Incident Response Steps
A checklist for all stages of an incident
Incidents happen to all businesses. Because they’re unavoidable, we have to know how to handle them when they do happen. A good incident response program is paramount to the overall success of your security program.
This checklist will help you:
- Decide what to do as you build an internal incident response program
- Understand how to classify incidents
- Work cohesively with an incident response provider to triage the incident
- Execute a post-cleanup strategy
Incident Response Steps Checklist
Before the Incident
- Understand your insurance policy
- Someone has reviewed it
- We know what they cover and what they won’t
- Have a plan in place
- Define roles
- Public relations
- Our messaging is tight
- Legal
- Define communication channels
- Know what laws you’re bound to
- Know how to contact law enforcement
- Practice the plan
- Be proactive with your security measures
- We’ve completed an annual risk assessment
- We’ve at least had a vulnerability scan
Incident Classification
- We know what the incident is
- We know what assets or systems it affects
- We know what legal or compliance requirements we have
After Classification
- Decide if the internal team can handle it
- Know what your insurance policy requires
- Follow your plan
- Contain the incident/event
- Call your CSIRT to help when the incident is beyond your team's expertise
- Reminder: Good at IT ≠ good at security or incident response
During the CSIRT Engagement
- Work in tandem with the CSIRT to handle the incident when asked
- Follow the CSIRT plan & trust the CSIRT fully
- Don’t remove anything that the team has implemented
- Assist in containing the event when asked
- Preserve and isolate evidence so the CSIRT can analyze it
- Work with the CSIRT to eradicate when asked
Recovery
- Get back to where you were before it happened
- Bring in aspects of your disaster recovery plan
Follow Up
- Reporting
- Regular updates with insurance
- Days and dollars to containment
- Lessons learned
- Decide what to change to prevent this from happening again
- Improve your plan
- Get an up-to-date risk assessment