claude-skills-reference/c-level-advisor/ciso-advisor/references/incident_response.md
Alireza Rezvani 466aa13a7b feat: C-Suite expansion — 8 new executive advisory roles (2→10) (#264)
* feat: C-Suite expansion — 8 new executive advisory roles

Add COO, CPO, CMO, CFO, CRO, CISO, CHRO advisors and Executive Mentor.
Expands C-level advisory from 2 to 10 roles with 74 total files.

Each role includes:
- SKILL.md (lean, <5KB, ~1200 tokens for context efficiency)
- Reference docs (loaded on demand, not at startup)
- Python analysis scripts (stdlib only, runnable CLI)

Executive Mentor features /em: slash commands (challenge, board-prep,
hard-call, stress-test, postmortem) with devil's advocate agent.

21 Python tools, 24 reference frameworks, 28,379 total lines.
All SKILL.md files combined: ~17K tokens (8.5% of 200K context window).

Badge: 88 → 116 skills

* feat: C-Suite orchestration layer + 18 complementary skills

ORCHESTRATION (new):
- cs-onboard: Founder interview → company-context.md
- chief-of-staff: Routing, synthesis, inter-agent orchestration
- board-meeting: 6-phase multi-agent deliberation protocol
- decision-logger: Two-layer memory (raw transcripts + approved decisions)
- agent-protocol: Inter-agent invocation with loop prevention
- context-engine: Company context loading + anonymization

CROSS-CUTTING CAPABILITIES (new):
- board-deck-builder: Board/investor update assembly
- scenario-war-room: Cascading multi-variable what-if modeling
- competitive-intel: Systematic competitor tracking + battlecards
- org-health-diagnostic: Cross-functional health scoring (8 dimensions)
- ma-playbook: M&A strategy (acquiring + being acquired)
- intl-expansion: International market entry frameworks

CULTURE & COLLABORATION (new):
- culture-architect: Values → behaviors, culture code, health assessment
- company-os: EOS/Scaling Up operating system selection + implementation
- founder-coach: Founder development, delegation, blind spots
- strategic-alignment: Strategy cascade, silo detection, alignment scoring
- change-management: ADKAR-based change rollout framework
- internal-narrative: One story across employees/investors/customers

UPGRADES TO EXISTING ROLES:
- All 10 roles get reasoning technique directives
- All 10 roles get company-context.md integration
- All 10 roles get board meeting isolation rules
- CEO gets stage-adaptive temporal horizons (seed→C)

Key design decisions:
- Two-layer memory prevents hallucinated consensus from rejected ideas
- Phase 2 isolation: agents think independently before cross-examination
- Executive Mentor (The Critic) sees all perspectives, others don't
- 25 Python tools total (stdlib only, no dependencies)

52 new files, 10 modified, 10,862 new lines.
Total C-suite ecosystem: 134 files, 39,131 lines.

* fix: connect all dots — Chief of Staff routes to all 28 skills

- Added complementary skills registry to routing-matrix.md
- Chief of Staff SKILL.md now lists all 28 skills in ecosystem
- Added integration tables to scenario-war-room and competitive-intel
- Badge: 116 → 134 skills
- README: C-Level Advisory count 10 → 28

Quality audit passed:
- All 10 roles: company-context, reasoning, isolation, invocation
- All 6 phases in board meeting
- Two-layer memory with DO_NOT_RESURFACE
- Loop prevention (no self-invoke, max depth 2, no circular)
- All /em: commands present
- All complementary skills cross-reference roles
- Chief of Staff routes to every skill in ecosystem

* refactor: CEO + CTO advisors upgraded to C-suite parity

Both roles now match the structural standard of all new roles:
- CEO: 11.7KB → 6.8KB SKILL.md (heavy content stays in references)
- CTO: 10KB → 7.2KB SKILL.md (heavy content stays in references)

Added to both:
- Integration table (who they work with and when)
- Key diagnostic questions
- Structured metrics dashboard table
- Consistent section ordering (Keywords → Quick Start → Responsibilities → Questions → Metrics → Red Flags → Integration → Reasoning → Context)

CEO additions:
- Stage-adaptive temporal horizons (seed=3m/6m/12m → B+=1y/3y/5y)
- Cross-references to culture-architect and board-deck-builder

CTO additions:
- Key Questions section (7 diagnostic questions)
- Structured metrics table (DORA + debt + team + architecture + cost)
- Cross-references to all peer roles

All 10 roles now pass structural parity: Keywords, QuickStart, Questions, Metrics, RedFlags, Integration

* feat: add proactive triggers + output artifacts to all 10 roles

Every C-suite role now specifies:
- Proactive Triggers: 'surface these without being asked' — context-driven
  early warnings that make advisors proactive, not reactive
- Output Artifacts: concrete deliverables per request type (what you ask →
  what you get)

CEO: runway alerts, board prep triggers, strategy review nudges
CTO: deploy frequency monitoring, tech debt thresholds, bus factor flags
COO: blocker detection, scaling threshold warnings, cadence gaps
CPO: retention curve monitoring, portfolio dog detection, research gaps
CMO: CAC trend monitoring, positioning gaps, budget staleness
CFO: runway forecasting, burn multiple alerts, scenario planning gaps
CRO: NRR monitoring, pipeline coverage, pricing review triggers
CISO: audit overdue alerts, compliance gaps, vendor risk
CHRO: retention risk, comp band gaps, org scaling thresholds
Executive Mentor: board prep triggers, groupthink detection, hard call surfacing

This transforms the C-suite from reactive advisors into proactive partners.

* feat: User Communication Standard — structured output for all roles

Defines 3 output formats in agent-protocol/SKILL.md:

1. Standard Output: Bottom Line → What → Why → How to Act → Risks → Your Decision
2. Proactive Alert: What I Noticed → Why It Matters → Action → Urgency (🔴🟡)
3. Board Meeting: Decision Required → Perspectives → Agree/Disagree → Critic → Action Items

10 non-negotiable rules:
- Bottom line first, always
- Results and decisions only (no process narration)
- What + Why + How for every finding
- Actions have owners and deadlines ('we should consider' is banned)
- Decisions framed as options with trade-offs
- Founder is the highest authority — roles recommend, founder decides
- Risks are concrete (if X → Y, costs $Z)
- Max 5 bullets per section
- No jargon without explanation
- Silence over fabricated updates

All 10 roles reference this standard.
Chief of Staff enforces it as a quality gate.
Board meeting Phase 4 uses the Board Meeting Output format.

* feat: Internal Quality Loop — verification before delivery

No role presents to the founder without passing verification:

Step 1: Self-Verification (every role, every time)
  - Source attribution: where did each data point come from?
  - Assumption audit: [VERIFIED] vs [ASSUMED] tags on every finding
  - Confidence scoring: 🟢 high / 🟡 medium / 🔴 low per finding
  - Contradiction check against company-context + decision log
  - 'So what?' test: every finding needs a business consequence

Step 2: Peer Verification (cross-functional)
  - Financial claims → CFO validates math
  - Revenue projections → CRO validates pipeline backing
  - Technical feasibility → CTO validates
  - People/hiring impact → CHRO validates
  - Skip for single-domain, low-stakes questions

Step 3: Critic Pre-Screen (high-stakes only)
  - Irreversible decisions, >20% runway impact, strategy changes
  - Executive Mentor finds weakest point before founder sees it
  - Suspicious consensus triggers mandatory pre-screen

Step 4: Course Correction (after founder feedback)
  - Approve → log + assign actions
  - Modify → re-verify changed parts
  - Reject → DO_NOT_RESURFACE + learn why
  - 30/60/90 day post-decision review

Board meeting contributions now require self-verified format with
confidence tags and source attribution on every finding.

* fix: resolve PR review issues 1, 4, and minor observation

Issue 1: c-level-advisor/CLAUDE.md — completely rewritten
  - Was: 2 skills (CEO, CTO only), dated Nov 2025
  - Now: full 28-skill ecosystem map with architecture diagram,
    all roles/orchestration/cross-cutting/culture skills listed,
    design decisions, integration with other domains

Issue 4: Root CLAUDE.md — updated all stale counts
  - 87 → 134 skills across all 3 references
  - C-Level: 2 → 33 (10 roles + 5 mentor commands + 18 complementary)
  - Tool count: 160+ → 185+
  - Reference count: 200+ → 250+

Minor observation: Documented plugin.json convention
  - Explained in c-level-advisor/CLAUDE.md that only executive-mentor
    has plugin.json because only it has slash commands (/em: namespace)
  - Other skills are invoked by name through Chief of Staff or directly

Also fixed: README.md 88+ → 134 in two places (first line + skills section)

* fix: update all plugin/index registrations for 28-skill C-suite

1. c-level-advisor/.claude-plugin/plugin.json — v2.0.0
   - Was: 2 skills, generic description
   - Now: all 28 skills listed with descriptions, all 25 scripts,
     namespace 'cs', full ecosystem description

2. .codex/skills-index.json — added 18 complementary skills
   - Was: 10 roles only
   - Now: 28 total c-level entries (10 roles + 6 orchestration +
     6 cross-cutting + 6 culture)
   - Each with full description for skill discovery

3. .claude-plugin/marketplace.json — updated c-level-skills entry
   - Was: generic 2-skill description
   - Now: v2.0.0, full 28-skill ecosystem description,
     skills_count: 28, scripts_count: 25

* feat: add root SKILL.md for c-level-advisor ClawHub package

---------

Co-authored-by: Leo <leo@openclaw.ai>
2026-03-06 01:35:08 +01:00


Incident Response Reference (Executive Playbook)

This is the executive IR playbook — strategic decisions, communication, and leadership during incidents. For technical playbooks (containment procedures, forensics), see your SOC runbooks.


1. Incident Classification

Severity Levels

| Severity | Definition | Examples | Response Time | Escalation |
|---|---|---|---|---|
| SEV-1 (Critical) | Confirmed breach, data exfil, ransomware, production down | Active ransomware, confirmed data theft, complete service outage | Immediate (< 1 hour) | CEO, board within 24 hrs |
| SEV-2 (High) | Suspected breach, significant security event, extended outage | Credential compromise suspected, DDoS, 4-hour+ outage | < 4 hours | CEO, legal within 48 hrs |
| SEV-3 (Medium) | Security event with limited impact, short outage | Phishing success (contained), brief outage, single system compromise | < 24 hours | CISO-owned, weekly rollup |
| SEV-4 (Low) | Minor security event, near-miss | Failed phishing attempt, minor policy violation | < 72 hours | Team-owned |

Breach vs. Security Incident

Security incident: Unplanned event affecting security — may or may not involve data.

Data breach: Confirmed unauthorized access to personal data — triggers regulatory notification obligations.

Critical distinction for response planning: A ransomware attack is an incident. If data was exfiltrated before encryption, it's also a breach. Assume breach until proven otherwise.


2. Executive IR Plan

Phase 1: Detection & Initial Assessment (0–2 hours for SEV-1)

Immediate actions (CISO):

  1. Receive alert from SOC/monitoring system or team member report
  2. Make initial severity classification — don't wait for perfect information
  3. Activate incident response team (IR lead, legal counsel, comms lead)
  4. Create incident war room (dedicated Slack channel, video bridge, shared document)
  5. Stop the clock — document exact time of discovery (regulatory timelines start here)
  6. Begin chain of custody documentation if forensics may be needed

Executive notification trigger (within 1 hour for SEV-1):

  • Notify CEO: incident status, initial severity, IR team activated
  • Put legal counsel on notice — don't wait to determine if breach occurred
  • If public company: notify General Counsel immediately (potential disclosure obligations)

What you do NOT do in Phase 1:

  • Do not notify customers yet (confirm scope first)
  • Do not delete or modify any logs or systems (evidence preservation)
  • Do not make public statements
  • Do not speculate about cause or scope

Phase 2: Containment & Assessment (2–24 hours for SEV-1)

Executive decisions required:

  • Scope authorization: Approve IR firm engagement (have a retainer in place)
  • System isolation: Authorize taking systems offline if needed (revenue vs. evidence tradeoff)
  • Evidence preservation: Authorize forensic image capture
  • Communication timing: When to notify customers/partners (legal drives this)

Board notification (for SEV-1/2):

  • Notify board chair / audit committee chair within 24 hours for SEV-1
  • Board notification format: what we know, what we don't know, what we're doing, next update time
  • Do not speculate on financial impact in board notification until known

Legal assessment (with counsel):

  • Determine if personal data was involved
  • Identify applicable notification laws (GDPR 72-hour, state breach notification, HIPAA 60-day)
  • Assess litigation risk (document with privilege from this point)
  • Evaluate cyber insurance policy coverage and notification requirements

Phase 3: Notification & Communication (24–72 hours for SEV-1)

Notification decision matrix:

| Audience | Trigger | Timeline | Owner |
|---|---|---|---|
| Board | SEV-1/2 confirmed | < 24 hours | CEO/CISO |
| Regulators (GDPR) | Personal data breach confirmed | < 72 hours from awareness | Legal + CISO |
| Regulators (HIPAA) | PHI breach confirmed | < 60 days (early notice to HHS ASAP) | Legal + CISO |
| State regulators (US) | State breach notification laws vary | 30–90 days depending on state | Legal |
| Enterprise customers | Data confirmed in scope | As soon as practical after legal review | CEO/CRO |
| All customers | Data potentially in scope | After regulators notified | CEO/Comms |
| Media | Proactive or reactive | After notifying affected parties | CEO/Comms |
| Cyber insurer | Incident confirmed | Per policy terms (often 48–72 hours) | CFO/Legal |
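A deadline tracker that encodes the matrix above, added here as an example (it is not the playbook's own code nor one of the repository's scripts). Every clock starts at the Phase 1 "stop the clock" discovery time; the 48-hour insurer window and the sample timestamps are assumptions, and an unknown personal-data scope still schedules the GDPR clock, marked provisional, per "assume breach until proven otherwise".

```python
"""Notification-deadline tracker for the executive notification matrix.

Added example (not the playbook's own code). Every clock starts at the
Phase 1 discovery time. Unknown personal-data scope still schedules the
GDPR clock ("assume breach until proven otherwise") and marks it provisional.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Incident:
    discovered_at: datetime                # "stop the clock" timestamp
    severity: int                          # 1 = SEV-1 ... 4 = SEV-4
    personal_data: Optional[bool] = None   # None = not yet determined
    phi: bool = False                      # HIPAA PHI confirmed in scope
    insurer_window_h: int = 48             # assumed; read your policy terms
    notified_at: dict = field(default_factory=dict)  # audience -> datetime

@dataclass
class Obligation:
    audience: str
    owner: str
    due: datetime
    provisional: bool = False              # scheduled under assume-breach rule

def obligations(inc: Incident) -> list:
    """Derive the deadline list from the notification matrix."""
    t0 = inc.discovered_at
    out = []
    if inc.severity in (1, 2):
        out.append(Obligation("Board", "CEO/CISO", t0 + timedelta(hours=24)))
    if inc.personal_data is not False:     # confirmed, or unknown: assume breach
        out.append(Obligation("Regulators (GDPR)", "Legal + CISO",
                              t0 + timedelta(hours=72),
                              provisional=inc.personal_data is None))
    if inc.phi:
        out.append(Obligation("Regulators (HIPAA)", "Legal + CISO",
                              t0 + timedelta(days=60)))
    out.append(Obligation("Cyber insurer", "CFO/Legal",
                          t0 + timedelta(hours=inc.insurer_window_h)))
    return out

def status(inc: Incident, now: datetime) -> dict:
    """Map audience -> (state, hours, provisional): met/late for sent notices,
    open/overdue for pending ones; hours is slack (+) or time past due (-)."""
    result = {}
    for ob in obligations(inc):
        sent = inc.notified_at.get(ob.audience)
        ref = sent if sent is not None else now
        hours = round((ob.due - ref).total_seconds() / 3600, 1)
        if sent is not None:
            state = "met" if hours >= 0 else "late"
        else:
            state = "open" if hours >= 0 else "overdue"
        result[ob.audience] = (state, hours, ob.provisional)
    return result

def sample_incident():
    """Constructed sample: SEV-1, data scope still unknown, 50 h after discovery."""
    t0 = datetime(2026, 3, 6, 1, 0, tzinfo=timezone.utc)
    inc = Incident(discovered_at=t0, severity=1,
                   notified_at={"Board": t0 + timedelta(hours=20)})
    return inc, t0 + timedelta(hours=50)

if __name__ == "__main__":
    inc, now = sample_incident()
    for audience, (state, hours, prov) in status(inc, now).items():
        print(f"{audience:<18} {state:<8} {hours:+6.1f} h"
              + ("  provisional: confirm data scope" if prov else ""))
```

Run it in the war room with the real discovery time and notification log; "late" rows are what the board and regulators will ask about.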

Phase 4: Recovery (Ongoing)

Executive decisions:

  • Approve recovery timeline and communicate to customers
  • Determine customer compensation or remediation (if applicable)
  • Authorize security improvements identified during incident
  • Decide on public disclosure beyond mandatory reporting

Phase 5: Post-Incident Review (Within 30 days)

Covered in Section 5 of this document.


3. Communication Templates

Board/Executive Notification (Initial — Hour 1)

Subject: [CONFIDENTIAL] Security Incident — Immediate Notification


We have identified a security incident as of [DATE/TIME].

Current status: [Brief factual description — what we know happened]

Severity assessment: SEV-[1/2/3]

What we do not yet know:

  • [List unknowns — scope of impact, whether data was accessed, root cause]

Actions taken so far:

  • IR team activated at [time]
  • Legal counsel notified
  • [Specific containment actions if applicable]

Next update: [Specific time, e.g., "in 4 hours or when we have material new information"]

Who is managing this: [CISO name] leads technical response; [CEO name] owns executive decisions. Contact: [CISO mobile]


Customer Notification (Data Breach)

Subject: Important Security Notice — [Company Name]


We are writing to inform you of a security incident that may have affected your data.

What happened: On [DATE], we detected [brief, factual description of the incident — e.g., "unauthorized access to our systems"]. We identified this on [DISCOVERY DATE] and immediately launched an investigation.

What information was involved: Based on our investigation, the following types of information may have been accessed: [list data types — e.g., names, email addresses, [if applicable: payment card information]].

Your [specific data types] [were / were not] affected.

What we are doing: We have [list specific actions: engaged leading cybersecurity firm, notified relevant authorities, implemented additional security controls, etc.].

What you can do:

  • [Specific actionable steps for customers]
  • Monitor your accounts for unusual activity
  • [If passwords: reset your password at X]
  • [If payment data: contact your bank to monitor for unauthorized charges]
  • Contact our dedicated support line at [contact] with any concerns

For more information: We have set up a dedicated resource page at [URL]. Our support team is available at [contact].

We take the security of your data extremely seriously and deeply regret this incident occurred.

[CEO/CISO Name]
[Title], [Company Name]


Regulator Notification — GDPR (72-hour requirement)

To: [Relevant Supervisory Authority — e.g., BfDI (Germany), CNIL (France), ICO (UK)]
Subject: Personal Data Breach Notification — [Company Name] — [Reference Number if applicable]


1. Nature of the breach: [Description of what occurred, including how it happened]

2. Categories and approximate number of data subjects concerned: [e.g., "Approximately [X] customers whose [name, email, account data] may have been accessed"]

3. Categories and approximate number of personal data records concerned: [e.g., "Approximately [X] records containing [data categories]"]

4. Likely consequences of the breach: [Risk assessment: what harm could data subjects face?]

5. Measures taken or proposed: [Containment actions, remediation plan, customer notification plan]

6. Contact details of the Data Protection Officer or other contact point: [Name, role, email, phone]

Note: This is an initial notification; we will provide supplemental information as our investigation continues.


Media Statement (Reactive — When Contacted)

"[Company Name] is aware of a security incident that we identified on [date]. We immediately activated our incident response team and launched a comprehensive investigation. We have notified affected customers and relevant regulatory authorities as required. The security and privacy of our customers' data is our top priority, and we are committed to transparency as our investigation proceeds. We will provide updates at [URL]. We cannot provide additional details at this time to protect the integrity of our investigation."

What not to say to media:

  • Number of affected users (until confirmed and disclosed to customers first)
  • Cause of the incident (until investigation is complete)
  • Financial impact (speculation creates liability)
  • Anything that could be construed as minimizing the incident

4. Tabletop Exercise Design

Purpose

Test the decision-making and communication processes — not the technical response. The goal is to surface gaps in escalation, communication, and judgment before a real incident.

  • Annual full tabletop (2–3 hours, full leadership team)
  • Semi-annual mini-tabletop (45 minutes, CISO + legal + CEO)
  • Quarterly technical team exercise (separate from executive tabletop)

Sample Tabletop Scenario: Ransomware

Setup (read to participants):

It's 6:47 AM on a Monday. Your DevOps engineer receives automated alerts that production databases are inaccessible. By 7:15 AM, they discover a ransomware note demanding $500,000 in Bitcoin. Several files are already encrypted. Your last verified backup was 48 hours ago. Your business is B2B SaaS serving 200 enterprise customers. You process customer financial data.

Discussion questions (timed, 10 minutes each):

  1. First 30 minutes — who do you call, in what order? Who decides whether to take production offline?
  2. Legal assessment — what regulatory obligations have been triggered? What's the timeline?
  3. Hour 4 — initial forensics suggests data may have been exfiltrated before encryption. How does your response change?
  4. Customer communication — how do you communicate with enterprise customers who are asking for status?
  5. Hour 24 — do you pay the ransom? Who makes this decision? What's the decision framework?
  6. The press has found out and a reporter is calling. What do you say?
  7. Day 5 — what's your board communication strategy?

Post-discussion captures:

  • What decisions were unclear (ownership ambiguous)?
  • What information did you need but didn't have?
  • What processes did not exist that should?
  • What would you do differently in the first hour?

Sample Tabletop Scenario: Insider Threat

Setup:

HR notifies you that an engineer was terminated this morning for performance reasons. 24 hours later, your SIEM generates an alert that this former employee's credentials accessed your customer database 30 minutes before their offboarding was complete. They downloaded 50,000 customer records. You don't know if they shared or sold the data.

Key decision points:

  • When does this become a breach vs. a security incident?
  • Do you notify customers? When?
  • What are your legal options against the former employee?
  • How do you handle this with the rest of the engineering team?

5. Post-Incident Review Framework

Timeline

Conduct within 30 days of incident resolution. Do not delay — memory fades and teams move on.

Blameless Post-Mortem Principles

The purpose is to improve systems and processes, not punish individuals. A blame culture means the next incident gets hidden longer.

Post-Incident Review Structure

1. Incident Timeline (factual, no editorializing)

  • Hour-by-hour reconstruction from detection to resolution
  • Source: logs, Slack messages, incident ticket, war room notes

2. Root Cause Analysis

Use the "5 Whys" technique — keep asking why until you reach a systemic root cause, not a human error.

Example:

  • Why was there a breach? → Attacker compromised an admin account
  • Why was the admin account compromised? → Credentials stolen via phishing
  • Why did phishing succeed? → User wasn't trained on this attack type
  • Why wasn't training current? → Training program hadn't been updated in 18 months
  • Why hadn't it been updated? → No owner was assigned to maintain the training program
  • Root cause: No assigned ownership for security training maintenance

3. What Went Well

  • Detection mechanisms that worked
  • Response actions that contained damage
  • Communication that was effective
  • Teams that exceeded expectations

4. What Needs Improvement

  • Detection gaps (how could we have found this faster?)
  • Response gaps (what slowed us down?)
  • Communication gaps (who didn't know what, when?)
  • Process gaps (what didn't we have documented?)

5. Action Items (with owners and deadlines)

| Action | Owner | Due Date | Priority |
|---|---|---|---|
| [Specific improvement] | [Name] | [Date] | [P0/P1/P2] |

6. Metrics Review

  • MTTD (Mean Time to Detect): [actual] vs. [target]
  • MTTR (Mean Time to Respond): [actual] vs. [target]
  • Customer impact: [affected customers, duration]
  • Financial impact: [direct costs, revenue impact]
  • Regulatory impact: [notifications sent, fines if any]

Cyber Insurance

What to have before an incident:

  • Cyber liability policy with minimum $2M coverage (Series A); $5M+ (Series B+)
  • Coverage should include: first-party loss, third-party liability, ransomware, business interruption, regulatory defense
  • Pre-approved IR firms on your policy (using an approved firm can expedite claims)
  • Notification requirements — know your insurer's required timeline (typically 48–72 hours)

Policy exclusions to watch:

  • "War exclusion" — increasingly contested for nation-state attacks (NotPetya precedent)
  • "Systemic risk" — some policies exclude widespread events affecting many insureds simultaneously
  • "Prior acts" — incidents that began before policy inception
  • "Failure to maintain reasonable security" — don't give your insurer a reason to deny

Premium factors:

  • Revenue and data volume
  • Security control maturity (MFA, EDR, backup, patch management)
  • Industry (healthcare, financial services = higher premium)
  • Claims history

Ballpark premiums:

  • Seed/Series A ($1–10M ARR): $8,000–$25,000/yr
  • Series B ($10–50M ARR): $25,000–$75,000/yr
  • Series C+ ($50M+ ARR): $75,000–$250,000/yr

Legal Counsel

Have on retainer before an incident:

  • Cybersecurity/privacy attorney — breach notification, regulatory response
  • General counsel — contracts, employment law (insider threats), litigation
  • Consider: a law firm with data breach notification experience by jurisdiction

Attorney-client privilege: Once legal counsel is involved in an incident, communications and work product may be privileged. Engage counsel early to maximize privilege protection.

Key legal decisions during an incident:

  • When does notification obligation clock start? (Legal determines this)
  • Is this a breach or an incident? (Legal + CISO together)
  • Who are the affected data subjects? (Legal + technical together)
  • Do we pay the ransom? (Legal, CEO, board — never CISO alone)
  • Do we cooperate with law enforcement? (Legal decision, involves trade-offs)

Law Enforcement

FBI Internet Crime Complaint Center (IC3): File a complaint for ransomware or significant cybercrime. Does not obligate you to cooperate but creates a record.

Pros of law enforcement involvement:

  • Access to threat intelligence they may have
  • May recover funds in some cases (rare)
  • Demonstrates good-faith response to regulators

Cons of law enforcement involvement:

  • Loss of control over investigation timeline
  • Potential for public disclosure if case pursued
  • Slows ransom payment decisions (if considering)
  • May create discovery obligations in litigation

CISO recommendation: Notify legal before contacting law enforcement. In most cases, file an IC3 complaint but don't actively engage FBI investigation unless there's a clear benefit.