window, and notify affected tenants.
- Phishing targeting OneBookPlus users — publish an advisory banner, email affected users, report to the Australian Cyber Security Centre.
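The RLS-bypass playbook above in working form, as an added example that is not OneBookPlus code. It assumes a hypothetical Postgres/Supabase table `clients(id, tenant_id, ...)` and a membership table `tenant_members(tenant_id, user_id)`; the over-broad `USING (true)` policy is shown as the kind of gap being closed, not as a policy the plan says exists. The coverage queries at the end are what an auditor would run across the whole `public` schema, not just the one table.

```sql
-- Added example (not OneBookPlus code). Assumed schema:
--   clients(id, tenant_id, ...)  tenant_members(tenant_id, user_id)

-- 1. The gap being closed: a permissive SELECT policy that lets any
--    authenticated user read every tenant's rows (kept only as a comment).
--    CREATE POLICY clients_read ON clients FOR SELECT TO authenticated USING (true);

-- 2. Replace it with a tenant-scoped policy.
DROP POLICY IF EXISTS clients_read ON clients;
CREATE POLICY clients_read ON clients
  FOR SELECT TO authenticated
  USING (
    tenant_id IN (SELECT tenant_id FROM tenant_members WHERE user_id = auth.uid())
  );

-- 3. Add a RESTRICTIVE guard. Restrictive policies are ANDed with every
--    permissive policy, so a future "USING (true)" can no longer widen access.
--    With no WITH CHECK clause, the USING expression also governs writes.
CREATE POLICY clients_tenant_guard ON clients
  AS RESTRICTIVE FOR ALL TO authenticated
  USING (
    tenant_id IN (SELECT tenant_id FROM tenant_members WHERE user_id = auth.uid())
  );

-- 4. Make sure RLS is actually enforced (FORCE also applies it to the table
--    owner; roles with BYPASSRLS such as Supabase's service_role still bypass).
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- 5a. Audit: ordinary tables in public with RLS switched off.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;

-- 5b. Audit: RLS on but zero policies (denies everything to non-owners:
--     a silent outage rather than a leak, but worth knowing about).
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE n.nspname = 'public' AND c.relkind = 'r' AND c.relrowsecurity
GROUP BY c.relname
HAVING count(p.oid) = 0;

-- 5c. Audit: policies whose USING clause is literally true (same class of gap).
SELECT schemaname, tablename, policyname, cmd, qual
FROM pg_policies
WHERE schemaname = 'public' AND qual = 'true';

-- 6. Verify as a non-privileged user by simulating the JWT claims Supabase
--    sets per request (the sub value below is a placeholder user id).
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
SELECT count(*) FROM clients;   -- must equal rows in that user's tenants only
ROLLBACK;
```

Run step 6 once with a user who belongs to no tenant (expect 0 rows) and once with a member of a single tenant (expect only that tenant's rows); keep both result sets in the incident folder as evidence that the gap is closed.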
8. Evidence preservation
- Do not delete logs during an incident.
- Export Supabase and hosting logs covering the incident window into the incident folder.
- Screenshot attacker artefacts before remediation.
- If law-enforcement involvement is possible, preserve disk images of affected systems.
9. Testing
- Tabletop exercise — annually, minimum.
- Credential-rotation drill — every 6 months.
- After-action updates — this plan is updated after any SEV-1 or SEV-2 incident.
10. Revision history
| Date | Author | Change |
|---|---|---|
| 2026-04-17 | Bishal Shrestha | Initial version. Aligned with ATO DSP Operational Security Framework requirements. |