Roadmap

Incident management process

How to structure an incident response plan following NIST SP 800-61 Rev.2.

NIST SP 800-61 Rev. 2 incident response is divided into four phases:

  1. Preparation
    Development of an incident response plan, determination of responsibilities, preparation of tools, contact lists, legal requirements and training of staff.
  2. Detection and analysis
    Identification of incidents with SIEM, EDR and log file analysis. An incident is classified, prioritised, its impact assessed and documented.
  3. Containment, eradication and recovery
    Limiting the spread of an incident, removing malware, correcting vulnerabilities, restoring systems and reinforced monitoring.
  4. Post-incident activity
    Lessons learned analysis, identification of root causes, improvement of the response process and updating of documentation.
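The four phases above can be enforced in the incident record itself, so that an incident cannot reach containment before it has been prioritised and documented, and cannot be closed before lessons learned are recorded. The following is an added example written for this roadmap, not code from NIST or from any incident management tool. The three prioritisation factors (functional impact, information impact, recoverability) and their category names come from NIST SP 800-61 Rev. 2; the numeric scores, the P1..P4 thresholds, the `Incident` class and the sample alert are assumptions made for the example.

```python
"""Minimal incident record that walks the NIST SP 800-61 Rev. 2 phases in order."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Phase(Enum):
    PREPARATION = 1
    DETECTION_AND_ANALYSIS = 2
    CONTAINMENT_ERADICATION_RECOVERY = 3
    POST_INCIDENT_ACTIVITY = 4
    CLOSED = 5


# Category names follow NIST SP 800-61 Rev. 2; the scores are this example's assumption.
FUNCTIONAL_IMPACT = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION_IMPACT = {"none": 0, "privacy breach": 2, "proprietary breach": 2, "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not recoverable": 3}


def priority_for(functional: str, information: str, recoverability: str) -> str:
    """Combine the three factors into a priority P1..P4 (P1 = most urgent). Thresholds are assumed."""
    score = (FUNCTIONAL_IMPACT[functional]
             + INFORMATION_IMPACT[information]
             + RECOVERABILITY[recoverability])
    if score >= 7:
        return "P1"
    if score >= 5:
        return "P2"
    if score >= 3:
        return "P3"
    return "P4"


@dataclass
class Incident:
    incident_id: str
    summary: str
    # Preparation is done before any incident exists, so a new record starts in phase 2.
    phase: Phase = Phase.DETECTION_AND_ANALYSIS
    priority: Optional[str] = None
    timeline: List[Tuple[str, str, str]] = field(default_factory=list)
    lessons_learned: List[str] = field(default_factory=list)

    def record(self, note: str) -> None:
        """Append a timestamped, phase-tagged entry; this is the incident's documentation."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.timeline.append((stamp, self.phase.name, note))

    def assess(self, functional: str, information: str, recoverability: str) -> str:
        """Classify and prioritise the incident (only valid during detection and analysis)."""
        if self.phase is not Phase.DETECTION_AND_ANALYSIS:
            raise ValueError("impact is assessed during detection and analysis")
        self.priority = priority_for(functional, information, recoverability)
        self.record(f"assessed functional={functional}, information={information}, "
                    f"recoverability={recoverability} -> {self.priority}")
        return self.priority

    def add_lesson(self, lesson: str) -> None:
        """Lessons learned belong to post-incident activity, not earlier phases."""
        if self.phase is not Phase.POST_INCIDENT_ACTIVITY:
            raise ValueError("lessons learned are recorded in post-incident activity")
        self.lessons_learned.append(lesson)
        self.record("lesson learned: " + lesson)

    def advance(self) -> Phase:
        """Move to the next phase, enforcing the entry conditions of each phase."""
        nxt = Phase(self.phase.value + 1)  # raises ValueError once CLOSED
        if nxt is Phase.CONTAINMENT_ERADICATION_RECOVERY and self.priority is None:
            raise ValueError("prioritise and document the incident before containment")
        if nxt is Phase.CLOSED and not self.lessons_learned:
            raise ValueError("record lessons learned before closing the incident")
        self.record(f"phase {self.phase.name} -> {nxt.name}")
        self.phase = nxt
        return nxt


def run_example() -> Incident:
    """Walk one constructed incident through all phases and return the record."""
    inc = Incident("INC-0001", "EDR alert: credential dumping tool on a workstation")  # constructed sample
    inc.record("alert received from EDR, assigned to on-call analyst")
    inc.assess("medium", "privacy breach", "supplemented")   # 2 + 2 + 1 = 5 -> P2
    inc.advance()                                            # containment, eradication, recovery
    inc.record("host isolated, tool removed, host rebuilt from image, extra monitoring enabled")
    inc.advance()                                            # post-incident activity
    inc.add_lesson("alert-to-triage took 3 hours; add a second on-call analyst")
    inc.advance()                                            # closed
    return inc


if __name__ == "__main__":
    for stamp, phase, note in run_example().timeline:
        print(stamp, phase, note)
```

The `advance` checks are the point: they turn the phase list into a rule the tooling enforces, which is what makes the post-incident phase an actual step rather than an optional afterthought.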

Essential: the incident is not only a problem, it is also the basis for improving security processes and controls.