Incident management is the activity designed to handle a control failure that leads to a breach. Incident management is the process of identifying, analyzing, responding to, and learning from security incidents that may compromise the confidentiality, integrity, or availability of information assets. Incident management aims to minimize the impact of a breach, restore normal operations as quickly as possible, and prevent or reduce the likelihood of recurrence. Incident management involves several steps, such as:
Establishing an incident response team with clear roles and responsibilities
Developing and maintaining an incident response plan that defines the procedures, tools, and resources for handling incidents
Implementing detection and reporting mechanisms to identify and communicate incidents
Performing triage and analysis to assess the scope, severity, and root cause of incidents
Containing and eradicating the threat and preserving evidence for investigation and legal purposes
Recovering and restoring the affected systems and data to a secure state
Evaluating and improving the incident response process and controls based on lessons learned and best practices
References = CISM Review Manual, 16th Edition, ISACA, 2021, pages 223-232.
