Incident Response (IR)

Proper response to different types of incidents is critical for limiting damages and quick recovery back to normal operations.

In this area, incidents are limited to of all sorts of threats to information assets. Specifically:

• Attacks against information assets.
• With realistic chance of success.
• That could threaten confidentiality, integrity, or availability (CIA) of information resources.

Four phases:

1. Planning
• format and contents of IR plan
• storage - where should be stored
• testing - any plan of this nature MUST be tested.
2. Detection
• define what stipulates an incident that should trigger activities in the IR plan.
• incident classification, incident candidates, incident indicators
3. Reaction
• the actions outlined in the plan, what do to do; for instance
• notifications pf key personnel
  • alert roster - sequential, hierarchical
  • alert message
• documentation of incident
• containment strategies
4. Recovery
   • prioritization of efforts
   • damage assessment
   • computer forensics, digital forensics
   • recovery
   • after-action review (AAR)

R101442.1.C5.215