Principles of Incident Response & Disaster Recovery

IR strategy is defined as the means and mechanism for bringing systems back to normal by restoring operations after an incident. There are two philosophies:

1) protect and forget, and

2) apprehend and prosecute.

Each company will have to determine which philosophy to follow and under what circumstances. The incident commander must first assess the situation after the breach. The assessment will look at what type of incident occurred, how much information was destroyed or stolen, and how best to tell the public. The commander will also be responsible for determining how the breach occurred and how to keep it from occurring in the future. The incident commander will also confirm the incident and determine how to escalate the situation if necessary.

Incident recovery maintains that all systems must be reestablished to their pre-incident status. The CSIRT leader must determine the appropriate response based on the variables of the breach type, the method of incursion, the current level of loss, and the sensitivity of the information breached. A containment strategy should be written and should include the details of how the organization will handle theft of and damage to assets.

