Incident Response — Security Checklist

Do you maintain a documented incident response (IR) policy that defines scope, objectives, and roles?

Do you have a designated incident commander and incident response team with clearly defined roles, responsibilities, and decision-making authority? Is the incident commander role clearly established to coordinate response activities, make time-sensitive decisions, and ensure clear accountability during incidents?

Do you have designated subject matter experts (ex. Core Devs) who understand different parts of protocol internals and can analyze ongoing attacks and prepare response strategies for potential attack vectors?

Do you have designated signer roles with documented authority and procedures for executing emergency transactions (pausing, freezing, parameter changes)?

Do you periodically review and update IR team roles, authorities, and escalation measures to reflect protocol changes, new teams, or evolving governance structures?

Do you have designated Communications personnel responsible for public information sharing and incident response record-keeping?

Do you maintain Legal support with documented procedures for analyzing legal and regulatory implications of response actions, approving whitehat engagement agreements, and reviewing public communications?

Do you have documented procedures for coordinating between technical teams (Core Devs/Auditors) and operational teams (Security Council/Communications) during incidents?

Do you maintain contact methods & communication channels for external companies that run protocols you depend on, or that depend on your protocol?

Do you maintain documented monitoring coverage for critical systems, protocols, and infrastructure components with 24/7 capabilities and procedures for after-hours alert handling?

Do you have automated alerting configured with embedded playbooks for security events, detecting false alarms, and operational issues?

Do you conduct regular alert testing and drills to ensure monitoring systems function correctly under various scenarios?

Do you have documented procedures for alert triage, classification, and escalation to appropriate response teams?

Do you maintain log retention policies with adequate preservation periods for security and infrastructure logs (including cloud provider logs) to support incident investigation and forensic analysis?

Do you maintain procedures for monitoring leaked credentials and compromised accounts associated with the organization?

Do you have procedures for monitoring organizational social media accounts & websites for indicators of compromise or unauthorized activity?

Do you maintain requirements for immutable logging and tamper-evident alerting channels that trigger alerts if logs are altered or monitoring is disabled?

Do you operate redundant paging systems with documented procedures and regular testing?

Do you maintain current on-call schedules with documented coverage requirements and backup procedures?

Do you have documented escalation procedures with time-based triggers and management notification requirements?

Do you define and track response time targets for different incident severity levels?

Do you maintain documented response playbooks for common incident types (protocol exploits, infrastructure failures, access control breaches, data security incidents, and supply chain compromises)?

Do you have step-by-step procedures for initial response actions including containment, evidence preservation, and stakeholder notification?

Do you maintain role-based playbooks that define specific responsibilities for different team members (Core Devs, Auditors, Signers, Communications, Legal) during incidents?

Do you maintain procedures for coordinating multisig operations during incidents including signer availability and cross-timezone challenges?

Do you have documented criteria for major response decisions (system shutdown, public disclosure, external assistance) and escalation policies for when to engage leadership?

Do you maintain contact information and procedures for engaging external expertise (forensics, legal, specialized consultants)?

Do you maintain emergency cards or quick-reference materials containing key personnel and response steps for each protocol component?

Do you maintain multiple communication channels (primary and backup) with documented procedures for reaching signers across time zones, including during emergencies?

Do you maintain pre-signed emergency transactions for critical protocol functions (pause, freeze, parameter changes)?

Do you have documented procedures for rapidly executing emergency transactions with minimal coordination time?

Do you maintain multiple signing methods and backup procedures for signers transaction execution?

Do you have a documented procedure for rotating keys and replacing compromised signers?

Do you maintain dedicated communication channels for incident response with documented access controls, member lists, and procedures for rapidly creating new incident-specific channels when needed?

Do you have documented procedures for incident status reporting including frequency, format, and distribution lists?

Do you maintain secure communication procedures for sensitive incident information?

Do you maintain documented procedures for coordinating communications with protocol users during and post-exploit?

Do you have pre-approved communication templates and escalation procedures for different incident types and severity levels?

Do you maintain procedures for managing public information flow and preventing misinformation during active incidents?

Do you conduct regular incident response drills that test pager systems, escalation procedures, team coordination, monitoring systems, containment procedures, and recovery processes? Do you evaluate drill performance, identify gaps, and track improvement actions based on both exercise findings and real incident experience?