This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-incident-runbook-library.md

45 lines
1.2 KiB
Markdown

# Pattern: Incident Runbook Library
Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, Railiance platform, product repos
Genesis family: Detection and response
## Problem
Incident response becomes slow and inconsistent when teams rely on
memory or ad hoc decisions during security events.
## Context
Use this pattern for credential compromise, tenant isolation incidents,
malicious uploads, policy bypass, OpenBao recovery, build compromise,
and platform outage scenarios.
## Forces
- Incidents need quick containment.
- Actions must be safe, authorized, and reversible where possible.
- Evidence preservation matters.
- Tenant communication and post-incident learning need structure.
## Solution
Maintain a reviewed library of incident runbooks with triggers,
severity, roles, containment steps, evidence handling, tenant
communication, recovery, and post-incident follow-up.
## Verification
- High-value scenarios have runbooks with owners.
- Runbooks are tested through drills or tabletop exercises.
- Containment actions link to audit and decision records.
- Post-incident reviews create tracked follow-up work.
## Related Patterns
- Break-glass Access.
- Kill Switch / Tenant Freeze.
- Token Revocation Sweep.
- Central Audit Ledger.