Triage in the first 30 minutes
Classify severity immediately: operational disruption, legal exposure, personal safety risk, or reputational harm.
Lock the evidence snapshot (URLs, timestamps, screen captures, and reviewer notes) to prevent data drift during investigation.
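One way to "lock" the evidence snapshot so later drift is detectable, as an added example that is not part of the original runbook: hash each captured artifact into a manifest that also records the capture time and reviewer note, seal the manifest itself, and re-verify against it. The sample URLs, page contents and reviewer name are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: two pages captured by the reviewer during triage.
SAMPLE_ITEMS = [
    {"url": "https://example.test/post/1", "content": b"<html>original post</html>",
     "note": "Post as first reported"},
    {"url": "https://example.test/profile/7", "content": b"<html>profile page</html>",
     "note": "Account that published the post"},
]


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_hash(manifest: dict) -> str:
    # Hash every field except the seal itself, using a canonical JSON encoding
    # so the same recorded facts always yield the same digest.
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return _digest(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def seal_evidence(items, reviewer, captured_at=None):
    """Build a sealed manifest: per-URL content hash, capture time, reviewer notes."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    manifest = {
        "captured_at": captured_at,
        "reviewer": reviewer,
        "items": [{"url": i["url"], "sha256": _digest(i["content"]),
                   "note": i.get("note", "")} for i in items],
    }
    manifest["manifest_sha256"] = _manifest_hash(manifest)
    return manifest


def verify_evidence(manifest, items):
    """Return (manifest_intact, drifted_urls): whether the manifest was altered
    after sealing, and which captured items no longer match their sealed hash
    (a missing item counts as drifted)."""
    intact = manifest.get("manifest_sha256") == _manifest_hash(manifest)
    current = {i["url"]: _digest(i["content"]) for i in items}
    drifted = [e["url"] for e in manifest["items"]
               if current.get(e["url"]) != e["sha256"]]
    return intact, drifted
```

Store the sealed manifest somewhere the investigation team cannot edit in place (ticket attachment, write-once bucket) so a later verify call answers both questions the retrospective will ask: did the evidence change, and did anyone alter the record of it.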
Escalation and stakeholder alignment
Notify designated owners in security, legal, HR, and communications based on severity level. Use one incident channel to keep facts synchronized.
Assign a single incident lead responsible for updates, action owners, and decision deadlines.
Containment and post-incident review
Execute containment actions first: access restrictions, process holds, or enhanced review requirements for related cases.
Within five business days, run a retrospective that documents root cause, missed detection opportunities, and policy changes.
