Which phase of the incident response process happens immediately following identification?

June 18, 2020 by

The Phases

1. Preparation

Among the most important of all the steps in an incident response plan is the preparation stage. During the preparation phase, organizations should establish policies and procedures for incident response management and enable efficient communication methods both before and after the incident.

Employees should be properly trained to address security incidents and their respective roles. It is important for companies to develop incident response drill scenarios that are practiced on a regular basis and modified as needed based on changes in the environment. All aspects of an incident response plan, including training, software and hardware resources and execution, should be fully approved and funded before an incident occurs.

2. Identification

The identification phase of an incident response plan involves determining whether or not an organization has been breached. It is not always clear at first whether a breach or other security incident has occurred. In addition, breaches can originate from a wide range of sources, so it is important to gather details. When determining whether a security incident has occurred, organizations should look at when the event happened, how it was discovered and who discovered the breach. Companies should also consider how the incident will impact operations, if other areas have been impacted and the scope of the compromise.

3. Containment

4. Neutralization

Neutralization is one of the most crucial phases of the incident response process and requires the intelligence gathered throughout the previous stages. Once all systems and devices that have been impacted by the breach have been identified, an organization should perform a coordinated shutdown.

To ensure that all employees are aware of the shutdown, employers should send out notifications to all other IT team members. Next, the infected systems and devices should be wiped clean and rebuilt. Passwords on all accounts should also be changed. If a business discovers that there are domains or IP addresses that have been affected, it is essential to block all communication that could pose a risk.

5. Recovery

The recovery phase of an incident response plan involves restoring all affected systems and devices to allow for normal operations to continue. However, before getting systems back up and running, it is vital to ensure that the cause of the breach has been identified to prevent another breach from occurring again. During this phase, consider how long it will take to return systems to normal, whether systems have been patched and tested, whether a system can be safely restored using a backup and how long the system will need to be monitored.

6. Review

Contact the Risk Management Consulting Experts at Hartman Executives

As security breaches and system hacks become more common due to advancements in technology, organizations must go the extra mile to protect their systems and devices. An incident response plan is an effective way to swiftly address security problems and gain knowledge that can be used to prevent repeat security problems. Organizations should also reach out to a risk management consultant to learn the best ways to protect and restore their business. The risk management consulting experts at Hartman Executive Advisors have extensive experience working with clients to assess their unique cybersecurity risks, as well as planning and implementing solutions to address these security issues.