Oct 30 16:38:30 UTC 2019
##ROUGHDRAFT##

Crash course on how to have an operational incident.

Hypothetical: Account compromise. What would you do?

@hashoctothorpe

----

Urgent v Important: Urgent is time sensitive; Important has danger or consequences.
An emergency is something that is Urgent and Important.
Example: getting lunch is Urgent; knowing where your kids are is Important.

"What do I do next?" and "How do I get more help?" are questions that people will have and that you should expect.

Remove the thinking from the emergency / incident response; this is where frameworks come in.

What is an emergency?
You need to have confidence in your monitoring, and agreement on what metrics or issues would constitute an emergency.

What to do next
When an emergency happens
How to get help?

Incident response is a team sport.
- Assemble
- Communicate
- Assess

Communicate the issue and customer impact out.
There should be an incident commander or lead to do the communication.
Delegate and avoid duplicating effort.

Start of Authority -- Incident Commander: sole person in charge, so don't let managers or other people countermand them.

When is the incident over?
Shifts should be 4 hours or less, not more.

- Is it an emergency?
- Who is the team?
- Who will organize them?
- Where will they organize?
- How will they talk?
- Shifts
- Dispersal of people

Everyone should be trained on this process.

Next Step
- How do you communicate?
- When and how do you engage lawyers or PR people?
- When do you talk to executives?
- Communication out