Checklist for auditing Incident Response Plan
See also:
ISO 27002 5.24 Planning and preparation PE/ OT
CISSP Incident Response Steps[1]:
- Detection
  - monitoring, alerts
- Response
  - decide if it is a security incident
  - alert the CSIR Team
- Mitigation
  - contain the incident, limit effect or scope
- Reporting
- Recovery
  - return to fully functioning state
- Remediation
  - root cause analysis
- Lessons Learned
ChatGPT identifies the following steps:
In information security incident response, what other actions are there, other than mitigation and remediation?
In information security incident response, there are several key actions in addition to mitigation and remediation. These typically align with the stages of an incident response process. Here's an overview:
- Preparation: This involves establishing and training an incident response team, developing and updating an incident response plan, and ensuring tools and resources are available for effective incident management.
- Identification: This stage focuses on detecting and identifying security incidents through monitoring, alerts, and reports. It involves confirming whether a security breach or event has occurred.
- Containment: Once an incident is identified, immediate containment efforts are taken to limit damage, prevent further intrusion, and isolate affected systems. This can be broken down into short-term containment (immediate response) and long-term containment (applying temporary fixes).
- Eradication: This involves removing the root cause of the incident, such as eliminating malware from all affected systems, closing vulnerabilities that were exploited, and ensuring that the threat is completely neutralized.
- Recovery: During this phase, affected systems are restored and returned to normal operations. It includes validating systems to ensure they are operational and secure, implementing additional monitoring, and verifying that vulnerabilities are resolved.
- Improvement: Also known as lessons learned, this step involves reviewing and analyzing the incident and the response. The objective is to learn from the event, improve future incident response, and update policies and procedures.
- Communication: Throughout the incident response process, consistent communication is crucial. This includes informing relevant stakeholders, providing updates, reporting to compliance bodies if necessary, and managing public relations if the incident affects external parties.
- Post-Incident Review: A detailed review is conducted after the incident is resolved to evaluate what happened, what was done well, what could be improved, and how to prevent similar incidents in the future.
These actions combined create a comprehensive approach to effectively manage and respond to security incidents in an organized manner.
[1] CISSP Chapter 17, Preventing and Responding to Incidents, p.739