When a security team detects a threat, it's essential that the organization is ready for what comes next. That requires a tightly coordinated incident response plan (IRP): a defined sequence of actions and events, each assigned to a specific stakeholder on a dedicated incident response team. Some businesses have their own in-house team, some outsource their incident response services, and others take a hybrid approach in which they outsource technical analysis but manage the rest of the IRP in-house. Either way, this team should have trained and planned for these incident response events well before any trouble rears its head.
A well-coordinated incident response effort should always include:
An organization’s incident response team should include people in positions beyond security and IT. Stakeholders from legal, corporate communications, human resources, and more should also be involved in the preparation and execution of any incident response activity.
Preparation is key to allow fast action when minutes matter. It is not ideal to wait until a situation has escalated into a full-fledged incident to start chasing down and educating stakeholders. Major players should know their responsibilities well ahead of time so that they only need the signal to jump into action. To help ensure team members are trained and empowered enough to take the right actions at the right time, teams should conduct non-technical tabletop exercises as well as full breach simulations that run through both the technical and non-technical processes.
When preparing for incident response, having the right people on the team is crucial. Every business has its own unique needs, but it’s recommended for organizations to identify specific individuals or teams for the following core functions:
After successfully responding to an incident, it's not time to rest just yet. The incident response team should conduct a post-mortem to learn from the experience, both to fine-tune the incident response program specifically and to retune the security program overall. What worked, what didn't work, and what could work better or faster? There's no better teacher than experience, so it's important to glean as many lessons as possible from responding to a real incident.