Incident Response — Study Guide

Review these materials before taking the exam. All links open in the Krumware Confluence IO space.

Key Concepts

When in doubt, report it. False alarms are fine. Hidden incidents are not.
Severity levels: Critical (Sev 1) — confirmed breach; Major (Sev 2) — significant event; Minor (Sev 3) — limited impact; Informational (Sev 4) — worth documenting.
You don't determine severity. Just report what you see — the response team classifies it.
Reporting order: Slack (primary) → Email (secondary) → Phone (critical).
What to include: What happened, when, what systems/data affected, actions taken, how to reach you.
What NOT to do: Don't investigate, don't fix it yourself, don't wait, don't hide it, don't forward phishing, don't post on social media.
No punishment for reporting. There are consequences for hiding incidents.
Post-incident reviews are blameless — focused on learning, not punishment.

Document	Relevance
TRN-005 Incident Response Quick Reference	Full quick reference — decision tree, severity levels, reporting channels, what to include
POL-013 Incident Response Policy	Governing policy — incident classification, response team, notification requirements, post-incident review
POL-010 Security Awareness & Training Policy	Training requirements including incident reporting awareness

These are response team references. You don't need to memorize them, but knowing they exist helps you understand the process.

Document	Scenario
PLB-001 Ransomware Playbook	Ransomware detected on a system
PLB-002 Data Breach Playbook	Unauthorized access to or exposure of data
PLB-003 Credential Compromise Playbook	Credentials exposed or stolen
PLB-004 Lost/Stolen Device Playbook	Laptop or phone lost or stolen
PLB-005 Platform Incident Playbook	SaaS platform outage or breach

Document	Relevance
PRC-007 Incident Response Procedure	Step-by-step incident handling process for the response team