There are four key components of a computer security incident response plan:

  • Preparation: Preparing stakeholders on the procedures for handling computer security incidents or compromises
  • Detection and analysis: Identifying and investigating suspicious activity to confirm a security incident, prioritizing the response based on impact and coordinating notification of the incident
  • Containment, eradication, and recovery: Isolating affected systems to prevent escalation and limit impact, pinpointing the origin of the incident, removing malware, compromised systems, and bad actors from the environment, and restoring systems and data once the threat no longer remains
  • Post-incident activity: Post-incident analysis of the incident, its root cause, and the organization's response, with the intent of improving the incident response plan and future response efforts.