Incident Response and Recovery
Incident Response is the set of steps performed in the aftermath of a security breach in an IT environment.
Why do we need Incident Response?
It is vital to have a response plan ready before any security incident occurs, so that the damage such incidents cause is limited and the recovery time is reduced.
To whom does this process apply?
Although the Incident Response process usually has company-wide scope, in some cases it can have departmental scope.
Steps involved in an Incident Response[1][2][3]
Preparation
Preparing in advance is very important when planning for a potential incident. Within a company, policies and procedures should be known and tested by management or administration and by all personnel of the department or company, so that recovery and remediation can proceed as planned and result in the least amount of damage. In the preparation phase, make sure that the necessary tools are in place and that staff are trained to handle such incidents before they occur.
Detection
Once an incident has occurred, it is important to establish what happened, what type of incident it is, and where it took place. Although many attacks are detected automatically by detection systems, the end user has a critical role in identifying and reporting anything they find suspicious. For this reason, end users should be aware of the different types of attacks and data breaches and should learn how to report such incidents. They should also consider the safety concerns involved, such as the amount of data lost, violations of contracts or copyrights, and the extent of damage to data. Once an incident is detected and confirmed, either more data must be collected or the data already available must be analysed. If an attack is being handled live, real-time data from the attack must be provided and a remediation applied rapidly to stop it.
Containment
To limit the damage to data, this phase must be undertaken with great care. The faster the responder acts, the more likely and the easier it will be to reduce the damage of the particular incident. It is therefore important to ensure that all the tools needed in this phase are available.[4][5]
Remediation
In this phase, all the issues that may have caused the incident are resolved and any malicious code or malware is removed. Forensic analysis should be completed, and the logs acquired during the analysis should be retained throughout the remediation phase. At the end of this phase, the security lessons learned are documented on the basis of the forensic analysis. These lessons may include security weaknesses to be addressed, preventive measures that could have been used, the need to update the security posture, and so on.
Recovery
Recovery is the process that follows Incident Response. It consists of the documented steps for recovering data after a data breach or an attack.
A recovery plan may include recovery time objectives, and the methods and strategies for recovering lost or damaged data in the shortest possible time. It may also describe the resources, equipment and tools, and the staff that will be involved in the recovery operations.[6]
Steps of the recovery planning process
Forming a recovery team
It is important to form a dedicated team of security professionals who will lead and perform all the steps involved in the recovery process. In many companies, this team is also called the Disaster Recovery (DR) team.
Performing risk assessment
The recovery team should perform risk assessments to identify potential risks in all the functional areas of the departments within the company. These risks should be analysed to determine the consequences associated with each of them. At the end of the risk assessment, the team should be fully aware of the impacts and consequences of any data breach, having considered even the worst-case scenarios.
Determining recovery strategies
In this step, all the practical steps involved in the recovery process are identified and evaluated. The recovery strategies should be formulated to cover all aspects of the organization, including hardware, software, databases, customer service, end-user systems, and so on. There may also be written agreements with third parties that provide recovery alternatives in the event of a data breach or attack; all such agreements need to be reviewed. By the end of this step, the recovery team should have a solution for every aspect that may be affected by a data breach or an attack.
Creating a recovery plan
All the above steps, if performed correctly, will give the recovery team enough information to produce a sound recovery plan that is both comprehensive and practically applicable. The steps in this plan should be fully explained in an understandable manner, as a written set of actions that the recovery team and other users must carry out when a data breach occurs.
Testing the recovery plan
The recovery plan should be tested for its applicability and reliability in order to identify any challenges or errors it may contain. Testing also gives the recovery team and all other working personnel a good understanding of every step in the plan. Confidence in, and accountability for, the recovery plan depend on its having been proven practical and effective in testing.
References
1. LisaEyo (2015-04-24). "6 Steps of Incident Response". AIS Network. Retrieved 2020-02-06.
2. "Incident Response Process - an overview | ScienceDirect Topics". www.sciencedirect.com. Retrieved 2020-02-06.
3. "6 Phases in the Incident Response Plan". SecurityMetrics. Retrieved 2020-02-11.
4. Nichols, Crystal (2019-05-30). "5 Key Considerations for Incident Response Tools". Cybriant. Retrieved 2020-02-11.
5. "The 7 Best Free and Open-Source Incident Response Tools". Cynet. 2019-10-24. Retrieved 2020-02-11.
6. dcomisso (2017-03-31). "IT incident response and recovery". nibusinessinfo.co.uk. Retrieved 2020-02-06.
This article "Incident Response and Recovery" is from Wikipedia. The list of its authors can be seen in its page history and/or on the page Edithistory:Incident Response and Recovery. Articles copied from the Draft namespace on Wikipedia can be found in the Draft namespace of Wikipedia and not in the main one.