Security team on-call rotation
named coverage, structured handover, and an audit-defensible operating record

Critical or high-severity findings created from scanner intake (external scanning across the sixteen modules, authenticated scanning behind verified domains, code scanning Semgrep SAST and dependency analysis), bulk finding import (Nessus, Burp Suite, CSV from third-party scanners), or manual finding entry during the shift window. The on-call primary reads the cohort, acknowledges the routing on the workspace finding record, and either accepts the routing or escalates.

A new CISA KEV catalogue addition that the workspace continuous monitoring matches against the in-scope asset estate (verified domains, connected repositories, fingerprinted technology stack, declared dependencies). The on-call primary opens an emergency response engagement, reads the in-shift exposure assessment, and routes to the named asset owner or escalates if the named owner is not available in the shift window.

An in_progress finding whose target remediation date falls within the next operating cycle and whose named owner has not produced a fix update inside the shift window. The on-call primary reads the breach-imminent cohort, contacts the named owner, accepts a documented date shift with rationale, or escalates to the named accountable owner so the breach is decided rather than discovered overnight.

A vulnerability disclosure programme submission, a bug bounty platform handoff, or a customer escalation that opens a PSIRT case during the shift. The on-call primary reads the report, opens the structured PSIRT case on the workspace, acknowledges the reporter through the case record, and routes to the named PSIRT analyst for triage.

A security advisory from an upstream supplier (open source maintainer, vendor library, cloud provider, OEM) that requires the company to issue its own advisory to downstream consumers. The on-call primary reads the upstream advisory reference, opens the cascade case on the workspace, and routes the in-shift exposure assessment to the named product security owner.

A continuous monitoring scan that re-detects a previously verified-closed finding (regression), a finding pattern across a previously suppressed false-positive cohort (suppression failure), or a fresh open finding against an asset that completed an attestation cycle (attestation regression). The on-call primary reads the regression source and routes restoration to the original-severity workflow.

A trigger event covered by the emergency vulnerability response workflow: a published exploit kit, a confirmed in-the-wild exploitation report, a regulator advisory naming the company sector, a customer-facing dependency advisory. The on-call primary reads the trigger event, opens the emergency response engagement, and routes the named on-call lead for exposure assessment.

The shift roster sits in a shared calendar or a wiki page; the workspace has no record of who held the shift when the critical finding landed. The next audit asks for the named operator who acknowledged the SLA-breach-imminent alert at the timestamp on the activity log; the answer is "let me find the calendar from that week". The fix is the rotation roster being a document on the engagement record with named operators per shift window and the workspace activity log capturing the named acknowledger at the moment of every event.

The outgoing shift hands over in a five-minute call; the incoming shift starts the cycle without context on the open events, the in-flight escalations, the breach-imminent cohort still in motion, or the renewals expiring in the next window. The fix is the handover being a structured record on the engagement: open-event count and named owners, in-flight escalations with named authority, breach-imminent cohort with target dates, expiring exceptions with renewal candidates, and the running notes the activity log carries from the prior shift.

Both the primary and the secondary read every notification. Both pick up the easy events first, both ignore the harder ones, and the rotation collapses into a queue with two operators instead of a rotation with a primary and a backup. The fix is the role separation living in the workspace notification routing and the team management RBAC: the primary acknowledges, the secondary watches for missed-target events, and the activity log records who held each role at each event.

The shift policy says "escalate critical events" but does not name the operator who receives the escalation, the channel the escalation rides on, or the acknowledgement target. When the primary cannot resolve and the secondary is unreachable, the event ages in the queue because the third tier was never named. The fix is the escalation authority being a named role on the rotation policy, the activity log carrying the page-out event, and the workspace finding record stamping the named authority on the disposition.

An operator covers for another mid-shift; the swap happens in a direct message; the published roster still shows the original operator. Six weeks later the audit asks for the named acknowledger at the timestamp on the activity log; the activity log shows operator A but the chat history shows operator B was on call. The fix is the cover and swap policy writing the change onto the document-management copy of the roster with the named substitute, the named approver of the swap, and the activity log capturing the substitution against the affected shift window.

The rotation runs week after week without a structured retrospective. Acknowledgement adherence drifts, swap volume climbs, the same two operators carry every weekend, and the rotation produces resignations rather than security outcomes. The fix is the rotation lead running a documented retrospective each cycle that reads the rotation health metrics from the workspace activity log (acknowledgement adherence, handover completeness, swap volume, escalation rate per shift, alert volume per shift) and tuning the cadence against the signal before it produces burnout.

A DORA, NIS2, GDPR, PCI DSS, HIPAA, or SEC notification clock starts the moment the on-call rotation acknowledges a confirmed event with notification scope. The shift policy treats notification as "we will handle it Monday"; the regulator clock does not pause for the weekend; the programme misses the obligation window. The fix is the GRC partner on call (or a documented escalation to the GRC lead) reading any in-shift event that may trip a notification clock at the moment of acknowledgement, with the clock-start timestamp captured on the workspace activity log so the audit-evidence pack reconstructs the timing from the live record.

The outgoing shift writes a structured summary on the engagement record at shift close: event count handled, severity mix, named owners contacted, accept-work dispositions routed, escalations triggered, exceptions accepted with named expiry, breach-imminent cohort status, and a free-text note for anything the next shift needs to read first. The summary is a document the next shift opens to before the workspace queue.

Every event the outgoing shift acknowledged but did not close lands on the handover record with the named follow-up operator (incoming primary, named asset owner, named PSIRT analyst, named engineering remediation contact). The next shift opens the cohort as the first cohort it reads against, not as a surprise that surfaces later in the shift.

Any escalation the outgoing shift triggered carries forward with the named escalation authority, the pending decision class, the target acknowledgement window for the authority, and the workspace finding or engagement reference. The incoming shift reads the escalation cohort as a watch list and is not surprised by an authority page-out in the middle of the new shift.

The breach-imminent cohort that the outgoing shift identified or carried forward lands on the handover with the named owners, the target dates, the latest update each owner produced, and the rationale on any documented date shift. The incoming shift opens the cohort as a working list and either confirms the dates hold or escalates against the same authority chain the outgoing shift would have.

Active overrides whose review or expiry date falls in the incoming shift window land on the handover with the named approver, the renewal candidate evidence, and the framework citation grid. The incoming shift either holds the renewal in the disposition meeting agenda or escalates to the named approver if the policy requires.

The outgoing shift records the qualitative signals the activity log alone cannot capture: was the shift volume sustainable, did the rotation lose sleep on a non-actionable page, was a swap or cover negotiated mid-shift, did the rotation feel like an operating discipline or a queue. The signal feeds the rotation lead retrospective so the cadence tunes against burnout before it produces resignation.