Incident Response (IR)
A cybersecurity incident is an event that interrupts standard operations or compromises security policy.
- occurs when security is breached or there is an attempted breach
- NIST defines it as “the act of violating an explicit or implied security policy.”
Incident response (IR) is the ability to react or respond to incidents.
- directed at the items that are most likely to cause the organization pain
- should be identified as part of risk management efforts
Incident Response Plan (IRP)
Incident response plan (IRP) sets the resources, processes, and guidelines for dealing with cybersecurity incidents.
- Specific procedures that must be performed if a certain type of event is detected or reported
- aka incident response policy
- regularly reviewed, tested, and practiced by those expected to enact them
- used to recognize, respond, and recover from an incident
- Any effort to prepare for and respond to security incidents is considered incident response planning
- Formal planning activities:
  - threat modeling
  - risk analysis
  - policy and process development
  - testing
  - simulations
- includes:
  - creating guidelines for responding to certain types of incidents
  - identifying the resources needed for each response
  - establishing protocols for how the different personnel and groups will work together to mitigate incidents
Incident Response Process
Elements of Incident Response in Policies and Procedures
- Incident identification
- Incident classification
- Incident mitigation
- Incident documentation
Info
The IR process is focused on cybersecurity incidents.
There are also major incidents that pose an existential threat to company-wide operations.
- These major incidents are handled by disaster recovery processes
- A cybersecurity incident might lead to a major incident being declared, however