- Record the date and time the breach was discovered, and the date and time response efforts begin (i.e. when someone on the response team is first alerted to the breach).
- Open a Pylon Trouble Ticket as the primary record of the response and investigation.
- If not already done, alert everyone on the client contact team to begin executing the preparedness plan.
- Secure the premises around the area where the data breach occurred to help preserve evidence.
- Stop additional data loss: take affected machines off the network, but do not power them off or begin probing them until the third-party forensics team designated by the client arrives.
- Retain all onsite system backups, preserved in the same forensic state as the impacted devices.
- Document everything known so far about the breach: who discovered it, who reported it, to whom it was reported, who else knows about it, what type of breach occurred, what was stolen, how it was stolen, what systems are affected, what devices are missing, etc.
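The steps above amount to an intake record that the response team must keep consistent: two timestamps in the right order, a ticket reference, hosts held off the network but powered on, and a fixed set of facts captured before the forensics handoff. The following Python is an added example, not part of the original checklist or any Pylon tooling; the `IncidentRecord` class, the host-state fields and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Facts the last checklist step requires before handoff (names are assumptions).
REQUIRED_FACTS = (
    "discovered_by", "reported_by", "reported_to", "others_aware",
    "breach_type", "data_taken", "method", "systems_affected", "devices_missing",
)


@dataclass
class IncidentRecord:
    """Hypothetical intake record mirroring the first-response checklist."""
    discovered_at: datetime          # when the breach was found
    response_started_at: datetime    # when the response team was first alerted
    ticket_id: str                   # trouble ticket reference (constructed format)
    facts: dict = field(default_factory=dict)
    # hostname -> {"network": "isolated"|"connected", "power": "on"|"off"}
    hosts: dict = field(default_factory=dict)

    def __post_init__(self):
        # Naive timestamps make later timeline reconstruction ambiguous.
        for name, ts in (("discovered_at", self.discovered_at),
                         ("response_started_at", self.response_started_at)):
            if ts.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")
        if self.response_started_at < self.discovered_at:
            raise ValueError("response cannot start before discovery")
        if not self.ticket_id:
            raise ValueError("open the trouble ticket before recording the incident")

    def time_to_response(self) -> timedelta:
        """Gap between discovery and the team being alerted."""
        return self.response_started_at - self.discovered_at

    def missing_facts(self) -> list:
        """Checklist items not yet documented."""
        return [k for k in REQUIRED_FACTS if not self.facts.get(k)]

    def isolation_violations(self) -> list:
        """Hosts not in the required state: off the network but still powered on."""
        return sorted(h for h, s in self.hosts.items()
                      if s.get("network") != "isolated" or s.get("power") != "on")

    def ready_for_forensics_handoff(self) -> bool:
        return not self.missing_facts() and not self.isolation_violations()


def build_sample_record() -> IncidentRecord:
    """Constructed sample: one host was powered off against the checklist and one fact is missing."""
    found = datetime(2024, 3, 5, 9, 12, tzinfo=timezone.utc)
    return IncidentRecord(
        discovered_at=found,
        response_started_at=found + timedelta(minutes=47),
        ticket_id="PYLON-EXAMPLE-0001",   # placeholder, not a real ticket
        facts={
            "discovered_by": "helpdesk", "reported_by": "helpdesk",
            "reported_to": "security on-call", "others_aware": "site manager",
            "breach_type": "unauthorized access", "data_taken": "customer export",
            "method": "unknown", "systems_affected": "web-01, db-02",
            # "devices_missing" deliberately left undocumented
        },
        hosts={
            "web-01": {"network": "isolated", "power": "on"},
            "db-02": {"network": "isolated", "power": "off"},  # should not have been shut down
        },
    )


if __name__ == "__main__":
    rec = build_sample_record()
    print("time to response:", rec.time_to_response())
    print("missing facts:", rec.missing_facts())
    print("isolation violations:", rec.isolation_violations())
    print("ready for handoff:", rec.ready_for_forensics_handoff())
```

The record refuses naive timestamps and a missing ticket at construction time, and the two check methods give the team a concrete list of what still blocks the forensics handoff rather than a yes/no answer.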
- Responding to a Cyber Incident: NIST
- CIS Incident Response and Management: CIS