Lost / Stolen Device Playbook

This manual playbook handles an incident for a lost or stolen device. It guides the analyst through various steps to validate the type of device and its contents, and the required steps for response and remediation. Initial incident details should be the name of the reporting person or ID of the SIEM alert/incident, and description of the lost device.

Lost / Stolen Device · 55 tasks · 0 inputs · 0 outputs

Flowchart

no yes no yes yes yes yes yes no yes no yes no yes no yes start_task start_task Triage Triage Notify and involve appropriate personnel Notify and involve approp... Was the incident reported by a person? Was the incident reported... Display full details for the alert Display full details for ... Was this person the owner of the device? Was this person the owner... Interview reporter of the incident and document their full account Interview reporter of the... Retrieve equipment information for the device from ERP software Retrieve equipment inform... Retrieve device profile from IT asset management software Retrieve device profile f... Retrieve employee information of the device's owner from HR software Retrieve employee informa... Interview owner of device and document full account of the incident Interview owner of device... Report theft of device to authorities (including serial numbers) Report theft of device to... Assess severity by reviewing device details and contents of latest backup Assess severity by review... Respond Respond Does the device support remote lockdown? Does the device support r... Activate remote lockdown on the device Activate remote lockdown ... Is the device a mobile phone? Is the device a mobile ph... Contact the mobile service provider to report the device as stolen Contact the mobile servic... Request that the mobile service provider lock the SIM card Request that the mobile s... Remove the phone number from any 2-factor authentication profiles Remove the phone number f... Cancel any credit cards stored on the device Cancel any credit cards s... Change password to any financial or bank account stored on the device Change password to any fi... Disable compromised AD user account(s) Disable compromised AD us... Revoke VPN credentials Revoke VPN credentials Revoke DLP keys/credentials so documents on the device cannot be decrypted Revoke DLP keys/credentia... Change account passwords for any cloud-based solutions used by the organization Change account passwords ... Instruct owner to change passwords for any personal accounts Instruct owner to change ... Lock / Rotate any other compromised accounts, keys and credentials Lock / Rotate any other c... Was the device managed by an MDM solution? Was the device managed by... Mark the device as stolen in MDM Mark the device as stolen... Did the device have tracking software installed? Did the device have track... Remotely activate tracking software on the device Remotely activate trackin... Periodically check if tracking software became active and sent results Periodically check if tra... Does the device support remote wiping? Does the device support r... Did the device contain any unique critical business data? Did the device contain an... Remotely wipe the device Remotely wipe the device Was the device encrypted and turned off at the time of theft? Was the device encrypted ... Remotely wipe the device Remotely wipe the device Escalate the decision to management Escalate the decision to ... Did management decide to wipe the device? Did management decide to ... Document the decision including written authorization to not wipe Document the decision inc... Remotely wipe the device Remotely wipe the device Remove the stolen device from the organization's domain(s) Remove the stolen device ... Remove the device's MAC address from any allow lists Remove the device's MAC a... Blacklist the stolen device in WiFi and NAC Blacklist the stolen devi... Insert device's MAC address to network security watchlists Insert device's MAC addre... Is the organization using an enterprise WiFi solution with individual auth? Is the organization using... Send a memo to users of the affected WiFi network(s) with new password Send a memo to users of t... Change the WiFi passwords for all networks accessible from the compromised device Change the WiFi passwords... Revoke WiFi credentials Revoke WiFi credentials Final steps Final steps Check with owner if they were using a common password shared with other users Check with owner if they ... Open a ticket for procurement to mark the device as stolen in ERP software Open a ticket for procure... Open a ticket for new device to be supplied and provisioned by IT Open a ticket for new dev... Issue report to CISO by email Issue report to CISO by e...