Incident management and response is the process that defines how a business handles a security breach. The goal is to limit potential negative consequences — brand reputation, financial costs, penalties and/or time to recover. The incident response plan — ideally developed cross-functionally — includes policies, definitions, roles, processes and tasks.
Following an incident that involves sensitive information, a forensics team creates a plan and conducts an investigation to identify relevant digital evidence and determine the scope of a breach. Relevant electronic data must be collected and managed according to strict procedures. PCI Forensic Investigators (PFIs) specialize in payment card industry (PCI) breaches.
When an incident involves e-discovery, organizations execute a legal hold process to notify all parties to a litigation to preserve relevant information. Software automates many aspects of legal hold, including legal notices and reporting, to help ensure that the process is executed in a defensible manner that meets deadlines.
Containment strategies and technologies vary, but the goal is to limit the damage caused by an incident and prevent whatever caused the damage from spreading. Isolation products segregate and enclose a network or system that may be infected or that exhibits vulnerabilities. This creates a barrier that prevents malware from escaping and causing further damage.
Malware elimination involves removal of executables as well as any artifacts from an infected system or endpoint. Remediation addresses the root causes of a breach.