INCIDENT RESPONSE · SECURITY & OPS
Incident response playbook: NIST SP 800-61 six-phase model for SMEs
Structured response to security incidents in six phases, with FADP-compliant 72-hour notification to the FDPIC and tooling such as TheHive, Wazuh, and MISP.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is an incident response playbook?
An incident response playbook is a pre-written runbook kept ready for the moment an IT security event threatens a fiduciary, law firm, or SME. The global de-facto standard is NIST Special Publication 800-61 Revision 2, a recommendation by the US National Institute of Standards and Technology. It defines six phases: preparation, detection and analysis, containment, eradication, recovery, and lessons learned. The plan is not a 200-page document but a collection of short, enforceable checklists per incident type (ransomware, data leak, successful phishing, compromised account, LLM data leak).
The duty to prepare in a structured way has been Swiss law since 1 September 2023 under the revised Federal Act on Data Protection (FADP). Article 24 requires controllers to notify the FDPIC of a data security breach likely to result in high risk to affected persons as soon as possible. Practice has settled on 72 hours after becoming aware, mirroring GDPR Article 33. Without a playbook, that deadline is not achievable.
Why it matters
Without a playbook an SME reacts ad-hoc in an incident. Improvisation costs hours during which damage grows, evidence is lost, and notification deadlines slip. Swiss FADP does not impose direct fines for late notification, but reputational risk and civil liability are real. In the EU, late or omitted notifications under GDPR carry fines up to 10 million euro or 2 percent of global annual revenue.
Take a fiduciary: a Friday-evening ransomware event requires client communication by Monday and the FDPIC notification by Wednesday. Without prepared templates, without contacts for cantonal data protection officers, without clear role assignment in a five-person team, this is unachievable.
For AI operators, a new incident category arrives in 2026: LLM incidents. A prompt injection against a poorly secured model can make it leak client data. A hallucination can cause a client damage, with liability consequences. Shadow AI in the office (staff using ChatGPT with client data) is a breach of professional secrecy under Swiss Criminal Code Art. 321. The playbook must cover these.
How the six-phase model works
Phase 1 - Preparation. Before any incident, the preconditions are set. This includes: an up-to-date contact list with the FDPIC hotline (058 462 43 95), responsible cantonal data protection officers, cantonal or federal police (NCSC for critical infrastructure), the cyber insurer, and IT forensic partners. It includes communication templates for clients, staff, regulators, and media. It includes a bootable forensic kit on USB: SIFT Workstation, Velociraptor client, Wireshark, dd, Autopsy. Roles are clearly assigned: Incident Commander (typically the managing director or CISO), Communications Lead, Tech Lead, Legal Lead, Recorder.
Phase 2 - Detection and Analysis. Incidents are detected via monitoring, EDR agents (Wazuh, CrowdStrike Falcon), SIEM alerts, or staff reports. TheHive Project is the leading open-source incident platform in 2026 for triage and case management; Cortex extends it with automated IOC analysis (hash lookups against VirusTotal, AbuseIPDB, MalwareBazaar). MISP shares threat intelligence with other Swiss organisations through the Swiss MISP community.
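As an added example (not code from the page, Wazuh or TheHive), the bridge from Phase 2 detection to case management: a converter that turns Wazuh alert records into TheHive 5 alert payloads for POST /api/v1/alert, applying a level-to-severity mapping, a triage threshold and deduplication by agent, rule and source IP. The sample alerts, the thresholds and the sourceRef scheme are constructed assumptions.

```python
import hashlib

# Constructed Wazuh alert records (alerts.json layout, trimmed to the fields used here).
SAMPLE_ALERTS = [
    {"timestamp": "2026-05-04T08:12:03+0200", "agent": {"id": "003", "name": "fileserver01"},
     "rule": {"level": 10, "id": "5712", "description": "sshd: brute force trying to get access"},
     "data": {"srcip": "203.0.113.42", "dstuser": "root"}},
    {"timestamp": "2026-05-04T08:15:40+0200", "agent": {"id": "003", "name": "fileserver01"},
     "rule": {"level": 3, "id": "5501", "description": "PAM: Login session opened"},
     "data": {"dstuser": "backup"}},
    {"timestamp": "2026-05-04T08:20:11+0200", "agent": {"id": "007", "name": "ws-accounting02"},
     "rule": {"level": 12, "id": "100510", "description": "Mass file rename to .locked extension"},
     "data": {"srcuser": "m.mueller"}},
]
MIN_LEVEL = 7  # assumed threshold: lower levels stay in the SIEM instead of becoming TheHive alerts

def thehive_severity(level):
    """Map a Wazuh rule level (0-15) to TheHive severity 1 (low) .. 4 (critical); assumed mapping."""
    return 4 if level >= 12 else 3 if level >= 10 else 2 if level >= 7 else 1

def source_ref(alert):
    """Stable sourceRef: repeated hits of one rule from one source IP on one agent collapse into one alert."""
    key = "|".join([alert["agent"]["id"], alert["rule"]["id"], alert.get("data", {}).get("srcip", "")])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def observables(alert):
    """Observables in TheHive format; Cortex analysers (VirusTotal, AbuseIPDB) run on these."""
    data = alert.get("data", {})
    obs = [{"dataType": "hostname", "data": alert["agent"]["name"]}]
    if "srcip" in data:
        obs.append({"dataType": "ip", "data": data["srcip"], "tags": ["src"]})
    obs += [{"dataType": "other", "data": data[k], "tags": ["account"]} for k in ("dstuser", "srcuser") if k in data]
    return obs

def build_thehive_alerts(alerts, min_level=MIN_LEVEL):
    """Return deduplicated payloads for POST /api/v1/alert; sending them with the API key is the caller's job."""
    out = {}
    for a in alerts:
        level = a["rule"]["level"]
        if level < min_level:
            continue
        ref = source_ref(a)
        if ref in out:  # already in this batch: note the repeat instead of opening a duplicate alert
            out[ref]["description"] += f"\n- repeat at {a['timestamp']}"
            continue
        out[ref] = {"type": "wazuh", "source": "wazuh-manager", "sourceRef": ref, "severity": thehive_severity(level),
                    "title": f"[{a['agent']['name']}] {a['rule']['description']}",
                    "description": f"Wazuh rule {a['rule']['id']} level {level}\n- first seen {a['timestamp']}",
                    "tags": ["wazuh", f"rule:{a['rule']['id']}", f"agent:{a['agent']['id']}"], "observables": observables(a)}
    return list(out.values())
```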
Phase 3 - Containment. Immediate measures that limit damage without destroying evidence. For ransomware: isolate affected hosts from the network but do not shut down (preserve RAM for forensics). For compromised accounts: rotate passwords, invalidate sessions, enforce MFA. For data leaks: block the exfiltration channel and log accesses.
Phase 4 - Eradication. Eliminate the root cause: remove malware, patch the vulnerability, delete or rebuild compromised accounts, search for backdoor mechanisms.
Phase 5 - Recovery. Restore from backup with verified cleanliness (mount in isolated network, antivirus scan before production), intensified monitoring in the first 72 hours after restore, client communication.
Phase 6 - Lessons Learned. Post-mortem within 14 days, written timeline, identification of weaknesses, playbook update. NIST emphasises this phase as the only one that builds long-term organisational maturity.
Set up the playbook in 6 steps
- 01 Asset inventory: which data, which systems, which confidentiality tiers, which legal duties per data category.
- 02 Assign roles: Incident Commander, Tech Lead, Communications Lead, Legal Lead, Recorder with a deputy per role.
- 03 Contact list: FDPIC, cantonal data protection officer, NCSC, cyber insurer, IT forensic partner, key clients, media spokesperson.
- 04 Templates: FDPIC notification (prepare the online form), client emails per incident type, internal staff letter, media statement.
- 05 Tools kit: deploy TheHive Project plus Cortex (Docker), Wazuh agent on all servers, evaluate joining the Swiss MISP community.
- 06 Tabletop exercise: run an incident scenario twice a year, fold lessons learned into the playbook.
When to write a playbook
A playbook is mandatory reading for any organisation that (a) processes personal data (FADP notification duty), (b) keeps business records digitally (Swiss Code of Obligations Art. 957a retention duty), or (c) operates under professional secrecy (Swiss Criminal Code Art. 321, BGFA for lawyers, MedBG for physicians).
Typical situations: a fiduciary office with three or more staff running payroll for clients. A law firm with a client base and electronic case files. An architecture practice storing plans and fee agreements digitally. An insurance agency with customer data in a CRM. A medical practice with electronic health records. An e-commerce SME holding card data.
Even a single AI consultant operating an LLM bot for a client should keep a mini-playbook - if only because the client will demand it before signing the engagement.
When a playbook is not enough
A playbook does not replace technical controls. If backups are not running, monitoring is absent, MFA is not enforced, and patch management is missing, the playbook lacks its foundation. Steps such as restore-from-backup require that the backup exists and is tested.
A playbook also does not replace practice. A plan never rehearsed will fail on first real use. NIST recommends at least annual tabletop exercises: the team walks through an incident without staging it for real and checks that the playbook holds. Empirical data from 2026: 60 percent of SME playbooks fail at first tabletop (outdated contacts, missing access rights for the tech lead during holiday absence, no backup-mediation contract).
For high-risk organisations (banks, insurers, critical infrastructure under NCSC scope), a self-built playbook is not sufficient. FINMA circulars, SECO IKS requirements, and ISO/IEC 27035 apply, plus a professional incident response retainer with guaranteed SLA.
Trade-offs
STRENGTHS
- Meets FADP Art. 24 and GDPR Art. 33 notification duties within 72 hours
- Reduces ad-hoc damage by a factor of 3 to 10 in real incidents
- Builds trust with clients and insurers (often a cyber-policy prerequisite)
- Unlocks an organisational maturity step through the lessons-learned phase
WEAKNESSES
- Initial effort of 3 to 8 person-days depending on organisational complexity
- Maintenance: two tabletop exercises per year, ongoing contact-list upkeep
- Useless without technical foundations (backup, monitoring, MFA)
- Team adoption needs explicit management sponsorship
FAQ
Is FDPIC notification always required?
No. FADP Art. 24 requires notification only for a data security breach likely to lead to high risk for the personality or fundamental rights of affected persons. Example: theft of a laptop with encrypted disk and no access is usually not high risk. Theft of an unencrypted client file database is. The risk assessment must be documented even if no notification is filed - that is part of accountability.
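An added example (not from the page) of the documented risk assessment this answer calls for: a function that records the awareness time, the 72-hour deadline and the reasons behind the notify or do-not-notify decision, filed either way. The event schema, the sensitive-category list and the person-count threshold are assumptions for illustration, not the FDPIC's criteria.

```python
from datetime import datetime, timedelta

NOTIFY_WINDOW = timedelta(hours=72)  # practice deadline cited above, counted from awareness
SENSITIVE = {"health", "financial", "criminal", "religious", "biometric", "genetic"}  # assumed list
MANY_PERSONS = 100  # assumed threshold above which scale alone aggravates the risk

def assess_breach(event, aware_at):
    """Return a decision record to file whether or not a notification follows.

    event keys (assumed schema): data_categories (list), persons (int), encrypted (bool),
    key_compromised (bool), professional_secrecy (bool).
    aware_at: ISO 8601 timestamp with UTC offset; a naive time is rejected because the
    deadline would otherwise be ambiguous.
    """
    aware = datetime.fromisoformat(aware_at)
    if aware.tzinfo is None:
        raise ValueError("aware_at must carry a UTC offset")
    readable = (not event["encrypted"]) or event["key_compromised"]
    factors = []
    if readable:
        factors.append("data readable by an unauthorised party")
        if event["professional_secrecy"]:
            factors.append("professional secrecy data (Swiss Criminal Code Art. 321)")
        if SENSITIVE & set(event["data_categories"]):
            factors.append("sensitive personal data categories")
        if event["persons"] >= MANY_PERSONS:
            factors.append(f"{event['persons']} affected persons")
    else:
        factors.append("data encrypted at rest and key not compromised")
    high_risk = readable and len(factors) > 1  # readable alone is not enough; one aggravating factor is
    return {"aware_at": aware.isoformat(), "deadline": (aware + NOTIFY_WINDOW).isoformat(),
            "high_risk": high_risk, "notify_fdpic": high_risk, "rationale": factors}
```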
What does TheHive plus Cortex cost?
Both are open source under AGPL v3 (TheHive 5) and LGPL (Cortex). Hardware for a 10-person SME: one Docker host with 4 vCPU, 8 GB RAM, 100 GB disk - about CHF 25/month at Hetzner. Setup effort: 2 to 4 person-days. Commercial TheHive Cloud (StrangeBee) starts at EUR 250/month for small teams, worth considering from around 50 incidents/year.
What does an LLM incident look like in practice?
Example case from May 2026: a fiduciary chatbot with RAG over client files answers a prompt-injection attempt from an unknown user with excerpts from a third party's file. This is simultaneously a FADP breach (Art. 24), a professional secrecy violation (Swiss Criminal Code Art. 321), and potentially relevant under the EU AI Act. Containment: take the chatbot offline, analyse the audit log, identify affected clients. FDPIC notification within 72 hours, immediate client information, post-mortem with system-prompt refactoring and additional output sanitisation.
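An added example (not the page's or any vendor's code) of the two controls such a post-mortem typically adds to a multi-client RAG bot: tenant filtering before retrieval, and an output guard that blocks and logs any answer quoting another client's file, which also gives the incident team its affected-client list. The index chunks, the llm callable and the n-word match length are constructed assumptions.

```python
import re

# Constructed RAG index: every chunk carries the client (tenant) whose file it came from.
CHUNKS = [
    {"id": "doc-1001", "client_id": "C-ALPHA", "text": "Alpha AG payroll 2025: 14 employees, gross total CHF 1.2 million"},
    {"id": "doc-1002", "client_id": "C-ALPHA", "text": "Alpha AG VAT return Q1 2026 filed on 28 April"},
    {"id": "doc-2001", "client_id": "C-BETA", "text": "Beta GmbH shareholder loan of CHF 300000 granted to the founder"},
]
OWNER = {c["id"]: c["client_id"] for c in CHUNKS}

def _tokens(text):
    return re.findall(r"\w+", text.lower())

def retrieve(query, client_id, k=3):
    """Tenant filter first, ranking second: the model never sees other clients' chunks,
    so nothing in the prompt can widen the retrieval scope."""
    scope = [c for c in CHUNKS if c["client_id"] == client_id]
    q = set(_tokens(query))
    return sorted(scope, key=lambda c: -len(q & set(_tokens(c["text"]))))[:k]

def foreign_quotes(answer, client_id, n=5):
    """IDs of other tenants' chunks of which some n-word run appears verbatim in the answer."""
    a = " " + " ".join(_tokens(answer)) + " "
    hits = []
    for c in CHUNKS:
        if c["client_id"] == client_id:
            continue
        t = _tokens(c["text"])
        if any(" " + " ".join(t[i:i + n]) + " " in a for i in range(len(t) - n + 1)):
            hits.append(c["id"])
    return hits

def answer_query(query, client_id, llm, audit_log):
    """llm(context_texts, query) -> str is the assumed model call. The output guard is the
    second line of defence: a hit is logged as an incident and never returned to the user."""
    context = retrieve(query, client_id)
    answer = llm([c["text"] for c in context], query)
    leaked = foreign_quotes(answer, client_id)
    audit_log.append({"client_id": client_id, "retrieved": [c["id"] for c in context], "blocked": leaked})
    return "This request cannot be answered; the event has been logged for review." if leaked else answer

def affected_clients(audit_log):
    """Containment helper: owners of every chunk the guard had to block, for the client notification list."""
    return sorted({OWNER[cid] for entry in audit_log for cid in entry["blocked"]})
```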
How often must the playbook be updated?
At least after every tabletop exercise and after every real incident during the lessons-learned phase. Plus a scheduled review once a year: refresh contacts, add new threat scenarios (new phishing variants, new ransomware families). For major regulatory changes (EU AI Act, FADP revision) trigger a targeted review.
Sources
- NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide · 2026-04
- EDÖB (FDPIC) - Reporting data protection breaches (procedure and online form) · 2026-05
- BSI IT-Grundschutz DER.2.1 Handling of security incidents · 2026-03
- TheHive Project 5 - Documentation (StrangeBee) · 2026-05
- NCSC Switzerland - Federal Office for Cybersecurity, incident reporting · 2026-04