Cybersecurity Incident Response and Management

DOI: 10.4018/978-1-7998-4162-3.ch002
This chapter presents a systematic literature review on best practices regarding cybersecurity incident response handling and incident management. The study identifies incident handling models that are used worldwide when responding to any type of cybersecurity incident. The authors highlight the importance of understanding the current cyber threat landscape in any incident response team and its standard operating procedures. The chapter provides guidelines for building a cybersecurity incident response team in terms of incident categorization, capabilities, tasks, incident cost calculation, and metrics.
Chapter Preview

Incident Handling Models

According to ISACA (2012), incident management is the capability to effectively manage unexpected disruptive events with the objective of minimizing impact and maintaining or restoring normal operations within defined time limits. Incident response is accordingly considered a subset of incident management: the operational capability that identifies, prepares for and responds to incidents in order to control and limit damage; provides forensic and investigative capabilities; and maintains, recovers and restores normal operations based on the service level agreements (SLAs).

According to Oriyano et al. (2020), an incident is defined as any violation, or impending violation, of the security policy. Existing corporate security policies clearly define which events are considered cyber incidents, contain procedures and guidelines for responding to them, and set out a clear course of action for the detection of and response to security incidents.

Table 1 shows the most relevant incident handling and management models:

Table 1. Cybersecurity incident handling and management models

Name of the model | Phases
Donaldson et al. (2015): Incident Response Process | Identify, investigate, collect, report, contain, repair, remediate, validate, report conclusions and resume normal IT operations
CREST (2014): Cyber security incident management capability | Prepare, respond and follow up
NIST (2012): The Incident Response Life Cycle | Preparation; detection and analysis; containment, eradication and recovery; post-incident activity
ISACA (2012): Incident Management Life Cycle | Planning and preparation; detection, triage and investigation; containment, analysis, tracking and recovery; post-incident assessment and incident closure
SANS (2011): Incident handling step-by-step | Preparation, identification, containment, eradication, recovery and lessons learned
ISO/IEC 27035 (2011): Information Security Incident Management | Plan and prepare; detection and reporting; assessment and decision; responses and lessons learnt
ENISA (2010): Incident handling process | Report, registration, triage, incident resolution, incident closure and post-analysis
Kennedy (2008): Modified small business approach for incident handling | Develop a security policy, protect computer equipment, keep data safe, use the Internet safely, protect the network, secure line-of-business applications and training
CERT/CC (2003): Incident handling life-cycle process | Report, analyze, obtain contact information, provide technical assistance, coordinate information and response and provide resolution
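As an added illustration of the ISACA idea of restoring operations "within defined time limits" and of the NIST phases listed in Table 1, the following Python tracker (example code written for this page, not from the chapter or from any of the bodies cited) records the phases an incident passes through, rejects transitions the life cycle does not allow, and checks time-to-contain and time-to-recover against SLA limits. The phase identifiers, the SLA thresholds and the sample timeline are constructed for the example; the back-edge from eradication and recovery to detection and analysis is a modelling choice of this example.

```python
"""Incident life-cycle tracker with SLA metrics, built on the NIST (2012)
phases listed in Table 1. Added example, not code from the chapter; the
phase identifiers, SLA limits and sample timeline are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# NIST (2012) phases from Table 1. Preparation is an ongoing, organization-wide
# phase, so a tracked incident starts its own timeline at detection & analysis.
PHASES = ["detection_and_analysis", "containment",
          "eradication_and_recovery", "post_incident_activity"]

# Transitions this tracker accepts: forward through the phases, plus a return
# from eradication & recovery to detection & analysis when new indicators
# surface (modelling choice of this example).
ALLOWED: Dict[str, Set[str]] = {
    "detection_and_analysis": {"containment"},
    "containment": {"eradication_and_recovery"},
    "eradication_and_recovery": {"post_incident_activity", "detection_and_analysis"},
    "post_incident_activity": set(),
}


@dataclass
class Incident:
    incident_id: str
    category: str            # constructed categories, e.g. "malware"
    detected_at: datetime
    # (phase, entered_at) pairs in order; the first entry is detection.
    timeline: List[Tuple[str, datetime]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.timeline = [("detection_and_analysis", self.detected_at)]

    def current_phase(self) -> str:
        return self.timeline[-1][0]

    def enter(self, phase: str, at: datetime) -> None:
        """Move the incident into `phase`, rejecting moves the life cycle forbids."""
        if phase not in ALLOWED:
            raise ValueError(f"unknown phase: {phase}")
        current = self.current_phase()
        if phase not in ALLOWED[current]:
            raise ValueError(f"cannot move from {current} to {phase}")
        if at < self.timeline[-1][1]:
            raise ValueError("timeline must not go backwards")
        self.timeline.append((phase, at))

    def first_entered(self, phase: str) -> Optional[datetime]:
        """Timestamp of the first time the incident reached `phase`, or None."""
        for name, when in self.timeline:
            if name == phase:
                return when
        return None


# Metrics are measured from detection to the first entry into a phase.
METRIC_TO_PHASE = {
    "time_to_contain": "containment",             # containment reached
    "time_to_recover": "post_incident_activity",  # eradication & recovery done
}


def sla_report(inc: Incident, sla: Dict[str, timedelta]) -> Dict[str, Tuple[timedelta, bool]]:
    """Return {metric: (elapsed, breached)} for every metric whose phase was reached.

    A phase not yet reached is omitted rather than reported as within SLA, so an
    open incident never looks compliant by default.
    """
    report: Dict[str, Tuple[timedelta, bool]] = {}
    for metric, phase in METRIC_TO_PHASE.items():
        reached = inc.first_entered(phase)
        if reached is None:
            continue
        elapsed = reached - inc.detected_at
        limit = sla.get(metric)
        report[metric] = (elapsed, limit is not None and elapsed > limit)
    return report


# Constructed SLA: contain within 4 hours, recover within 24 hours.
SAMPLE_SLA = {"time_to_contain": timedelta(hours=4),
              "time_to_recover": timedelta(hours=24)}


def sample_incident() -> Incident:
    """Constructed timeline: contained in 2.5 h, but recovery took two days."""
    inc = Incident("INC-0001", "malware", datetime(2024, 1, 1, 9, 0))
    inc.enter("containment", datetime(2024, 1, 1, 11, 30))
    inc.enter("eradication_and_recovery", datetime(2024, 1, 2, 9, 0))
    inc.enter("post_incident_activity", datetime(2024, 1, 3, 9, 0))
    return inc


if __name__ == "__main__":
    for metric, (elapsed, breached) in sla_report(sample_incident(), SAMPLE_SLA).items():
        print(f"{metric}: {elapsed} {'BREACHED' if breached else 'ok'}")
```

Run as a script, the sample incident reports time-to-contain as met and time-to-recover as breached. Omitting unreached metrics, rather than defaulting them to "met", is the design choice that keeps an incident still in containment from appearing SLA-compliant on a dashboard.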

Key Terms in this Chapter

Cybersecurity Event: Things that happen in a particular situation that affect cybersecurity areas.

Cybersecurity Incident: Critical events that compromise normal operations of cyber assets within any organization.
