Incident Response Plan

● Incident Response Plan
● Detection
● Prevention
● Response

Incident Response Plan:
Incident response planning is the documented and coordinated method of
addressing and managing a security breach or attack.
This incident response plan outlines the response personnel and the
strategies that will be used to mitigate the incident.
Incident response enables an organization to be prepared for unknown as
well as known incidents.

Incident Response Plan:
1. Detection
2. Prevention
3. Response
Steps for IRP:
The key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential
2. Identification: Determining the incident
3. Isolation: Limiting the damage of the incident and isolating affected
systems to prevent further damage
4. Elimination: Finding the root cause of the incident, removing
affected systems from the production environment
5. Recovery: Permitting affected systems back into the production
environment, ensuring no threat remains
6. Analysis & Documentation: Completing incident documentation,
performing analysis to learn from the incident and potentially
improve future response efforts
Security information and event management (SIEM) is an approach to security
that provides an integrated view of an organization's information technology
(IT) security.
It is used in large enterprises and organizations.
SIEM is an industry-standard term composed of two terms:
1. SEM (Security Event Management)
2. SIM (Security Information Management)

SIEM is a two-part process:
SEM is based on real-time monitoring of security events. It monitors the
enterprise's edge devices and saves the collected events to a database at a
location that supports single-viewpoint review.
SIM manages that database, which is reviewed and analyzed by automated
and human interpreters.
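How the two halves fit together, as an added illustration that is not part of these notes: a toy SIEM in Python that normalizes constructed log lines into a central store (the SIM side) and evaluates one real-time rule over them as they arrive (the SEM side). The log format, the "repeated failures then success" rule and its threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One line is deliberately malformed.
SAMPLE_LOGS = [
    "2024-01-10T09:00:01Z fw1 sshd: FAILED login user=alice src=203.0.113.5",
    "2024-01-10T09:00:07Z fw1 sshd: FAILED login user=alice src=203.0.113.5",
    "2024-01-10T09:00:12Z fw1 sshd: FAILED login user=admin src=203.0.113.5",
    "2024-01-10T09:00:20Z fw1 sshd: ACCEPTED login user=alice src=203.0.113.5",
    "2024-01-10T09:01:00Z web1 sshd: FAILED login user=bob src=198.51.100.7",
    "2024-01-10T09:01:30Z web1 sshd: ACCEPTED login user=bob src=198.51.100.7",
    "corrupted entry with no timestamp",
]

# Assumed line layout: "<ISO timestamp> <host> <app>: <message with key=value pairs>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$")

def parse_event(line):
    """Normalize one raw line into a dict; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev.update(dict(re.findall(r"(\w+)=(\S+)", ev["msg"])))  # user=, src=, ...
    ev["outcome"] = ("fail" if "FAILED" in ev["msg"]
                     else "success" if "ACCEPTED" in ev["msg"] else "other")
    return ev

class MiniSIEM:
    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.store = []                       # SIM: central normalized event database
        self.failures = defaultdict(deque)    # SEM: sliding window of failures per source
        self.alerts = []
        self.threshold, self.window = threshold, window

    def ingest(self, line):
        """SEM path: evaluate the rule as each event arrives; SIM path: persist it."""
        ev = parse_event(line)
        if ev is None:
            return
        self.store.append(ev)
        src = ev.get("src")
        if ev["outcome"] == "fail":
            q = self.failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.window:   # drop failures outside the window
                q.popleft()
        elif ev["outcome"] == "success" and len(self.failures[src]) >= self.threshold:
            self.alerts.append({"rule": "failures-then-success", "src": src,
                                "user": ev.get("user"), "ts": ev["ts"]})
            self.failures[src].clear()

    def query(self, **criteria):
        """SIM path: the single-viewpoint review over the stored events."""
        return [e for e in self.store if all(e.get(k) == v for k, v in criteria.items())]

def build_siem(lines=SAMPLE_LOGS):
    siem = MiniSIEM()
    for line in lines:
        siem.ingest(line)
    return siem
```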
Steps to Cybersecurity
Implement an effective governance structure, maintain board engagement, and
produce appropriate information security policies, which should include:
● User education and awareness training
● Monitoring policies and procedures for all networks and systems
● Incident management procedures, including response and disaster recovery
● Network security policies and procedures
● Management and control of user privileges
● Secure configuration guidance
● Malware protection procedures
● Control of removable media usage
● Monitoring of mobile and home working procedures