Incidents happen, and the most important part of IR is the planning stage. You should have a process or checklists with steps to make sure it goes as smoothly and fast as possible.
When your forensic analysis shows or likely determines PII was accessed, your executives need to have the right information to make a decision. You should have a memo which breaks down what data was on the system and factuial evidence of the data accessed. It should be in layman terms where the executives can lean on the analysis for decisions. “>Additionally, its good to have the investigators opinion of the likelihood data was accessed in the memo. A typical example is a web server defaced, but no additional tools or activity happened on the server. “>The key is understanding your management and have discussions early on about when to notify and when not to notify.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.