Goal templates — Incident Response — P2
Security · Incident Response · P2 — Developing Professional
These are canon-derived frames, not advice: every line is either verbatim JobFrame canon text or a fixed template wrapping it. ⟨target⟩ / ⟨baseline⟩ / ⟨date⟩ are placeholders for the manager to fill in. Nothing here is generated by AI — rows are omitted, never invented, when the canon lacks the underlying field.
SMART goals
One row per canon core output / responsibility this level owns.
JFM responsibility (P2)
Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.
- Specific
- Deliver: "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."
- Measurable
- Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable
- Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
- Relevant
- Advances the Security · Incident Response mandate for a P2 — Developing Professional.
- Time-bound
- ⟨date⟩
JFM responsibility (P2)
Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).
- Specific
- Deliver: "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."
- Measurable
- Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable
- Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
- Relevant
- Advances the Security · Incident Response mandate for a P2 — Developing Professional.
- Time-bound
- ⟨date⟩
JFM responsibility (P2)
Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.
- Specific
- Deliver: "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."
- Measurable
- Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable
- Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
- Relevant
- Advances the Security · Incident Response mandate for a P2 — Developing Professional.
- Time-bound
- ⟨date⟩
JFM responsibility (P2)
Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.
- Specific
- Deliver: "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."
- Measurable
- Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable
- Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
- Relevant
- Advances the Security · Incident Response mandate for a P2 — Developing Professional.
- Time-bound
- ⟨date⟩
JFM responsibility (P2)
Produces triage notes and investigation summaries to support escalations to senior responders.
- Specific
- Deliver: "Produces triage notes and investigation summaries to support escalations to senior responders."
- Measurable
- Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable
- Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
- Relevant
- Advances the Security · Incident Response mandate for a P2 — Developing Professional.
- Time-bound
- ⟨date⟩
OKRs
Objectives from this level's core outputs; key results only where a real dimension or capability backs them.
JFM responsibility (P2)
Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."
- Evidence at this level's scope bar: "Defined deliverables / small features" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P2)
Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."
- Evidence at this level's autonomy bar: "General supervision; reviewed at milestones" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P2)
Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."
- Evidence at this level's complexity bar: "Some non-routine problems; applies established patterns" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P2)
Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."
- Evidence at this level's impact bar: "Own and immediate-team deliverables" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P2)
Produces triage notes and investigation summaries to support escalations to senior responders.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Produces triage notes and investigation summaries to support escalations to senior responders."
- Evidence at this level's decision rights bar: "Routine technical choices within guidance" — ⟨target⟩ by ⟨date⟩
MBO areas
Key result areas from this level's responsibilities, each with a standard grounded in the canon leveling rubric where one exists.
| Area | Standard | Target | Due |
|---|---|---|---|
| Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩ |
| Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events). | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩ |
| Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩ |
| Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩ |
| Produces triage notes and investigation summaries to support escalations to senior responders. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩ |
Scorecard
Only perspectives with real canon backing are shown — no Financial or Customer perspective, since nothing in the canon grounds business-financial or customer measures for a role alone.
Internal process
- "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types." → ⟨target⟩ by ⟨date⟩
- "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)." → ⟨target⟩ by ⟨date⟩
- "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes." → ⟨target⟩ by ⟨date⟩
- "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context." → ⟨target⟩ by ⟨date⟩
- "Produces triage notes and investigation summaries to support escalations to senior responders." → ⟨target⟩ by ⟨date⟩
Role calibration
- Meets the scope bar: "Defined deliverables / small features" → ⟨target⟩ by ⟨date⟩
- Meets the autonomy bar: "General supervision; reviewed at milestones" → ⟨target⟩ by ⟨date⟩
- Meets the complexity bar: "Some non-routine problems; applies established patterns" → ⟨target⟩ by ⟨date⟩
- Meets the impact bar: "Own and immediate-team deliverables" → ⟨target⟩ by ⟨date⟩
- Meets the decision rights bar: "Routine technical choices within guidance" → ⟨target⟩ by ⟨date⟩
- Meets the leadership bar: "May guide interns" → ⟨target⟩ by ⟨date⟩