Overview of the Incident Response Process in Information Security

An incident is any event in an information system or network whose results are abnormal [1]. It can also be considered a situation that differs from normal routine operations. There are numerous causes that can lead to an incident. According to their significance, the results can generally be classified into three classes: low-impact incidents, moderate-risk incidents and high-risk exposure incidents. When an incident occurs, the organization takes certain measures to handle the abnormal results. These steps are also known as the incident response process.

The level of response is determined mainly by the criticality of the information involved and by business decisions. The objectives of an incident response process can be summarized as follows: confirm and resolve the incident; protect and secure evidence; mitigate its impact; and provide reports or recommendations. How incident response is performed in practice depends on the hardware and software architecture, budget, manpower, resources and effort available.

When a suspected incident is discovered and characterized, the initial response begins. As a cyber first responder, it is your responsibility to do everything possible to limit damage and loss of evidence, since evidence can be tampered with or destroyed as time passes; all evidence should be forensically collected and adequately protected. Evidence protection and preservation is therefore an indispensable step in the initial response and plays an important role in the whole incident response process.

First, the suspect must be removed from the company mail domain and network domain. The system administrator cancels all of the suspect's access to any systems and resources, deactivates and resets all passwords previously used by the suspect, and revokes the suspect's access to data storage.
Second, take a full backup of each disk configured on the suspect's laptop in case any security issues arise. The backup must be encrypted. All emails and Internet browser history should also be backed up and encrypted, so that no unauthorized person has access to this information. Disable any wired and wireless Internet connection to prevent remote control; access to the LAN is allowed. A recovery is also required to restore destroyed or lost data, and antivirus software should be run to remove any potential malware. Booting from CD or USB is disabled, preventing corruption of evidence through booting. Meanwhile, the laptop hardware must be encrypted to prevent unwanted access and data corruption, and the laptop must be examined thoroughly.

After all security checks and protective actions are complete, the evidence is transported to the organization, where physical security of the evidence laptop is also necessary. It is important to safeguard evidence from tampering and from extremes of temperature, humidity, magnetic fields and vibration. In practice, place the laptop in an anti-static bag with foam packing material and then store it in a cardboard box. All evidence must be properly stored in an evidence room with limited access, voice recording capabilities and camera monitoring. By using all the methods described above, the evidence will not be manipulated or damaged.
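The two steps above ask for a full backup of each disk and for evidence that can later be shown not to have been manipulated. The standard forensic way to demonstrate that is to hash the acquired image at collection time and keep a chain-of-custody record with it. The following is an added example, not part of the original essay: a small Python module that builds an evidence manifest (size, SHA-256, custody entries), seals the manifest with an HMAC so the custody log itself cannot be silently edited, and verifies an image against the manifest. The byte string standing in for the disk image and the sealing key are constructed placeholders; a real acquisition would hash the image file on disk in chunks.

```python
"""Evidence manifest and chain-of-custody log (added example, not the essay's own).

Assumptions: the disk image has already been acquired and is available as bytes
(SAMPLE_IMAGE below is a constructed stand-in, not a real image); SEAL_KEY is a
placeholder for a key held by the evidence custodian.
"""
import hashlib
import hmac
import json

# Constructed stand-in for an acquired disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"EVIDENCE-LAPTOP-DISK0" + b"\xff" * 1024

# Placeholder custodian key; a real deployment would load it from a key store.
SEAL_KEY = b"placeholder-custodian-key-change-me"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the image bytes; for large files hash the file in chunks."""
    return hashlib.sha256(data).hexdigest()


def create_manifest(image: bytes, item_id: str, collected_by: str, collected_at: str) -> dict:
    """Record what was collected, its size and hash, and the first custody entry."""
    return {
        "item_id": item_id,
        "size_bytes": len(image),
        "sha256": sha256_of(image),
        "custody": [{"action": "collected", "by": collected_by, "at": collected_at}],
    }


def record_custody(manifest: dict, action: str, by: str, at: str) -> dict:
    """Append a custody entry (transfer, storage, examination) to the manifest."""
    manifest["custody"].append({"action": action, "by": by, "at": at})
    return manifest


def canonical_json(manifest: dict) -> bytes:
    """Deterministic serialization so the seal covers the same bytes every time."""
    body = {k: v for k, v in manifest.items() if k != "seal"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 over the canonical manifest so edits to the log are detectable."""
    manifest["seal"] = hmac.new(key, canonical_json(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_seal(manifest: dict, key: bytes) -> bool:
    """True only if the manifest (hash, size, custody log) is unchanged since sealing."""
    expected = hmac.new(key, canonical_json(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("seal", ""))


def verify_image(manifest: dict, image: bytes) -> bool:
    """True if the image still matches the size and SHA-256 recorded at collection."""
    if len(image) != manifest["size_bytes"]:
        return False
    return hmac.compare_digest(manifest["sha256"], sha256_of(image))


if __name__ == "__main__":
    m = create_manifest(SAMPLE_IMAGE, "LAPTOP-01-DISK0", "first responder", "2024-01-01T09:00:00Z")
    record_custody(m, "transferred to evidence room", "custodian", "2024-01-01T12:30:00Z")
    seal_manifest(m, SEAL_KEY)
    print("image intact:", verify_image(m, SAMPLE_IMAGE))
    print("manifest sealed:", verify_seal(m, SEAL_KEY))
    altered = bytearray(SAMPLE_IMAGE)
    altered[600] ^= 0x01  # a single flipped bit in the evidence copy
    print("altered copy detected:", not verify_image(m, bytes(altered)))
```

The verify functions are what an examiner runs before and after each custody step; a failed `verify_image` means the working copy no longer matches what was collected, and a failed `verify_seal` means someone edited the manifest or custody log after it was sealed.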