< All Chief Information Security Officer (CISO) Notes

richardb8006 | Chief Information Security Officer (CISO) | Module 7 - Incident Management

By: richardb8006 | Related Course: Chief Information Security Officer (CISO) | Published: February 10, 2018 | Modified: February 11, 2018
Join Cybrary

NotepadModule 7 - Incident response lifecycle - Preparation

The incident response lifecycle consists out of 6 steps:

  1. Prepare
  2. Identify
  3. Contain
  4. Eradicate
  5. Remediate
  6. Lessons learned


Defines the preparation work that has to be completed prior to having any capability to respond to incidents.

  • Coordinate planning and design
  • Coordinate implementation

Coordinate planning and design

  • Identify incident management requirements
  • Obtain funding and sponsorship
  • Develop Implementation plan

Coordinate implementation

  • Develop policies, processes and plans
  • Establish incident handling criteria
  • Define criticality
  • Evaluate incident management capability
  • Define post-mortem review
  • Define process change procedure

NotepadModule 7 - What is incident response?

  • The ability to prepare for and respond to events that present a negative effect on our network
  • The goal is to limit (as much as possible) disruptions to the network and other business processes
  • Planning must be done well in advance

Planning incident response:

  • incident response team selected and trained
  • formal policies and procedures written and posted
  • necessary tools provided
  • support from senior management

NotepadModule 7 Incident response Lifecycle - Contain

The next step in incident management process is to Contain. 


The triage process is to take the time to sort out, investigate and research what kind of event/incident is going on. 

  • Process of sorting, categorizing, correlating, prioritizing and assigning incoming report/events
  • Analyze what is known, then prioritize
  • Allows events to be managed based on order of criticality

Isolate infected system or network

After the triage process, you want to take the next step which is isolating. In this step you isolate an infected system or network. Make sure forensics measures are taken.

  • Pull network cable
  • Isolate segment
  • Ensure forensics measures are taken

NotepadModule 7 Incident response Lifecycle - Identify

Identify unusual/suspicious activity that might compromise critical business functions or infrastructure.

Proactive detection – conduct detective monitoring regularly

  • Honeypots
  • Scan for unauthorized servers or hosts
  • Analyze network traffic
  • Review audit logs and files

Reactive detection is essential as well to be able to quickly detect and attack

  • Intrusion detection
  • Review audit logs and files


NotepadModule 7 Incident response Lifecycle - Remediate, eradicate and lessons learned

Eradicate and remediate

  • Remove malware
  • Re-image and/or rebuild systems
  • Restore from media
  • Restore from backups
  • Delete/disable accounts
  • System and network device hardening
  • Increase log monitoring
  • Scan systems

Lessons learned

  • Debrief incident response team
  • Document findings
  • Consider modifying security baselines
  • Evaluate responses
  • Re-train if necessary



< All Chief Information Security Officer (CISO) Notes
Join Cybrary

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?