Response flow

  1. Detect and report internally.
  2. Contain the exposure or access.
  3. Preserve logs and evidence.
  4. Identify affected systems and data categories.
  5. Assess affected individuals and likely consequences.
  6. Escalate to leadership and counsel where required.
  7. Prepare communication and notification material.
  8. Fix the root cause.
  9. Document the timeline and decisions.

Train for ordinary failures

Many incidents are mundane: a spreadsheet sent to the wrong person, an exposed drive folder, a contractor with excess access, an old admin account, a leaked database backup, or a marketing upload that was not reviewed.

The process should make those incidents easy to report quickly.