Incident Response

Learn when to classify events as incidents and how to proceed, including having an incident response plan to prepare for incidents.

Overview

Compared to alerts and events, security incidents are thankfully rare. An organization experiences many security events of varying severity every day. On the rare occasion that an event is severe enough to be classified as an incident, an incident response plan (IRP) should be followed. The criteria for deciding whether an event is treated as an incident should be defined in advance, not improvised while the event is unfolding.

Creation of an IRP

How an organization defines security incidents versus events should be determined well before an IRP is used.

  • The definition of what constitutes an incident should be clear and based on quantifiable and objective criteria.

  • Once incidents have been defined, the next step is to create the corresponding incident response plans.

  • After the plans have been created, they need to be made readily available to those executing them.

  • Following the principle of least privilege, the confidentiality of each plan should also be enforced so that access to the IRPs is restricted to authorized individuals only.
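As an added illustration of what "quantifiable and objective criteria" can look like in practice (example code, not part of the original page), the snippet below encodes a small set of hypothetical classification rules and applies them to constructed sample events. The severity scale, thresholds and category names are assumptions; an organization would substitute its own definitions. The value of writing the criteria down this way is that every classification decision carries the rule that triggered it, which makes the decision reviewable after the fact.

```python
"""Codifying incident-versus-event criteria (added example, hypothetical rules)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    category: str
    severity: int          # assumed scale: 1 (informational) .. 5 (critical)
    affected_hosts: int    # number of distinct hosts involved
    confirmed: bool        # analyst has confirmed malicious activity


# Hypothetical criteria; each rule is objective and checkable from event data.
CRITERIA = {
    "min_severity": 4,                       # confirmed activity at or above this severity
    "min_hosts": 10,                         # scope threshold, regardless of confirmation
    "always_incident_categories": {          # categories escalated on sight
        "data_exfiltration",
        "ransomware",
    },
}


def classify(event: Event, criteria: dict = CRITERIA) -> tuple[str, list[str]]:
    """Return ("incident" | "event", reasons) for one event.

    Every matched rule is recorded so the decision can be audited later.
    """
    reasons: list[str] = []
    if event.category in criteria["always_incident_categories"]:
        reasons.append(f"category '{event.category}' is always an incident")
    if event.confirmed and event.severity >= criteria["min_severity"]:
        reasons.append(
            f"confirmed activity at severity {event.severity} "
            f">= {criteria['min_severity']}"
        )
    if event.affected_hosts >= criteria["min_hosts"]:
        reasons.append(
            f"{event.affected_hosts} hosts affected >= {criteria['min_hosts']}"
        )
    return ("incident" if reasons else "event", reasons)


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Group event ids by classification so the IRP is invoked only where needed."""
    buckets: dict[str, list[str]] = {"incident": [], "event": []}
    for ev in events:
        label, _ = classify(ev)
        buckets[label].append(ev.event_id)
    return buckets


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("EV-001", "port_scan", severity=2, affected_hosts=1, confirmed=True),
    Event("EV-002", "malware", severity=4, affected_hosts=1, confirmed=False),
    Event("EV-003", "malware", severity=4, affected_hosts=2, confirmed=True),
    Event("EV-004", "ransomware", severity=5, affected_hosts=1, confirmed=False),
    Event("EV-005", "phishing", severity=3, affected_hosts=25, confirmed=False),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        label, reasons = classify(ev)
        print(f"{ev.event_id}: {label} {reasons}")
    print(triage(SAMPLE_EVENTS))
```

Note that EV-002 stays an event: severity alone is not enough under these rules, because the "confirmed" flag is part of the criterion. That kind of nuance is exactly what should be settled in the written definition rather than argued during a live event.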

Review IRPs regularly

Once created, the IRPs should be reviewed regularly. The most reliable way to find flaws or improvement opportunities in an IRP is to review it and exercise it, for example through a tabletop walkthrough. A review may conclude that a plan is no longer relevant or necessary, at which point it can be retired and removed from the IRP repository.

The following section discusses creating and maintaining an ...