Incident management process
How to structure an incident response plan following NIST SP 800-61 Rev. 2.
NIST SP 800-61 Rev. 2 divides incident response into four phases:
- Preparation
  Development of an incident response plan, assignment of responsibilities, preparation of tools, contact lists, legal requirements and training of staff.
- Detection and analysis
  Identification of incidents with SIEM, EDR and log file analysis. An incident is classified, prioritised, its impact assessed, and documented.
- Containment, eradication and recovery
  Limiting the spread of an incident, eradicating malware, correcting vulnerabilities, restoring systems and reinforcing monitoring.
- Post-incident activity
  Lessons-learned analysis, identification of root causes, improvement of the response process and updating of documentation.
Essential: the incident is not only a problem; it is also the basis for improving security processes and controls.
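Added example (not part of the original page): the detection-and-analysis step run over constructed sshd log lines. A brute-force pattern is detected, then the incident is classified, prioritised and documented in a minimal record using the three prioritisation factors of NIST SP 800-61 Rev. 2 (functional impact, information impact, recoverability); the numeric weights, the priority thresholds and the sample assessments are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import re
# Constructed sample auth log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:08Z sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:01:00Z sshd: Accepted publickey for alice from 198.51.100.2
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) \w+ for (\S+) from (\S+)$")
# Rating scales are the three prioritisation factors of NIST SP 800-61 Rev. 2;
# the numeric weights and the priority thresholds are our own assumption.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy breach": 2, "proprietary breach": 2, "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not recoverable": 3}

@dataclass
class Incident:
    """Minimal incident record: classification, source/account, timeline, impact ratings."""
    category: str
    source: str
    account: str
    timeline: list = field(default_factory=list)
    functional: str = "none"
    information: str = "none"
    recoverability: str = "regular"

    def priority(self) -> str:
        score = FUNCTIONAL[self.functional] + INFORMATION[self.information] + RECOVERABILITY[self.recoverability]
        return "high" if score >= 6 else "medium" if score >= 3 else "low"

def detect_bruteforce(log: str, threshold: int = 3) -> list:
    """Flag >= threshold failed logins from one source followed by a success for the same account."""
    failures, incidents = defaultdict(list), []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not silently mis-attributed
        ts, outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[(src, user)].append(ts)
        elif len(failures[(src, user)]) >= threshold:
            # "Attrition" is the NIST SP 800-61 Rev. 2 attack vector for brute-force attempts.
            inc = Incident("attrition", src, user, timeline=failures[(src, user)] + [ts])
            # Analyst assessment (assumed for the example): admin account used, no data loss yet.
            inc.functional, inc.information, inc.recoverability = "medium", "none", "supplemented"
            incidents.append(inc)
    return incidents
```

The timeline and ratings in each record are what the later phases (containment, eradication and recovery, post-incident activity) build on.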