An incident response plan (IRP) is a set of written instructions for detecting, responding to and
limiting the effects of an information security event. Incident response plans provide instructions
for responding to a number of potential scenarios, including data breaches, denial of
service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks, and
insider threats. Without an incident response plan in place, organizations may either fail to detect
the attack in the first place, or fail to follow proper protocol to contain the threat and recover from it
once a breach is detected.
According to the SANS Institute, there are six key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential incidents should they arise
2. Identification: Determining whether an event is indeed a security incident
3. Containment: Limiting the damage of the incident and isolating affected systems to prevent
further damage
4. Eradication: Finding the root cause of the incident, removing affected systems from the
production environment
5. Recovery: Permitting affected systems back into the production environment, ensuring no
threat remains
6. Lessons learned: Completing incident documentation and performing analysis to learn
from the incident and improve future response efforts
It is important that an incident response plan be formulated, supported throughout the
organization, and regularly tested. A good incident response plan can minimize not only the
effects of the actual security breach, but also the resulting negative publicity.
From a security team perspective, the question is not whether a breach will occur (such
occurrences are an eventual part of doing business over an untrusted carrier network such as the
Internet), but when. This is not a matter of regarding a system as weak and vulnerable; it is
important to realize that, given enough time and resources, someone can break into even the most
security-hardened system or network. You do not need to look any further than the Security
Focus website at http://www.securityfocus.com/ for updated and detailed information concerning
recent security breaches and vulnerabilities, from the frequent defacement of corporate
webpages to the 2002 attacks on the root DNS nameservers[1].
The positive aspect of realizing the inevitability of a system breach is that it allows the security
team to develop a course of action that minimizes any potential damage. Combining a course of
action with expertise allows the team to respond to adverse conditions in a formal and responsive
manner.
The incident response plan itself can be separated into four phases:
1. Immediate action to stop or minimize the incident
2. Investigation of the incident
3. Restoration of affected resources
4. Reporting the incident to the proper channels