Cyber incident response is
“[a] way to minimize possible impacts of cyber security incidents and assist in the identification, classification, response, and reporting of cyber security incidents related to critical cyber assets.”
A cyber incident response capability must include several elements that are proactive in nature, intended to prevent an incident or to better prepare the organization to respond when one occurs. These elements, shown in green in Figure 1, include planning, incident prevention, and post-incident analysis/forensics. Other elements center on detecting and managing an incident once it occurs. These are reactive in nature and are typically carried out under severe time constraints and high visibility. These elements, shown in red in Figure 1, include detection, containment, remediation, and recovery and restoration.
- IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework, App. B, Glossary.
- (Overview section and graphic): Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability, at 3.