5.4 Follow incident response procedures

Question 1

Incident response plan

Answer 1

• Identify and prioritize all incidents that pose risk without overloading the security team.
• Re-establish a secure working system.
• Preserve evidence of the incident with the aim of prosecuting the perpetrators.
• Prevent reoccurrence of the incident.

Question 2

Documented incident types/category definitions

Answer 2

• Data Integrity
• Downtime
• Economic/publicity
• Scope
• Detection time
• Recovery time

Question 3

Roles and responsibilities

Answer 3

Some organizations will provide a dedicated cyber incident response team (CIRT) or computer security incident response team (CSIRT) as a single point-of-contact for the notification of security incidents.

Question 4

Reporting requirements/escalation

Answer 4

The process by which more senior staff become involved in the management of an incident

Question 5

Cyber incident response teams

Answer 5

(cyber incident response team) A group that handles events involving computer security breaches.

Question 6

Preparation

Answer 6

Making the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and establishing confidential lines of communication. It also implies creating a formal incident response plan.

Question 7

Identification

Answer 7

Determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders.

Question 8

Containment

Answer 8

Limiting the scope and impact of the incident. The typical response is to “pull the plug” on the affected system, but this is not always appropriate.

Question 9

Eradication

Answer 9

Removing an incident from the system.

Question 10

Lessons learned

Answer 10

Analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident.