In the discussion of #302 in this week's meeting, we agreed it was worth entertaining a proposal for a control to cover:
Incident Response - We talk about having a security policy (OSPS-VM-01, OSPS-VM-02) but don't talk about what to do or how to prepare for incidents. What happens if your keys get compromised? What do you do if someone breaks into your CI? We could add some instructions for folks to have prepared for the day when things go bad.
@david-a-wheeler specifically noted that he would like to see an example of an acceptable policy at the time a control is proposed.