Insight • Forensic Readiness • Incident Response
Incident Ownership: Name the IC and Decision Rights
If incident ownership isn’t named, you don’t have incident response. You have a meeting.
The 10-second test
Most “IR plans” fail because nobody can answer these in 10 seconds:
- Who is the Incident Commander?
- Who can isolate systems?
- Who can disable accounts / reset creds?
- Who approves customer / legal comms?
- Who owns the evidence timeline?
When authority is unclear, speed turns into chaos:
- Teams argue instead of acting
- Work duplicates
- Evidence gets overwritten
- Decisions get delayed “until leadership joins”
Minimum viable ownership
You don’t need a huge org chart. You need named ownership and written decision rights.
Ownership model (simple, enforceable)
- Incident Commander (IC) — single accountable lead for pace, priorities, and decisions.
- Deputy IC — backup + continuity (shift change, fatigue, availability).
-
Decision rights — written down for:
- Containment actions (isolate, block, disable, reset)
- Customer / legal / regulator communications
- Emergency spend (tools, IR support, contractors)
- Evidence owner — timeline + log preservation + chain-of-custody discipline (so investigations don’t collapse later).
- One channel, one doc — single source of truth.
What “written decision rights” actually means
The goal is not bureaucracy. The goal is fewer debates during impact. Decision rights should specify:
- What actions are pre-approved for the IC (and when)
- What actions require a designated approver (name/role)
- What evidence must be preserved before changes (where feasible)
- How exceptions are logged (who, why, time)
Design authority in month zero
If you want control in hour one, you must assign authority in month zero. Make it explicit, rehearse it, and keep it current.