diff --git a/common-practices-tools/security/incident-response-checklist.md b/common-practices-tools/security/incident-response-checklist.md index 592a4d107f..1934a7acf9 100644 --- a/common-practices-tools/security/incident-response-checklist.md +++ b/common-practices-tools/security/incident-response-checklist.md @@ -37,9 +37,9 @@ B. Respond accordingly: More information on [incident response roles and responsibilities](incident-response-plan.md#roles-and-responsibilities): - - [Responder](incident-response-plan.md#responder) - - [Incident Commander (IC)](incident-response-plan.md#incident-commander) - - [Communications Officer (CO)](incident-response-plan.md#communications-officer) + - [Responder](incident-response-plan.md#responder) + - [Incident Commander (IC)](incident-response-plan.md#incident-commander) + - [Communications Officer (CO)](incident-response-plan.md#communications-officer) Use the [_Explicit Handoff Ceremony_](incident-response-plan.md#explicit-handoff-ceremony) when transferring/changing roles. diff --git a/common-practices-tools/security/incident-response-plan.md b/common-practices-tools/security/incident-response-plan.md index fbb53929ad..6151ef3478 100644 --- a/common-practices-tools/security/incident-response-plan.md +++ b/common-practices-tools/security/incident-response-plan.md 
@@ -161,18 +161,18 @@ B. Respond accordingly: An example message follows. The format is not important, but the information fields are useful. - **Description**: [Short description of the event and its impact] - **Status**: investigating - **Severity**: unknown - **Incident Reporter**: [name of the person who reported the issue] - **Incident Commander**: [your name] - **Responders**: [names of other _Responders_] - **Details**: [Extra details about the event] + **Description**: [Short description of the event and its impact] + **Status**: investigating + **Severity**: unknown + **Incident Reporter**: [name of the person who reported the issue] + **Incident Commander**: [your name] + **Responders**: [names of other _Responders_] + **Details**: [Extra details about the event] Observe the following guidelines for communications: - - During this stage of incident response, the event status is "investigating". - - An unconfirmed issue is called an _event_. A confirmed issue is called an _incident_. + - During this stage of incident response, the event status is "investigating". + - An unconfirmed issue is called an _event_. A confirmed issue is called an _incident_. 2. For an incident requiring more than 30 minutes to resolve: @@ -181,11 +181,11 @@ B. Respond accordingly: More information on [incident response roles and responsibilities](#roles-and-responsibilities): - - [Responder](#responder) - - [Incident Commander (IC)](#incident-commander) - - [Communications Officer (CO)](#communications-officer) + - [Responder](#responder) + - [Incident Commander (IC)](#incident-commander) + - [Communications Officer (CO)](#communications-officer) - Use the [Explicit Handoff Ceremony](#explicit-handoff-ceremony) when transferring/changing roles. + Use the [Explicit Handoff Ceremony](#explicit-handoff-ceremony) when transferring/changing roles. - False alarm 
@@ -226,11 +226,11 @@ _Reminder: Use the [Explicit Handoff Ceremony](#explicit-handoff-ceremony) when Here is an example _sitrep_: - **Subject**: \[sitrep\] Chickens are escaping - **Severity**: low - **Incident Commander**: Farmer Jane - **Responders**: Spot the Dog, Farmer Dave - **Description**: We've confirmed reports of escaped chickens. Looks like a fox may have tunneled into the run. Dave is working to fix the fence. Spot is tracking the fox. + **Subject**: \[sitrep\] Chickens are escaping + **Severity**: low + **Incident Commander**: Farmer Jane + **Responders**: Spot the Dog, Farmer Dave + **Description**: We've confirmed reports of escaped chickens. Looks like a fox may have tunneled into the run. Dave is working to fix the fence. Spot is tracking the fox. - For an issue with potential Project impact, ensure that a ticket/issue has been created. This should be done, even if the _First Responder/IC_ manages the incident fully, for example, by simply re-starting a service.
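Review bot: in incident-response-checklist.md (hunk @@ -37,9), the three role links duplicate the list that incident-response-plan.md carries in hunk @@ -181,11, so every later indentation or anchor change has to be made in two places. The sentence above the list already links to `incident-response-plan.md#roles-and-responsibilities`; consider keeping only that link in the checklist. If both copies stay, say in the commit message that they were re-indented to the same depth, because the removed and added lines differ only in leading whitespace.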
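Review bot: in incident-response-plan.md (hunk @@ -161,18), the seven example-message fields from `**Description**:` to `**Details**:` are consecutive plain lines, so their rendering depends entirely on the whitespace this hunk changes. Without a hard break at the end of each line a Markdown renderer joins them into one paragraph, and if they sit four or more spaces past the list item's content they become a literal code block with the asterisks showing. Please check the rendered page after the re-indent; turning each field into its own list item would make the template independent of indentation depth.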
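Review bot: in incident-response-plan.md (hunk @@ -181,11), the re-indented line `Use the [Explicit Handoff Ceremony](#explicit-handoff-ceremony)` has no emphasis on the link text, while the matching line in incident-response-checklist.md reads `[_Explicit Handoff Ceremony_]`. Since this line is being touched anyway, pick one form and use it in both files so the term reads the same wherever responders meet it.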
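Review bot: in incident-response-plan.md (hunk @@ -226,11), the trailing context line names a `_First Responder/IC_`, but the roles linked in hunk @@ -181,11 are Responder, Incident Commander (IC) and Communications Officer (CO). If "First Responder" is defined elsewhere in the plan, link it here; otherwise use the role name from the list. This is outside the lines the patch changes, but it sits directly under the sitrep example being re-indented and is cheap to fix in the same pass.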