Incident Response Phases

Introduction

Incident response refers to an organization’s capability to react to a breach of or attack on its systems or the information contained within them. This capability is an important component of security administration that should not be overlooked. By developing a formal response plan, an organization can approach incidents methodically and effectively, helping to minimize the harm such events inflict (Cichonski, Millar, Grance, & Scarfone, 2012). The objective of this paper is to elucidate the phases of a typical incident response plan, which comprises four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident Activity. Examining these phases will …
These risks should be examined within the confines of the business needs, mission statement, and legal obligations. Classifying potential risks allows the organization to prioritize its efforts in a granular manner, closing security gaps based on cost, effectiveness, and potential loss of business as well as the sensitive information it manages. This should also include security efforts that conform to business requirements, laws, and regulations and that follow the organization’s mission statement. It should identify the policy scope, definitions, roles, procedures, team members, points of external contact, organizational groups, services offered, contact lists, tools, applications, system diagrams, custody chains, organizational dependencies, and performance metrics as well as reporting, contact, and evidence documentation …
Containment refers to the methodology set forth by the incident response plan to aid team members in mitigating damage. The response to the event will vary based on the incident itself. The appropriate strategies for containment should be determined based on potential damage, need for preservation, system availability, time of implementation, effectiveness, and duration of the solution (Cichonski, Millar, Grance, & Scarfone, 2012). The containment solution may require blocking affected accounts, removing malware, sandboxing, or limiting attack efforts. However, containment may not be enough. In some cases, a complete erasure of the affected system and a restore from backup sources may be required to eradicate the effect of the