{
  "$defs": {
    "AffectedScope": {
      "description": "Affected-asset / data narrative.",
      "properties": {
        "approximate_record_count": {
          "description": "Approximate record count.",
          "format": "int32",
          "type": "integer"
        },
        "approximate_subject_count": {
          "description": "Approximate subject count.",
          "format": "int32",
          "type": "integer"
        },
        "data_categories": {
          "description": "Categories of personal data affected.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "subject_categories": {
          "description": "Categories of data subjects affected.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "systems": {
          "description": "PathRefs to affected systems / services / databases.",
          "items": {
            "$ref": "#/$defs/PathRef"
          },
          "type": "array"
        }
      },
      "required": [
        "approximate_subject_count",
        "approximate_record_count"
      ],
      "type": "object"
    },
    "Confidentiality": {
      "description": "Cross-cutting confidentiality classification used across the privacy,\nsecurity, knowledge and IR pillars. Default rendering rule: `corpospec-report`\nexcludes `restricted | board_only | investor_only` records from public output\nunless an explicit audience parameter overrides it. See BDR 0076 §1.",
      "oneOf": [
        {
          "const": "public",
          "description": "Safe to publish anywhere.",
          "type": "string"
        },
        {
          "const": "customer",
          "description": "Visible to customers under standard ToS.",
          "type": "string"
        },
        {
          "const": "internal",
          "description": "Employees and contractors only.",
          "type": "string"
        },
        {
          "const": "restricted",
          "description": "Need-to-know subset of internal.",
          "type": "string"
        },
        {
          "const": "board_only",
          "description": "Board members and direct staff.",
          "type": "string"
        },
        {
          "const": "investor_only",
          "description": "Existing investors + prospective with NDA.",
          "type": "string"
        }
      ]
    },
    "IncidentKind": {
      "description": "Incident kind.",
      "oneOf": [
        {
          "enum": [
            "other"
          ],
          "type": "string"
        },
        {
          "const": "data_breach",
          "description": "Confidentiality — unauthorised disclosure.",
          "type": "string"
        },
        {
          "const": "data_alteration",
          "description": "Integrity — unauthorised alteration.",
          "type": "string"
        },
        {
          "const": "availability",
          "description": "Availability — service disruption / DoS.",
          "type": "string"
        },
        {
          "const": "asset_loss",
          "description": "Loss of physical / digital asset.",
          "type": "string"
        },
        {
          "const": "account_compromise",
          "description": "Account / credential compromise.",
          "type": "string"
        },
        {
          "const": "phishing",
          "description": "Successful phishing / social-engineering attack.",
          "type": "string"
        },
        {
          "const": "malware",
          "description": "Malware / ransomware.",
          "type": "string"
        },
        {
          "const": "insider",
          "description": "Insider threat.",
          "type": "string"
        },
        {
          "const": "supply_chain",
          "description": "Supply-chain / vendor compromise.",
          "type": "string"
        },
        {
          "const": "misconfiguration",
          "description": "Misconfiguration.",
          "type": "string"
        },
        {
          "const": "exploitation",
          "description": "Vulnerability exploitation.",
          "type": "string"
        }
      ]
    },
    "IncidentSeverity": {
      "description": "Incident severity.",
      "oneOf": [
        {
          "const": "informational",
          "description": "Negligible — no personal data exposed, no system impact.",
          "type": "string"
        },
        {
          "const": "low",
          "description": "Low — minor leakage, no high-risk data.",
          "type": "string"
        },
        {
          "const": "medium",
          "description": "Medium — leakage with low-risk consequences.",
          "type": "string"
        },
        {
          "const": "high",
          "description": "High — leakage likely to cause harm.",
          "type": "string"
        },
        {
          "const": "critical",
          "description": "Critical — large-scale leakage, special-category data, or\navailability-critical outage.",
          "type": "string"
        }
      ]
    },
    "IncidentStatus": {
      "description": "Incident lifecycle status.",
      "enum": [
        "detected",
        "triaging",
        "confirmed",
        "contained",
        "eradicated",
        "recovering",
        "closed",
        "post_mortem"
      ],
      "type": "string"
    },
    "IncidentTimelineEvent": {
      "description": "One timeline event.",
      "properties": {
        "actor": {
          "$ref": "#/$defs/PathRef"
        },
        "artefact_ref": {
          "anyOf": [
            {
              "$ref": "#/$defs/PathRef"
            },
            {
              "type": "null"
            }
          ],
          "description": "PathRef to artefact (log excerpt, screenshot, ticket)."
