Security incidents are responded to and contained
When a security incident is confirmed, the speed and quality of the response determine the ultimate impact. A team that discovers a breach but has no response plan will improvise under pressure, make mistakes, and take longer to contain the damage. This criterion requires a documented and tested incident response plan that covers detection, containment, eradication, communication, and post-incident review.
Implementation steps
1. Write an incident response plan
Document your incident response procedure, covering: detection and initial assessment; the escalation path and who takes the incident lead role; containment steps for common incident types; communication protocols (internal and customer-facing); evidence preservation; and post-incident review. The plan should be specific enough to follow under stress, not just a list of principles: name roles and contact channels rather than "the security team".
Suggested tools: Confluence, Notion, Google Docs
2. Define containment and eradication steps for common incident types
Write runbooks for the incident scenarios most relevant to your environment: compromised user credential, compromised admin account, data exposure via a misconfigured S3 bucket or database, ransomware on an endpoint, malicious insider. Each runbook should specify how to contain (isolate the host, revoke the credential, block the source) and how to eradicate (identify the root cause, remove the attacker's access, patch the weakness). Order the steps so that evidence is preserved before state is changed: export logs and snapshot a host before rebuilding it, and deactivate credentials rather than deleting them so their identifiers can still be matched against audit logs.
Suggested tools: Confluence, Notion, PagerDuty
3. Conduct tabletop exercises and post-incident reviews
Test the plan at least annually with a tabletop exercise: walk through a simulated scenario, identify gaps in the plan, and update the procedures. After any real incident, conduct a post-incident review: what happened, what worked, what failed, and what changes are needed. Document the findings and assign owners and due dates to the action items so they can be tracked to closure.
Suggested tools: Confluence, Notion, Jira
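As an added example of what a runbook for the "compromised user credential" scenario can look like when written as a script rather than a prose checklist (this is not code from the original page or from any compliance tool): a containment runbook for a compromised AWS IAM user. It assumes the AWS CLI with IAM admin credentials, takes the IAM user name as its first argument, and only prints the commands it would run unless EXECUTE=1 is set, so the same script can be rehearsed in a tabletop. The policy name IncidentDenyAll, the EXECUTE variable, the script name and the two placeholder access key IDs used in dry-run mode are all assumptions made for the example.

```shell
#!/bin/sh
# Containment runbook for a compromised AWS IAM user (added example; not part of
# the original page). Assumes: AWS CLI with IAM admin credentials, the IAM user
# name as the first argument, and EXECUTE=1 to actually run the commands.
# Without EXECUTE=1 it only prints what it would do, which is also how you
# rehearse it in a tabletop.
set -eu

EXECUTE="${EXECUTE:-0}"

# run: execute the command when EXECUTE=1, otherwise print it.
run() {
  if [ "$EXECUTE" = 1 ]; then
    "$@"
  else
    printf '+ %s\n' "$*"
  fi
}

# list_access_keys: the user's access key IDs, whitespace-separated.
# In dry-run mode two constructed placeholder IDs stand in for the API result.
list_access_keys() {
  if [ "$EXECUTE" = 1 ]; then
    aws iam list-access-keys --user-name "$1" \
      --query 'AccessKeyMetadata[].AccessKeyId' --output text
  else
    echo "AKIAEXAMPLE00000001 AKIAEXAMPLE00000002"  # constructed sample
  fi
}

# deny_all_policy: inline policy that denies every action. An explicit Deny
# wins over any Allow, and IAM evaluates it on the next request, so it cuts off
# live sessions and long-lived keys at once.
deny_all_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*"}]}'
}

# contain_iam_user: containment steps in order: preserve evidence, block,
# revoke, remove console access. Eradication (root cause, rotation, patching)
# is a separate runbook step.
contain_iam_user() {
  user="$1"
  echo "== containment for IAM user: $user =="

  # 1. Evidence first: record the user and when each key was last used,
  #    before anything changes.
  run aws iam get-user --user-name "$user"
  for key in $(list_access_keys "$user"); do
    run aws iam get-access-key-last-used --access-key-id "$key"
  done

  # 2. Block: attach the deny-all inline policy (hypothetical policy name).
  run aws iam put-user-policy --user-name "$user" \
    --policy-name IncidentDenyAll --policy-document "$(deny_all_policy)"

  # 3. Revoke: deactivate (do not delete) the keys so their IDs still match
  #    CloudTrail entries during the investigation.
  for key in $(list_access_keys "$user"); do
    run aws iam update-access-key --user-name "$user" \
      --access-key-id "$key" --status Inactive
  done

  # 4. Isolate the console: remove the password. The call fails if the user
  #    never had one, which is not an error for our purposes.
  run aws iam delete-login-profile --user-name "$user" || echo "no console password to remove for $user"
}

# Usage: EXECUTE=1 ./contain-iam-user.sh alice    (omit EXECUTE for a dry run)
if [ "${1:-}" ]; then
  contain_iam_user "$1"
fi
```

Two design choices worth copying into other runbooks: evidence collection runs before any state change, and credentials are deactivated rather than deleted so the investigation can still tie key IDs to log entries. A root-cause step (how the credential leaked, whether other accounts used the same secret, rotation of anything it could reach) belongs in the eradication half of the runbook, not here.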
Evidence required
Incident response plan
A documented procedure for responding to security incidents.
- Incident response policy or runbook
- Incident response plan with escalation matrix
- Security incident runbooks for common scenario types
Incident response exercise or real incident records
Evidence that the incident response plan has been tested or used.
- Tabletop exercise notes and findings
- Post-incident review document
- Incident ticket showing detection, response, and closure
Related controls
- Detected security incidents are evaluated and classified (System Operations)
- Incidents are recovered from and resumption of operations is documented (System Operations)
- Vulnerability management identifies and remediates security flaws (System Operations)
- Anomalies and security events are detected and monitored (System Operations)