The incident response process involves the analysis of security events (incidents) and the execution of proper responses to those events.
Especially in the context of information security, an incident response plan defines how to react to cyber-attacks or problems with the availability of essential systems.
The Cybermain Governance Platform provides a default implementation of an incident response process.
The process is started once an incident is discovered, and it is executed by users who have the role of incident manager.
In an organization, this role should be assigned to multiple persons in order to ensure availability.
The first step of the default incident response process is a question-step.
In this step, a decision is made whether the incident is an information security incident (left path), a physical security incident (path in the middle)
or an incident that does not fall into either of these two categories (right path).
If the incident can be categorized as an information security incident, the next two steps require the incident manager to enter a description and information into a previously defined table.
The table has columns for the time of detection, potential time of occurrence, information about the priority (1-3) and the affected systems.
In the fourth step, a user who is a member of the group 'Executive-Management' needs to define and enter a proper response plan.
In the last step, users who have the role 'Vulnerability-Manager' will be informed.
If the incident is categorized as a physical security incident, the process is continued on the path in the middle.
In the subsequent step, the incident manager needs to enter a description.
In the third step, the incident manager needs to fill in a table with columns for the time of detection, the time of occurrence and the current threat-level.
Finally, in the last step of the path in the middle, a member of the group 'Executive-Management' needs to define and enter a response plan.
If the incident cannot be categorized as an information security incident or a physical security incident, the process continues with the steps on the right path.
On this path, the incident manager needs to enter a description, and members of the group 'Executive-Management' are informed.
Like all the other default processes of the Cybermain Governance Platform, this process can be adapted to an arbitrary organization and used as a template.
Existing steps can be modified or removed and arbitrary new steps can be added.