Incident Response Checklist

This is a quick checklist for any incident (security, privacy, outage, degraded service, etc.) to ensure the team can focus on time-critical mitigation/remediation while still communicating appropriately.

This is a checklist/overview document!
For detailed information, see the Security Incident Response Guide.

Checklist

Initiate

  • Roles assigned
    • Situation Lead (SL): Responsible for ensuring all following steps are completed
    • Technical Lead (TL): Leads technical investigation and mitigation
    • Comms Lead (CL): Coordinates communication outside of #login-situation, within GSA, and, if needed, with partners and the public
    • Scribe (S): Relays information discussed in the war room (hangout) to #login-situation and aids the Situation Lead in recording the incident
  • Incident declared in #login-situation
  • Situation Lead and team assemble in the War Room (link posted at the top of the #login-situation channel)
  • Slack or OpsGenie used to alert additional responders (See Emergency Contacts if needed)
  • Issue created as official record for incident: Incident Template
  • Incident Review document started: Incident Review Google Doc
  • GSA IR Email Template used to create and send notice to GSA Incident Response (gsa-ir@gsa.gov) AND the IT Service Desk (itservicedesk@gsa.gov), or the GSA IT Helpline called, within 1 hour of the start of the incident (Alternate contact methods)

Assess

  • Incident confirmed
    • System security potentially compromised
    • System unavailable or functionality degraded
    • System under significant active attack from outside or inside threat
    • System integrity in question
  • Severity assigned (can be changed later as new information is collected)
    • High: Confirmed PII breach, confirmed security penetration, complete outage
    • Medium: Suspected PII breach, suspected security penetration, partial outage
    • Low: Suspected attack, outage of non-prod persistent system (int)
  • If user- or partner-impacting, StatusPage updated
  • If secure shared notepad is needed, Google Doc opened and shared https://drive.google.com/drive/folders/1TWTMp_w55niNuqC7vTPDEe5vkxaiP4P0 (Contents should be copied to official issue)

Remediate

  • For security incidents, consult official policy before destroying ANY evidence! Contain: detach a compromised instance, do not destroy it!

Loop through per-role items until remediation is complete.

By Role

  • Situation Lead
    • Wellbeing of group monitored, including self (Tired and stressed humans make poor decisions)
    • Rotations of all roles planned and performed to prevent any responder spending more than 3 hours in a role
  • Technical Lead
    • Lead technical response until the issue is remediated
    • OR the role is handed off
  • Comms Lead
    • Regular updates to interested parties provided
    • StatusPage updated as status changes
  • Scribe
    • Ensure a full record is being maintained

Upon remediation:

  • End of incident signaled in #login-situation once remediated

Retrospect

  • Postmortem doc started from copy of Postmortem Template
  • Postmortem meeting scheduled with entire incident response team

Resources