IH&R Process Dashboard

Cybersecurity · Incident Management Module · Cyber.SoHo

⚠ Master Takeaway: The calm voice wins the room.

The Six-Phase IH&R Lifecycle

This section translates the theoretical 6-phase incident handling model into an interactive exploration tool. The phases below set out the specific actions, deliverables, and common pitfalls associated with each step of a cyber crisis. This structure emphasizes that incident response is a loop, not a straight line.

Interactive Process Map

Phase 1: Preparation

The boring phase that saves your job.

Key Actions & Deliverables

  • Build and socialise the IRP (Incident Response Plan)
  • Stand up the CSIRT
  • Stock the jump bag (forensic laptops, write-blockers, burner phones)
  • Run tabletop exercises and purple-team drills
  • Harden logging (SIEM, EDR, NDR)
  • Pre-align Legal, HR, PR, and Insurance

💡 Key Takeaway

The quality of your preparation is the single largest predictor of how painful the next incident will be.

Event

Anything observable on a system (a login, a packet, a file change). Not inherently bad.

Incident

An event that violates or threatens your security policy. Requires response.

Breach

An incident where loss of confidentiality of data is proven. Triggers legal clocks.

The Incident Response Plan (IRP)

This section provides a structured breakdown of the core document driving the IH&R process. By organizing the IRP components into functional blocks (The Anatomy, Building it, Activating it), users can quickly grasp how an IRP transitions from a static document to an operational tool during an emergency.

📖 Anatomy of an IRP

The 7 canonical sections. Real-world plans that drift from this checklist fail at 3 AM.

1. Purpose & Authority: what it covers, who authorised it.
2. Roles & Responsibilities: CSIRT, RACI, exec approval chain.
3. Severity Matrix: SEV-1 to SEV-4 with concrete examples.
4. Process by Phase: tied to the 6-phase lifecycle.
5. Comms Protocols: internal, external, regulatory axes.
6. Tooling & Evidence: SIEM, forensics, chain of custody.
7. Post-Incident Review: PIR templates & KPIs.

First 15 Minutes Activation

The first 15 minutes set the tone for the next 15 days. Make them disciplined.

1. Incident Commander declared
2. War-room bridge opened (out-of-band)
3. Clock started — documented in writing
4. Scope defined (known systems/users)
5. Severity rated + communicated

Order of Operations (Building)

1. Inventory Crown Jewels
2. Threat Model
3. Map Phases
4. Define Severity
5. Define Roles
6. Write Playbooks
7. DRILL IT

Communication & Escalation

Communication breakdowns cause more business damage than malware. This interface visualizes the rigid structures required for crisis communication: the parallel communication axes, the strict severity-based notification SLAs, and the critical concept of out-of-band fallbacks.

1. Internal Axis

War-room chat, exec SITREPs every 30 min, ops tickets, all-hands advisories.

Single Owner Required

2. External Axis

Customers, partners, media, status pages, social media holding statements.

Single Channel of Record

3. Regulatory Axis

Data-protection authorities, sector CERTs, stock-exchange formal disclosures.

Strict Deadlines

Severity Notification Matrix

Severity | Examples | Notify Within | Audience
---------|----------|---------------|---------
SEV-1 Critical | Business-down ransomware, mass PII theft | 15 min | CEO, CIO, CISO, Legal, DPO, full CSIRT
SEV-2 High | Contained malware in one BU; limited data exposure | 1 hour | CISO, SOC manager, affected system owners
SEV-3 Medium | Isolated endpoint alert; unusual priv activity | 4 hours | SOC Tier-2, system owner
SEV-4 Low | Low-confidence IoC match, policy violation | Next Business Day | SOC Tier-1 only

Escalation Rule: Promote severity the moment scope grows. Never "de-escalate" quietly.
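A worked example of the matrix and the escalation rule above, as added code that is not part of the original module: an incident record that computes the notify-by deadline for its current severity, lets severity be promoted at any time, and refuses a demotion unless a written reason is recorded in an append-only log. Two modelling choices are assumptions rather than page text: "Next Business Day" is read as 09:00 on the next weekday, and a promotion restarts the notification clock from the moment of promotion. The timestamps in the comments are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Severity Notification Matrix as given on the page: level -> (label, notify-within, audience).
# None stands for "Next Business Day", modelled below as 09:00 on the next weekday (an assumption).
SEVERITY_MATRIX = {
    1: ("Critical", timedelta(minutes=15), "CEO, CIO, CISO, Legal, DPO, full CSIRT"),
    2: ("High", timedelta(hours=1), "CISO, SOC manager, affected system owners"),
    3: ("Medium", timedelta(hours=4), "SOC Tier-2, system owner"),
    4: ("Low", None, "SOC Tier-1 only"),
}


def next_business_day_0900(t: datetime) -> datetime:
    """Assumed reading of 'Next Business Day': 09:00 on the next Monday-to-Friday date."""
    d = t.date() + timedelta(days=1)
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return datetime(d.year, d.month, d.day, 9, 0, tzinfo=t.tzinfo)


def notify_by(severity: int, rated_at: datetime) -> datetime:
    """Deadline for telling the matrix audience, counted from when this severity took effect."""
    within = SEVERITY_MATRIX[severity][1]
    return rated_at + within if within is not None else next_business_day_0900(rated_at)


@dataclass
class Incident:
    clock_start: datetime                  # "Clock started, documented in writing"
    severity: int
    rated_at: Optional[datetime] = None    # when the current severity took effect
    log: list = field(default_factory=list)  # append-only audit trail of every rating change

    def __post_init__(self):
        if self.severity not in SEVERITY_MATRIX:
            raise ValueError(f"unknown severity {self.severity}")
        if self.rated_at is None:
            self.rated_at = self.clock_start

    def rate(self, new_severity: int, at: datetime, reason: str = "") -> None:
        """Escalation rule: promotion (smaller number) is always allowed and restarts the
        notification clock; demotion needs a written reason, so it can never happen quietly."""
        if new_severity not in SEVERITY_MATRIX:
            raise ValueError(f"unknown severity {new_severity}")
        if new_severity > self.severity and not reason.strip():
            raise ValueError("de-escalation requires a documented reason")
        self.log.append({"at": at, "from": self.severity, "to": new_severity, "reason": reason})
        self.severity, self.rated_at = new_severity, at

    def deadline(self) -> datetime:
        return notify_by(self.severity, self.rated_at)

    def audience(self) -> str:
        return SEVERITY_MATRIX[self.severity][2]

    def notification_status(self, now: datetime, notified_at: Optional[datetime] = None) -> str:
        """'met'/'late' once someone was notified; otherwise 'pending' or 'overdue' relative to now."""
        dl = self.deadline()
        if notified_at is not None:
            return "met" if notified_at <= dl else "late"
        return "overdue" if now > dl else "pending"


if __name__ == "__main__":
    # Constructed timeline: a SEV-3 opened on a Monday morning, promoted to SEV-1 twenty minutes later.
    start = datetime(2024, 3, 4, 10, 0)
    inc = Incident(start, 3)
    inc.rate(1, start + timedelta(minutes=20), "scope grew to a second business unit")
    print(inc.deadline(), inc.audience(), inc.notification_status(start + timedelta(minutes=40)))
```

The point of keeping `log` append-only and requiring a reason on demotion is that the audit trail, not a chat scrollback, answers "who lowered this to SEV-3 and why" during the post-incident review.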

Compliance & Documentation

"If it is not documented, it did not happen." This section aggregates the scattered compliance requirements into a unified dashboard, showing the exact evidentiary requirements per phase and the unforgiving regulatory clocks that start ticking the moment a breach is discovered.

The Reporting Clock

  • PCI-DSS. Trigger: suspected cardholder-data compromise. Deadline: immediately. Report: to acquirer/brands.
  • NIS2 (EU) / DORA. Trigger: significant incident / major ICT-related incident. Deadline: 4 to 24 hours. Report: early warning / initial.
  • GDPR. Trigger: personal-data breach (AEPD in Spain, etc.). Deadline: 72 hours. Report: to DPA.
  • SEC (US). Trigger: material cybersecurity incident. Deadline: 4 business days. Report: on Form 8-K.
  • HIPAA (US). Trigger: breach of PHI (>500 individuals). Deadline: 60 days. Report: to HHS + media notice.
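The reporting clocks above, as an added worked example rather than code from the module: given the discovery time and the set of regimes the incident has tripped, it returns every running deadline soonest-first and flags the ones already missed. It encodes only the deadlines listed on the page; the 4-to-24-hour NIS2/DORA window is kept as both ends. Assumptions not taken from the page: every clock is counted from the single discovery timestamp, and "business days" means Monday to Friday with public holidays ignored.

```python
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Reporting-clock table from the page: (regime, trigger, deadline rule, what is filed / to whom).
# Deadline rules are ("immediate", 0), ("hours", n), ("days", n) or ("business_days", n).
# The page gives NIS2/DORA as a 4-to-24-hour window, so both ends appear as separate rows.
REPORTING_CLOCKS: List[Tuple[str, str, Tuple[str, int], str]] = [
    ("PCI-DSS", "Suspected cardholder-data compromise", ("immediate", 0), "to acquirer/brands"),
    ("NIS2 (EU) / DORA", "Significant / major ICT-related incident (earliest)", ("hours", 4), "early warning / initial"),
    ("NIS2 (EU) / DORA", "Significant / major ICT-related incident (latest)", ("hours", 24), "early warning / initial"),
    ("GDPR", "Personal-data breach", ("hours", 72), "to DPA"),
    ("SEC (US)", "Material cybersecurity incident", ("business_days", 4), "on Form 8-K"),
    ("HIPAA (US)", "Breach of PHI (>500 individuals)", ("days", 60), "to HHS + media notice"),
]


def add_business_days(t: datetime, n: int) -> datetime:
    """Advance t by n weekdays (Mon-Fri). Public holidays are ignored: an assumption."""
    d = t
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def deadline(rule: Tuple[str, int], discovered_at: datetime) -> datetime:
    """Turn one table rule into an absolute deadline, counted from discovery (assumption)."""
    kind, n = rule
    if kind == "immediate":
        return discovered_at
    if kind == "hours":
        return discovered_at + timedelta(hours=n)
    if kind == "days":
        return discovered_at + timedelta(days=n)
    if kind == "business_days":
        return add_business_days(discovered_at, n)
    raise ValueError(f"unknown deadline rule {kind!r}")


def running_clocks(discovered_at: datetime, triggered: Iterable[str]):
    """Deadlines for every regime in `triggered`, soonest first."""
    wanted = set(triggered)
    rows = [(regime, trigger, deadline(rule, discovered_at), report)
            for regime, trigger, rule, report in REPORTING_CLOCKS if regime in wanted]
    return sorted(rows, key=lambda r: r[2])


def overdue(discovered_at: datetime, triggered: Iterable[str], now: datetime):
    """Subset of running clocks whose deadline has already passed at `now`."""
    return [r for r in running_clocks(discovered_at, triggered) if now > r[2]]


if __name__ == "__main__":
    # Constructed scenario: card data and personal data confirmed exposed, discovered late on a Friday.
    found = datetime(2024, 3, 8, 17, 0)
    for regime, trigger, due, report in running_clocks(found, {"PCI-DSS", "GDPR", "SEC (US)"}):
        print(f"{due:%Y-%m-%d %H:%M}  {regime:<18} {report}")
```

Printing the list soonest-first is deliberate: in the war room the question is "what is the next clock to expire", and a Friday-evening discovery is exactly where the 72-hour GDPR clock and the 4-business-day SEC clock diverge.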

🔒 Chain of Custody

Every piece of evidence requires a signed, timestamped record. One broken link = inadmissible.

  • Who collected it?
  • When, where, what tool?
  • Hash value (SHA-256 min)
  • Who held/transferred it?

Work on copies, keep originals sealed.
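To make "one broken link = inadmissible" concrete, here is an added example (not code from the module) of a minimal custody log: the collection record seals the SHA-256 of the original, every hand-over re-hashes what is actually handed over and names both parties, and a verifier reports each broken link it finds (hash drift, an unsigned record, an out-of-order timestamp, or a transfer by someone who never held the item). People, locations, timestamps and the evidence bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class CustodyEntry:
    at: datetime      # when
    action: str       # "collected" or "transferred"
    handler: str      # who collected it, or who released it on a transfer
    recipient: str    # who received it on a transfer; "" on collection
    where: str        # where
    tool: str         # what tool (collection only)
    sha256: str       # hash of the evidence as presented at this step
    signed: bool      # record signed by the parties involved


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(evidence: bytes, collector: str, at: datetime, where: str, tool: str) -> List[CustodyEntry]:
    """Start a chain: the collection record seals the original's hash."""
    return [CustodyEntry(at, "collected", collector, "", where, tool, sha256_hex(evidence), True)]


def transfer(chain: List[CustodyEntry], evidence: bytes, releasing: str, receiving: str,
             at: datetime, where: str, signed: bool = True) -> List[CustodyEntry]:
    """Append a hand-over record; the hash is recomputed on whatever is actually handed over."""
    entry = CustodyEntry(at, "transferred", releasing, receiving, where, "", sha256_hex(evidence), signed)
    return chain + [entry]


def current_custodian(chain: List[CustodyEntry]) -> str:
    holder = ""
    for e in chain:
        holder = e.handler if e.action == "collected" else e.recipient
    return holder


def verify_chain(chain: List[CustodyEntry], sealed_original: bytes) -> List[str]:
    """Return every broken link found; an empty list means the chain is intact."""
    if not chain or chain[0].action != "collected":
        return ["no collection record at the head of the chain"]
    problems: List[str] = []
    sealed, holder, prev_at = chain[0].sha256, chain[0].handler, chain[0].at
    for i, e in enumerate(chain):
        if e.sha256 != sealed:
            problems.append(f"entry {i}: hash differs from the sealed collection hash")
        if not e.signed:
            problems.append(f"entry {i}: record is not signed")
        if e.at < prev_at:
            problems.append(f"entry {i}: timestamp earlier than the previous entry")
        if e.action == "transferred":
            if e.handler != holder:
                problems.append(f"entry {i}: released by {e.handler} but custody was with {holder}")
            holder = e.recipient
        prev_at = e.at
    # "Work on copies, keep originals sealed": the sealed original must still match its hash.
    if sha256_hex(sealed_original) != sealed:
        problems.append("sealed original no longer matches the collection hash")
    return problems


if __name__ == "__main__":
    image = b"constructed: contents of a forensic disk image"   # stands in for the sealed original
    t0 = datetime(2024, 3, 4, 10, 0)
    chain = collect(image, "A. Analyst", t0, "DC rack 12", "dd via write-blocker")
    chain = transfer(chain, image, "A. Analyst", "B. Examiner", t0.replace(hour=11), "evidence locker")
    print(current_custodian(chain), verify_chain(chain, image))
```

Each link names the releasing party explicitly so that a record in which someone who never held the item "hands it on" is caught mechanically, which is the kind of gap opposing counsel looks for.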

Post-Incident Review (PIR) & Metrics

The final phase of IH&R closes the loop. This dashboard visualizes the core metrics (MTTD/MTTR) used to prove the security team is actually learning. It also structures the root-cause analysis process (5 Whys / Ishikawa), turning the pain of an incident into concrete, trackable improvements.

Response Maturity Trend (simulated chart; figure not reproduced here)

Elite target: MTTD in minutes, MTTR in hours.

🔍 The 5 Whys Example

Problem: Ransomware executed.

Why? User clicked a link.

Why? EDR rule didn't fire.

Why? Policy not deployed to subnet.

Why? Onboarding checklist missing step.

Why? (Root) Checklist is in a wiki nobody reads.

Feeding Back into Preparation

Every PIR must produce action items in at least two of these buckets:

1. Detection
2. Prevention
3. Process
4. People