
Incident Response Policy

How Map.ca classifies, responds to, and communicates about security and operational incidents.

Incidents happen. The Incident Response Policy defines what counts as an incident, the severity classification (Sev-1 through Sev-4), the response SLAs by severity, the assembly of an incident response team, the communications discipline (internal first, regulators next, users on the timelines required by law and the timelines Map.ca commits to itself), and the post-incident review that becomes the input to subsequent policy revisions. The Privacy Breach Policy governs the breach-specific path; this policy governs the general incident path.

It applies to Map.ca security, engineering, operations, communications, leadership, and any vendor whose systems are involved in an incident. The policy is reviewed on a three-month cycle, which is deliberately short.

Requirements

  • Classify incident severity within the documented SLA.
  • Assemble an incident response team within the documented SLA.
  • Notify affected users within the timelines required by law and by Map.ca’s own commitments.
  • Conduct and publish a post-incident review.

Prohibitions

  • Do not close an incident silently.
  • Do not delay user notification beyond regulatory or self-imposed timelines.
  • Do not triage without documentation.
  • Do not omit affected users from notification to avoid embarrassment.
