# Security Incident Response

> A disciplined response to a suspected security incident that contains the threat, preserves evidence, and meets disclosure obligations.

**Category:** IT & Security

**When to use:** When a breach, account compromise, or data exposure is suspected.

**Trigger:** A suspected security incident

## Steps

1. Declare the incident, record the time of discovery (notification clocks usually run from it), and name a security incident lead immediately.
2. Contain first: isolate affected accounts and systems to stop spread, preferring containment that keeps evidence intact (revoke sessions, disable accounts, network-isolate a host) over actions that erase it (wiping or powering off).
3. Preserve evidence and logs before making changes that could destroy them: export the relevant logs, snapshot affected hosts, and hash what you collect so its integrity can be shown later.
4. Assess scope: what data, systems, and people are affected, how access was gained, and for how long.
5. Notify the required parties on the legal and contractual timeline; do not over- or under-disclose.
6. Eradicate (remove persistence and rotate every credential the attacker could have reached), recover from a known-good state, then run a blameless review and harden against a repeat.

## Outputs

- A contained incident with preserved evidence
- A scope assessment
- Required notifications sent and a hardening plan

## Tools

- SIEM / logs
- Identity / SSO
- Incident channel

## Notes

Preserve evidence before you start fixing. The instinct to clean up first is the instinct that destroys the trail you need: rebuilding a host, rotating a credential, or rebooting overwrites the memory, logs, and session state you need to establish scope, and log rotation keeps running while you deliberate.
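The "preserve before you fix" step (step 3 above and this note) in working form, as an added example that is not part of the OrgTP template: a small Python collector that copies the logs you name into a fresh evidence directory, hashes each original before copying and each copy after, writes a JSON manifest, and can later prove the copies are unchanged. The file paths, log lines and collector name are constructed for the demo, not real data.

```python
"""Evidence preservation before containment.

Added example for this SOP, not code from OrgTP: snapshot the log files
that matter, hash them, and write a manifest you can verify later. Paths
and log lines below are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(sources, evidence_dir, collector: str) -> dict:
    """Copy each source into a fresh evidence directory and return the manifest.

    Each item records the hash of the original taken *before* copying and the
    hash of the copy *after*, plus size and mtime, so the manifest shows the
    copy reflects what was on disk when the incident was declared.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=False)  # never reuse a directory
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "items": [],
    }
    for i, src in enumerate(map(Path, sources)):
        st = src.stat()
        original_hash = sha256_file(src)
        dest = evidence_dir / f"{i:03d}_{src.name}"  # index avoids basename clashes
        shutil.copy2(src, dest)  # copy2 keeps mtime, which the timeline needs
        copy_hash = sha256_file(dest)
        if copy_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match original; file changed under us")
        os.chmod(dest, 0o440)  # read-only: the copy is evidence, not a working file
        manifest["items"].append({
            "source": str(src),
            "copy": dest.name,
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": copy_hash,
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir) -> list:
    """Return the names of copies whose current hash no longer matches the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [
        item["copy"]
        for item in manifest["items"]
        if sha256_file(evidence_dir / item["copy"]) != item["sha256"]
    ]


def demo() -> dict:
    """Exercise snapshot/verify on constructed logs, then tamper with one copy."""
    work = Path(tempfile.mkdtemp())
    auth = work / "auth.log"
    auth.write_text(  # constructed sample lines, not real data
        "Mar 03 09:14:02 web01 sshd[4121]: Failed password for root from 203.0.113.9\n"
        "Mar 03 09:14:07 web01 sshd[4121]: Accepted password for deploy from 203.0.113.9\n"
    )
    app = work / "app.log"
    app.write_text("2024-03-03T09:15:00Z WARN token reuse detected for user=deploy\n")

    evidence = work / "evidence"
    manifest = snapshot([auth, app], evidence, collector="incident-lead")
    before = verify(evidence)  # clean: nothing has changed since collection

    tampered = evidence / manifest["items"][0]["copy"]
    os.chmod(tampered, 0o640)
    with open(tampered, "a") as f:
        f.write("Mar 03 09:20:00 web01 sshd[4121]: line planted after collection\n")
    after = verify(evidence)  # the altered copy is now reported
    return {"items": len(manifest["items"]), "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the collector as the incident lead before anyone touches the host, and store the manifest (and ideally its own hash) somewhere the responders cannot write to; the manifest is what lets a later reviewer, auditor or counsel trust that the logs behind the scope assessment are the logs that existed at declaration.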

---

Free SOP from the OrgTP Process Library — https://orgtp.com/process-templates/security-incident-response
Run it live with your humans and AI agents at https://orgtp.com.
