
Incident Response (IR) Playbook — Lantern

Purpose

High-level incident response playbook for Lantern. Use this as the single source for triage, containment, remediation, and notification for security incidents.

Incident classification

  • Low: Single user complaint, minor suspicious activity, no PII exposure.
  • Medium: Multiple users affected, possible PII exposure, e.g., repeated fraudulent redemptions.
  • High / Critical: Confirmed data breach, admin account compromise, exfiltration, or payment data compromise.

Roles & contacts

  • Incident Lead: @oncall-security (rotating)
  • Engineering Lead: @owner
  • Legal: legal@lantern.example (or external counsel)
  • Communications: comms@lantern.example
  • CTO/CEO: founder@lantern.example

NOTE: Replace the placeholder contacts with actual team emails and phone numbers.

Triage checklist (first 60 minutes)

  1. Confirm and classify the incident (Low/Medium/High).
  2. Capture a snapshot: system logs, relevant DB records, last deploys, and admin activity.
  3. If high/critical, escalate to Incident Lead and Legal immediately.
  4. Contain: rotate credentials/keys, revoke compromised tokens, and disable affected services if needed (prefer graceful disablement to full outage if possible).
  5. Start an incident timeline document (shared doc) and invite necessary stakeholders.

Containment & remediation (next 24 hours)

  • Block compromised accounts or sessions and require password resets / MFA re-enrollment.
  • Rotate service account keys and rotate relevant secrets in Secret Manager.
  • Apply hotfixes to code or infra as needed; push to staging then production via controlled deploys.
  • Run data integrity checks and begin forensic data gathering (logs, backups).

Notification & disclosure

  • Internal: keep stakeholders informed via the incident timeline, and schedule a briefing within 4 hours for critical incidents.
  • Affected users: prepare notification templates (see NOTIFICATION_TEMPLATES.md in this folder) and send them once the scope is confirmed.
  • Regulators: for certain incidents (e.g., GDPR-level PII exposure), legal will determine mandatory notifications and timescales.
  • Public: coordinate with comms + legal to prepare a public statement if required.

Post-incident

  • Conduct a post-mortem 3–7 days after containment; include root cause, impact, remediation timeline, and action items with owners.
  • Track follow-up tasks and verify remediations are completed.
  • Update this IR Playbook with lessons learned.

Playbook templates

  • Incident timeline: Use a shared Google Doc or project board and record time-ordered actions.
  • Access revocation checklist: list of services and tokens to rotate.
  • Notification templates: see NOTIFICATION_TEMPLATES.md.

This playbook is a living document. Keep it up to date and exercise it with tabletop drills at least twice per year.