Security Incident Response
Coordinate security and privacy teams during a live breach.
What Is Security Incident Response?
Security incident response under GDPR requires organizations to determine whether a security event involves personal data and, if so, to follow specific assessment and notification procedures within tight regulatory deadlines. Not every security incident is a data breach, but every data breach starts as a security incident. Making that determination quickly and accurately is the core skill this exercise develops.

You are placed in command of an active security incident where your network monitoring detects suspicious data exfiltration patterns. You must coordinate between IT security, who want to contain and investigate the threat, and the privacy team, who need to assess the personal data implications and manage regulatory obligations. These two priorities sometimes conflict: forensic investigation may require keeping compromised systems online for evidence collection, while data protection demands immediate containment. The exercise walks you through building a cross-functional incident response workflow that satisfies both goals.

You will practice the triage decision tree: classifying the incident severity, determining whether personal data was accessed or exfiltrated, assessing the number of affected individuals, and evaluating the risk to their rights. If the incident qualifies as a personal data breach, you must activate the Article 33 notification process while the investigation is still ongoing, which means reporting to the supervisory authority with incomplete information and committing to phased updates.

According to IBM's 2024 Cost of a Data Breach Report, organizations with tested incident response plans reduce the average breach cost by USD 2.66 million compared to those without.
What You'll Learn in Security Incident Response
- Triage a security incident to determine whether personal data has been accessed, exfiltrated, or compromised
- Coordinate parallel workstreams between IT security containment and privacy team regulatory obligations
- Apply the breach classification decision tree to assess severity, scope, and notification requirements
- Report to supervisory authorities with incomplete information while committing to phased disclosure updates
- Build a cross-functional incident response workflow that satisfies both forensic investigation and data protection needs
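The triage decision tree above, worked through in code as an added example that is not part of the exercise material: it classifies an incident, decides whether Article 33 notification to the supervisory authority applies, and derives the 72-hour deadline from the moment the SOC became aware. The scoring weights, the sensitive-data categories and the acknowledgement timestamp are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Categories that raise the risk to data subjects (assumed list for this example).
SENSITIVE_TYPES = {"financial account numbers", "transaction history"}
@dataclass
class Incident:
    personal_data_involved: bool
    exfiltrated_externally: bool
    data_types: set
    affected_individuals: int
    aware_at: datetime  # when the SOC acknowledged the alert: GDPR "awareness"

@dataclass
class Triage:
    is_personal_data_breach: bool
    severity: str
    notify_authority: bool        # Article 33 notification to the supervisory authority?
    deadline: Optional[datetime]  # 72 hours after awareness (Art. 33(1))

def triage(inc: Incident) -> Triage:
    """Walk the decision tree: personal data? -> severity -> notification duty."""
    if not inc.personal_data_involved:
        # No personal data means a security event, not a personal data breach.
        return Triage(False, "security_event", False, None)
    # Assumed scoring: external exfiltration weighs most, then sensitivity, then scale.
    points = 2 if inc.exfiltrated_externally else 0
    points += 1 if inc.data_types & SENSITIVE_TYPES else 0
    points += 1 if inc.affected_individuals >= 1000 else 0
    severity = {0: "low", 1: "medium", 2: "high"}.get(points, "critical")
    # Art. 33 applies unless the breach is unlikely to result in a risk to individuals.
    notify = points >= 1
    deadline = inc.aware_at + timedelta(hours=72) if notify else None
    return Triage(True, severity, notify, deadline)

def triage_securenet_export() -> Triage:
    """The exercise's scenario: 50,000 records exported to an external FTP server."""
    inc = Incident(
        personal_data_involved=True, exfiltrated_externally=True,
        data_types={"full names", "email addresses", "phone numbers",
                    "financial account numbers", "transaction history"},
        affected_individuals=50_000,
        aware_at=datetime(2024, 3, 4, 7, 30),  # constructed acknowledgement time
    )
    return triage(inc)

def triage_failed_logins_only() -> Triage:
    """Failed logins with no personal data touched: a security event, not a breach."""
    return triage(Incident(False, False, set(), 0, datetime(2024, 3, 4, 7, 30)))
```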
Security Incident Response — Training Steps
- Introduction
Today's training will teach you about GDPR-compliant incident response - how to assess security events, determine breach notification requirements, and trigger the right procedures when personal data may be compromised.
- Starting Your Shift
Alice begins her morning shift at the Security Operations Center (SOC). The dashboard shows normal activity levels - a few routine alerts that have already been triaged by the overnight team. SecureNet Financial handles payment processing for hundreds of enterprise clients. The SOC monitors for unauthorized access, data exfiltration, policy violations, and other security events around the clock.
- High-Severity Alert
Suddenly, a high-severity alert appears on the dashboard. The SIEM has detected unusual login attempts - multiple failed authentication attempts followed by a successful login from a foreign IP address. The alert indicates the account belongs to a system administrator with elevated privileges. This could be a brute-force attack that succeeded in compromising credentials.
- Analyzing the Login Alert
The alert details reveal concerning information:
- Account: sysadmin_jsmith (System Administrator)
- Source IP: 185.220.101.45 (Eastern Europe)
- Failed attempts: 47 over 3 hours
- Successful login: 06:47 AM local time
- Session duration: 2 hours 13 minutes
The legitimate account owner, John Smith, is currently on vacation in Spain - but the login originated from a different country entirely.
- Second Alert Appears
While reviewing the login alert, a second alert appears - medium severity. The Data Loss Prevention (DLP) system has flagged a large data export request. Someone used the compromised sysadmin account to export customer records from the production database. The export completed before the automated systems could block it.
- The Scope of the Breach
The data export alert reveals the extent of potential damage:
- Records exported: 50,000 customer records
- Data types: Full names, email addresses, phone numbers, financial account numbers, transaction history
- Export destination: External FTP server (IP: 185.220.101.89)
- Time of export: 07:15 AM local time
This is no longer just a security event - personal data has been exfiltrated to an external server controlled by unknown parties.
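How the two alerts in this scenario chain together, as an added detection example that is not part of the training material: it correlates a burst of failed logins, a successful admin login from outside the corporate network, and a DLP export to an external destination within a short window. The log format, the privileged-account list, the internal address range and the sample log lines are constructed assumptions; the account, IPs and times follow the exercise.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp event key=value ..." format,
# not SecureNet Financial's real SIEM output. Account, IPs and times follow the exercise.
SAMPLE_LOGS = """\
2024-03-04T04:02:11 auth_fail user=sysadmin_jsmith src=185.220.101.45
2024-03-04T05:12:30 auth_fail user=sysadmin_jsmith src=185.220.101.45
2024-03-04T06:30:07 auth_fail user=sysadmin_jsmith src=185.220.101.45
2024-03-04T06:47:00 auth_ok user=sysadmin_jsmith src=185.220.101.45
2024-03-04T07:15:00 db_export user=sysadmin_jsmith rows=50000 dst=185.220.101.89
2024-03-04T07:20:00 auth_ok user=analyst_alice src=10.0.4.21
"""
ADMIN_ACCOUNTS = {"sysadmin_jsmith"}  # assumed privileged-account list
INTERNAL_NET = re.compile(r"^10\.")   # assumed corporate address space
LINE = re.compile(r"(\S+) (\S+) (.*)")

def parse(line):
    """Split one line into (timestamp, event type, field dict)."""
    ts, event, rest = LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), event, fields

def correlate(log_text, fail_threshold=3, fail_window=timedelta(hours=3),
              export_window=timedelta(hours=1)):
    """Chain the two alerts: failed-login burst -> external admin login -> export."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ts, ev, f in events:
        if ev != "auth_ok" or f["user"] not in ADMIN_ACCOUNTS or INTERNAL_NET.match(f["src"]):
            continue
        fails = [t for t, e, g in events
                 if e == "auth_fail" and g["user"] == f["user"] and ts - fail_window <= t < ts]
        if len(fails) < fail_threshold:
            continue  # external admin login without a preceding burst: lower priority
        finding = {"user": f["user"], "src": f["src"], "failed_attempts": len(fails),
                   "login_at": ts, "export": None}
        for t2, e2, g2 in events:
            # A DLP export to a non-internal destination shortly after the login
            # escalates the incident to a potential personal data breach.
            if (e2 == "db_export" and g2["user"] == f["user"]
                    and ts <= t2 <= ts + export_window and not INTERNAL_NET.match(g2["dst"])):
                finding["export"] = {"rows": int(g2["rows"]), "dst": g2["dst"], "at": t2}
        findings.append(finding)
    return findings
```

A finding whose `export` field is populated is the point at which the privacy team must be brought in, since the incident now involves personal data leaving the organization.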
- Acknowledging the Alerts
Alice needs to acknowledge both alerts to indicate they are under active investigation. This creates an audit trail showing when the SOC became aware of the potential breach. Under GDPR, the organization is considered 'aware' of a breach when the SOC identifies an incident involving personal data - not when the investigation concludes.
- Acknowledging the Data Export Alert
The unauthorized access has been marked as acknowledged. Now Alice needs to acknowledge the data export alert as well. With both alerts acknowledged, there is a clear timestamp showing when SecureNet Financial became aware of the potential breach involving personal data.
- Checking Compliance Status
Before escalating the incident, Alice checks the compliance dashboard to understand the organization's current security posture. This context helps determine what controls may have failed. Understanding existing compliance gaps can help explain how the breach occurred and what mitigations should be prioritized.
- Identifying the Vulnerability
The compliance dashboard reveals a critical issue:
- Consent Management: Compliant
- DSAR Response Time: Compliant
- Data Encryption: Compliant
- MFA Enforcement: Warning - 23% of admin accounts lack MFA
- Data Retention: Compliant
The compromised sysadmin account was one of the 23% without Multi-Factor Authentication enabled. This security gap allowed the attacker to gain access using only stolen credentials.