Security Incident Confidential Data Exposure workflow template

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read

    • The Security Incident - Confidential Data Exposure - Template allows you to perform a series of tasks designed to handle the exposure of sensitive data.

    Before you begin

    Role required: sn_si.write

    About this task

    The workflow is triggered when the Category in a security incident is set or changed to Confidential personal identity data exposure. This action causes a response task to be created for the first activity in the workflow.

    Figure 1. Confidential personal identity data exposure
    Confidential Data Exposure Template

    Procedure

    1. Open the security incident for which you want to handle the exposure to sensitive data, or create a new security incident.
    2. In Category, select Confidential personal identity data exposure.
    3. Save the record.
    4. Scroll down and open the Response Tasks related list.
      The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the flow to end.
      Table 1. Response tasks in Confidential Data Exposure Template
      Response task Description Results
      Is the data sensitive? Determine whether the data associated with this security incident is sensitive or confidential. In the task, select Yes or No in Outcome. If you selected Yes, the next response task is executed.

      If you selected No, the flow ends.
      Determine root cause and prevent egress Determine the root cause of the attack and add egress filtering to stop the exfiltration, updating the State field in the task as appropriate. If you change the state of the task to Closed Complete or Cancelled, the next response task is executed.
      Eliminate exposure related to root cause Based on the root cause, perform the steps to eliminate the exposure, updating the State field in the task as appropriate. If you change the state of the task to Closed Complete or Cancelled, the next response task is executed.
      Quarantine residual artifacts Perform the steps to quarantine any residual artifacts, updating the State field in the task as appropriate. If you change the state of the task to Closed Complete or Cancelled, the next response task is executed.
      Legal process Perform the steps to satisfy the legal requirements of this analysis, updating the State field in the task as appropriate. If you change the state of the task to Closed Complete or Cancelled, the next response task is executed.
      PR process Perform the steps to satisfy the PR requirements of this analysis, updating the State field in the task as appropriate. If you change the state of the task to Closed Complete or Cancelled, the next response task is executed.
      Set state to review No action required. The State of the security incident is automatically changed to Review.
      Lessons learned meeting Conduct a lessons learned meeting to triage the work performed on this sensitive data, updating the State field in the task as appropriate. If you change the state of the task to Closed Complete or Cancelled, the security incident remains in the Review state until you close it.