Incident Response Plan

When something goes wrong, you need a plan that actually works. This covers detection through recovery and the lessons learned afterward. Best for: IT, Security, Operations.


Process steps

1. Verify preparation and team roles

Task, 1 day from previous step
Before anything breaks, make sure you know who does what. Every team member should know their role without looking it up. Check that contact lists are current. Nothing worse than calling a number that's been disconnected when you're in the middle of an incident.

2. Detect and analyze the incident

Task, 1 day from previous step
Something's wrong. Figure out what. Is it a real incident or a false alarm? What systems are affected? How bad is it? Don't jump to conclusions. Gather facts first. The worst mistakes happen when people react before they understand.

3. Contain the incident

Task, 1 day from previous step
Stop the bleeding. Isolate affected systems. Prevent the problem from spreading. Contain first, investigate later. Every minute the incident spreads is more damage to clean up. Sometimes you have to cut off an arm to save the body.

4. Eradicate the threat

Task, 1 day from previous step
Find the root cause and eliminate it. Remove malware. Patch vulnerabilities. Close the door that was left open. Be thorough. If you miss something, you'll be back here again next week. And the second time always looks worse.

5. Recover systems and services

Task, 1 day from previous step
Bring systems back online carefully. Don't rush. Verify everything works before you declare victory. Restore from clean backups. Monitor closely for recurrence. The last thing you want is to restore an infected system back into production.

6. Conduct post-incident review

Task, 1 day from previous step
What happened? What did we do well? What could we do better? No blame - just learning. Do this while memories are fresh. Wait a month and everyone will remember it differently. Schedule the meeting within a week of closing the incident.

7. Complete documentation

Task, 1 day from previous step
Write it all down. Timeline, actions taken, lessons learned, recommendations. This becomes your evidence if questions come later. Be honest. If you made mistakes, document them. Covering things up only works until it doesn't - and then it's much worse.
