Incident notification procedure [UPDATED x2]

I have developed a generic procedure documenting the incident notification process for sale through SecAware

I'm surprised how involved, complex, time-boxed and fraught the disclosure process turned out to be - depending, of course, on the nature and scale of the incident (perhaps a ransomware or malware infection, privacy breach, hack or fraud), who needs to be informed about it, and how to do so.

Having been mined by Google's Bard, I refined and blended-in some raw content into the template, although I definitely wouldn't advise anyone to depend entirely on AI/ML/LLM robots for this in real time, particularly as they are not reliable (another little cluster of AI-related information risks there). So far, I've invested days researching the topic, then assembling, fleshing out, restructuring, expanding and genericising the content to suit our purposes, adding a smattering of Hinson tips throughout. I'm relieved not to be winging-it in the midst of a corporate crisis.

Here's the TL;DR version summarising 8 of the 15 steps in the full procedure as one-liners:
  1. Before an incident occurs, prepare an incident notification strategy.
  2. When an incident occurs, await the go-ahead to prepare notifications.
  3. Clarify the nature of the incident, gathering relevant information. 
  4. Determine who needs to be informed and how.
  5. Choose the appropriate message template/s and update accordingly. 
  6. Carefully check the wording of updated template/s.
  7. Pass the template/s through the management chain for approval.
  8. When approved, publish and be damned!
Aside from the actual procedure (5 pages), the appended fill-in-the-blanks notification messages for various types of incident and audiences (another 5 pages) will hopefully prompt customers to think things through and make the necessary preparations in advance, given that responding competently on the fly during an actual incident is bound to be tough, adding to the stress. This would be a valuable extension to the usual business continuity exercises.
"The key is to have a response panel established long before any incident. There may be several levels of panel(s) based on how impactful the incident becomes, again all fleshed out long before hand. Having this as part of Business Continuity is really the only workable solution. Not only do you need the panel(s) you also need to have all the decision points and the actual decisions preloaded - things like:
      • Do we isolate the system, subnet, business unit? 
      • Do we pull the plug on the Internet? 
      • Do we shut down the entire data center? 
All of that is dependent on the enterprise and their specific risk model. And obviously some of those decision points will require someone above the level of a CISO to make."
[Thanks for that, Bill Blake!]

UPDATE May 24th: the procedure template is finished and up for sale through the SecAware website. It ended up being 10 pages including a process flow diagram on the front and a selection of messages to customise.


UPDATE May 25th: if you don't (yet!) have the benefit of the SecAware procedure and the templates at the rear, you should be able to generate your own templates from first principles, perhaps using examples from actual notifications published on the web or sent to you as an affected party. This one, for instance, follows a logical sequence in 5 carefully-worded paragraphs ... which have been duly picked up and reported like this

There are of course many such notifications appearing daily - fortunately for those of us seeking realistic examples, unfortunately for those impacted by the incidents.

It's down to you and your management to decide how much information to disclose, in what format/s, to whom, when etc. and to prepare, authorise and release it following a sequence similar to that shown above. Good luck doing all of that smoothly and efficiently following an actual incident. Just $20 invested in the SecAware template, today, will help take the pressure off when you find yourself in the hot seat. At the sharp end. Under more pressure than a diver in the Mariana Trench. With a creaking submersible and lingering doubts about the company that certified those old silicone rubber door seals ...