This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-incident-runbook-library.md

1.2 KiB

Pattern: Incident Runbook Library

Status: seed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, product repos Genesis family: Detection and response

Problem

Incident response becomes slow and inconsistent when teams rely on memory or ad hoc decisions during security events.

Context

Use this pattern for credential compromise, tenant isolation incidents, malicious uploads, policy bypass, OpenBao recovery, build compromise, and platform outage scenarios.

Forces

  • Incidents need quick containment.
  • Actions must be safe, authorized, and reversible where possible.
  • Evidence preservation matters.
  • Tenant communication and post-incident learning need structure.

Solution

Maintain a reviewed library of incident runbooks with triggers, severity, roles, containment steps, evidence handling, tenant communication, recovery, and post-incident follow-up.

Verification

  • High-value scenarios have runbooks with owners.
  • Runbooks are tested through drills or tabletop exercises.
  • Containment actions link to audit and decision records.
  • Post-incident reviews create tracked follow-up work.
  • Break-glass Access.
  • Kill Switch / Tenant Freeze.
  • Token Revocation Sweep.
  • Central Audit Ledger.