Overview of the incident response process

Planning and preparing for an information security incident can be challenging for many units inside the University. When an information security incident occurs, a Unit is required to take immediate action to mitigate threats to the Confidentiality, Integrity, and Availability of its information assets. The effort requires the effective deployment of resources and established communication strategies.

The Incident Response team will typically follow six high-level steps:

  • Preparation — Includes documentation, testing, training and other preparatory activities.
  • Identification — Includes the confirmation that an incident has occurred and the initial severity level. It identifies what data, devices, or systems were damaged, accessed, or exposed as part of the breach. Additionally, it includes the collection of logs, system images, and other artifacts. Activation of the CSIRT happens at this time if required.
  • Containment — Initial short-term containment of the incident will typically entail the disconnection of affected services, devices or networks to limit additional damage or malicious activity.
  • Eradication — Identify the root cause of the incident. Remove malware, malicious code and vulnerabilities from all affected systems using the information collected during the identification step.
  • Recovery — Return systems carefully back to production status, ensuring mitigation of the root cause occurs first.
  • Lessons learned — Review the root cause of the incident and identify opportunities to improve detection and defences so that a recurrence is less likely. Also, review how the incident itself was handled and determine any improvements to the process.
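As an added illustration (not part of the University's own process documents), a small Python tracker that encodes the ordering and preconditions the six steps imply: affected assets and evidence recorded before containment, every affected asset disconnected before eradication, and the root cause mitigated before recovery. The severity scale, the CSIRT activation threshold and the field names are assumptions made for the example.

```python
from dataclasses import dataclass, field

PHASES = ("preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned")
CSIRT_SEVERITY = 3  # assumed: severity 3 or higher (1-4 scale) activates the CSIRT


@dataclass
class Incident:
    name: str
    phase: str = "preparation"
    severity: int = 0
    affected: set = field(default_factory=set)   # data/devices/systems hit
    artifacts: set = field(default_factory=set)  # logs, images, other evidence
    isolated: set = field(default_factory=set)   # disconnected during containment
    csirt_activated: bool = False
    root_cause: str = ""
    root_cause_mitigated: bool = False


def blockers(inc: Incident, target: str) -> list[str]:
    """Reasons `inc` may not yet enter `target`; an empty list means it may."""
    reasons = []
    if target == "containment":            # identification must be complete
        if not inc.affected:
            reasons.append("affected assets not identified")
        if not inc.artifacts:
            reasons.append("no logs or images collected")
        if inc.severity >= CSIRT_SEVERITY and not inc.csirt_activated:
            reasons.append("severity requires CSIRT activation")
    elif target == "eradication":          # short-term containment must hold
        for asset in sorted(inc.affected - inc.isolated):
            reasons.append(f"{asset} still connected")
    elif target == "recovery":             # root cause mitigated before production
        if not inc.root_cause:
            reasons.append("root cause not identified")
        elif not inc.root_cause_mitigated:
            reasons.append("root cause not yet mitigated")
    return reasons


def advance(inc: Incident, target: str) -> Incident:
    """Move to `target`; it must be the next phase and its blockers must be clear."""
    idx = PHASES.index(inc.phase)
    if idx + 1 >= len(PHASES) or PHASES[idx + 1] != target:
        raise ValueError(f"{inc.name}: cannot move from {inc.phase} to {target}")
    if reasons := blockers(inc, target):
        raise ValueError(f"{inc.name}: {target} blocked: " + "; ".join(reasons))
    inc.phase = target
    return inc
```

Each refusal names the step that was skipped, so the tracker doubles as a checklist of what the current phase still owes before the team moves on.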
Figure: the incident response process (preparation, identification, containment, eradication, recovery and lessons learned).