Incident response Study Guide
📖 Core Concepts
Incident – Any event that could cause loss or disruption to an organization’s operations, services, or functions.
Incident Management – The organized set of activities to identify, analyze, and correct hazards so they do not recur.
Incident Management Lifecycle – Six‑step cycle: Detection → Classification → Response Coordination → Containment → Recovery → Post‑incident Review.
Incident Commander (IC) – Leader who directs the response team according to the Incident Command System (ICS).
Active Failure – Immediate‑effect action that can cause an accident (e.g., pressing the wrong button).
Latent Failure – Hidden condition created by higher‑level decisions; may lie dormant for years until a trigger occurs.
Critical Infrastructure – Essential services (e.g., power, water, communications) whose disruption threatens public safety, economy, or national security.
---
📌 Must Remember
Key Goal: Return the organization to “business‑as‑usual” as quickly as possible while limiting impact.
NIMS (National Incident Management System) – The U.S. framework that provides the national standard for coordinated incident response.
HIPAA Security Rule – Requires documented security‑incident procedures for electronic protected health information (ePHI).
Human‑Factor Rule: Both active and latent failures must be examined in root‑cause analysis.
Real‑time Response: Physical incident management may last hours, days, or longer; it is the immediate phase of the lifecycle.
Service‑Level Agreement (SLA) Benchmark: “Normal service operation” = performance within SLA parameters.
---
🔄 Key Processes
Incident Detection – Monitor alerts, logs, or physical signs; distinguish true incidents from noise.
Classification – Assign severity, impact, and priority (e.g., high‑impact vs low‑impact).
Response Coordination –
  Activate the Incident Commander.
  Mobilize the Incident Response Team (IRT) or Incident Management Team (IMT).
  Follow pre‑defined communication protocols.
Containment – Isolate affected assets, stop spread (e.g., network quarantine, fire suppression).
Recovery – Restore services to SLA‑defined levels; verify integrity before hand‑off.
Post‑incident Review –
  Conduct root‑cause analysis (active + latent).
  Feed findings back into policies, training, and controls.
---
🔍 Key Comparisons
Active Failure vs. Latent Failure
Active: Immediate cause, visible, directly leads to incident.
Latent: Hidden, created by organizational decisions, only triggers when combined with an active failure.
Incident Response Team vs. Incident Management Team
IRT: Tactical group that executes containment/recovery steps.
IMT: Strategic/oversight body that sets priorities, allocates resources, and communicates with executives.
Physical Incident Management vs. Computer Security Incident Management
Physical: Real‑time, often multi‑hour/days, deals with fire, hazardous material, etc.
Computer Security: Primarily digital evidence, may involve longer forensic timelines, but still follows the same lifecycle.
---
⚠️ Common Misunderstandings
“Incident = Accident.” – An incident is potential loss; an accident is the realized loss.
“Only IT staff handle security incidents.” – Effective response needs cross‑functional coordination (facilities, HR, legal).
“Latent failures are irrelevant because they’re hidden.” – Ignoring latent failures lets the same systemic weaknesses cause repeat incidents.
“Post‑incident analysis is optional.” – Without it, the feedback loop to policies never closes, increasing recurrence risk.
---
🧠 Mental Models / Intuition
“Swiss‑Cheese Model” – Imagine each layer of defense as a slice of cheese with holes (latent failures). An incident occurs when holes align, letting a hazard pass through.
“Fire‑Triangle for Failures” – Fuel (latent condition) + Ignition (active failure) = Fire (incident). Remove any side and the incident is prevented.
---
🚩 Exceptions & Edge Cases
Hybrid Causes – Critical‑infrastructure incidents often combine cyber and physical elements; treat them with integrated emergency‑management & cybersecurity procedures.
Extended Real‑Time Response – Some physical incidents (e.g., oil spill) may require weeks of on‑scene management; still start with the same detection → classification steps.
Regulatory Overrides – HIPAA‑covered entities must report certain breaches within 60 days, regardless of internal timelines.
---
📍 When to Use Which
Use NIMS/ICS when the incident spans multiple agencies, jurisdictions, or involves public‑safety resources.
Deploy a Dedicated Computer Security Incident Response Team (CSIRT) for unauthorized access, malware, or data‑exfiltration events.
Activate Physical Incident Management Protocols for fires, hazardous material releases, or infrastructure failures.
Apply IT Service Management (ITSM) Incident Process for SLA‑driven service degradations, alerts, or user‑reported outages.
---
👀 Patterns to Recognize
Alert Flood → Noise vs. True Incident – Sudden spike in similar alerts often signals a systemic issue rather than isolated events.
Repeated Same‑Root Causes – If the same latent failure recurs across incidents, it signals a policy or design flaw.
Cross‑Domain Trigger – A cyber breach that disables safety‑system controls, leading to a physical hazard, is a hallmark of hybrid incidents.
---
🗂️ Exam Traps
Choosing “Incident = Accident” – Exams will test that an incident is a potential disruption, not a confirmed loss.
Confusing Active vs. Latent Failure – Look for wording that emphasizes “immediate effect” vs. “hidden condition”.
Assuming All Incident Teams Are the Same – Remember the tactical (IRT) vs. strategic (IMT) distinction.
Over‑generalizing NIMS – NIMS applies to national or multi‑agency responses; a single‑site IT outage uses ITSM processes instead.
Ignoring SLA Context – Restoring service outside SLA parameters is still an incident, but the performance target defines “normal operation”.