Incident Response Patterns

Situation: During incident triage, instinct is to immediately debug root cause. But stakeholders need impact assessment first.

Context: CHLA InfoSec incident response, various severity levels

The Pattern: Always determine IMPACT first (who’s affected, what’s broken, is data at risk), then pursue root cause. Communicate impact to stakeholders within 15 minutes. Root cause investigation runs in parallel but doesn’t block communication.

Principle: Stakeholders don’t care about your debug process. They care about: (1) Is it bad? (2) Who’s affected? (3) When will it be fixed? Answer these first.

Source: Multiple CHLA incidents, InfoSec response practice