Incident response

A tall wooden filing cabinet secured with a heavy padlock. The padlock is open. The key is in it. The top drawer is labelled MEMBER RECORDS — CONFIDENTIAL and has been left slightly ajar. A phoenix is roosting on top of the cabinet, glowing faintly. Nobody has noticed.

An organisation without a security team or a SIEM still has security incidents. The incidents do not wait for the infrastructure to be ready. A compromised account, a data breach that starts with a phishing email, ransomware delivered by a malicious attachment, an employee who accidentally shares a donor spreadsheet publicly: these happen whether or not a formal incident response programme exists.

The goal at this stage is not a mature incident response capability with runbooks and a war room and a retained forensics firm. The goal is to have answers to three questions before an incident happens rather than during it:

Who do we call, what do we do immediately, and what do we need to report to whom?