        },
        "at": {
          "$ref": "#/$defs/IsoDate"
        },
        "event": {
          "type": "string"
        }
      },
      "required": [
        "at",
        "actor",
        "event"
      ],
      "type": "object"
    },
    "IsoDate": {
      "description": "ISO 8601 date (YYYY-MM-DD).",
      "format": "date",
      "type": "string"
    },
    "PathRef": {
      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`",
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/security-incident.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "Security incident.",
  "properties": {
    "affected": {
      "$ref": "#/$defs/AffectedScope"
    },
    "art33_filing_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "Reference to the Art. 33 filing."
    },
    "art33_notified_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ],
      "description": "Art. 33 supervisory authority notification date (null if not\nnotified yet / not applicable)."
    },
    "art34_notified_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ],
      "description": "Art. 34 data-subject notification date."
    },
    "art34_skip_reason": {
      "description": "Reason Art. 34 was not invoked (when applicable).",
      "type": [
        "string",
        "null"
      ]
    },
    "confidentiality": {
      "$ref": "#/$defs/Confidentiality"
    },
    "contained_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ],
      "description": "When the incident was contained."
    },
    "created_at": {
      "$ref": "#/$defs/IsoDate"
    },
    "detected_at": {
      "$ref": "#/$defs/IsoDate",
      "description": "When the incident was detected by us."
    },
    "entity": {
      "$ref": "#/$defs/PathRef"
    },
    "follow_up_refs": {
      "description": "PathRefs to follow-up issues / BDRs / runbooks.",
      "items": {
        "$ref": "#/$defs/PathRef"
      },
      "type": "array"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "is_personal_data_breach": {
      "description": "Whether this incident is a personal-data breach (triggers Art. 33/34).",
      "type": "boolean"
    },
    "kind": {
      "$ref": "#/$defs/IncidentKind"
    },
    "last_updated": {
      "$ref": "#/$defs/IsoDate"
    },
    "lessons_learned": {
      "description": "Lessons-learned narrative.",
      "type": [
        "string",
        "null"
      ]
    },
    "nis2_early_warning_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ],
      "description": "NIS2 24h early-warning date."
    },
    "nis2_final_report_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ],
      "description": "NIS2 1-month final-report date."
    },
    "nis2_notification_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ],
      "description": "NIS2 72h incident-notification date."
    },
    "occurred_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ],
      "description": "When the underlying event actually started."
    },
    "postmortem_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "PathRef to the post-mortem document."
    },
    "root_cause": {
      "description": "Root-cause analysis narrative.",
      "type": [
        "string",
        "null"
      ]
    },
    "severity": {
      "$ref": "#/$defs/IncidentSeverity"
    },
    "status": {
      "$ref": "#/$defs/IncidentStatus"
    },
    "summary": {
      "description": "Narrative summary.",
      "type": "string"
    },
    "timeline": {
      "items": {
        "$ref": "#/$defs/IncidentTimelineEvent"
      },
      "type": "array"
    },
    "title": {
      "description": "Title (one-line summary).",
      "type": "string"
    }
  },
  "required": [
    "id",
    "entity",
    "kind",
    "severity",
    "status",
    "title",
    "summary",
    "detected_at",
    "affected",
    "timeline",
    "is_personal_data_breach",
    "confidentiality",
    "created_at",
    "last_updated"
  ],
  "title": "SecurityIncident",
  "type": "object",
  "x-corpospec-pillar": "legal"
}