Incident Response

Last updated on May 25, 2020

Organizations should have the mindset “when we get breached” not “if we get breached” as the occurrence of most incidents cannot be determined, and a plan should be in place to ensure a coordinated effort of response activities. An incident response (IR) plan should contain roles and responsibilities and should list members (and alternatives) of a Security Incident Response Team (SIRT). Additionally, IR playbooks should be in place for various incident types. Incident handling should follow industry standard (i.e. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (PICERL)).

Expert Opinion - Incident Management and Response

Control Objective

Plan is documented, followed, reviewed, updated, and tested regularly
Dedicated, virtual, or on-retainer team to lead response activities
Identify roles and responsibilities in advance (e.g.. communications)
Address preparation, identification, containment, eradication, recovery, lessons learned, and ensure chain of custody, impartiality, and follow evidence

Resources

Security Incident Response Plan - Template

SIRT Terms of Reference

Did you find what you were looking for?

The B.C. Public Service acknowledges the territories of First Nations around B.C. and is grateful to carry out our work on these lands. We acknowledge the rights, interests, priorities, and concerns of all Indigenous Peoples - First Nations, Métis, and Inuit - respecting and acknowledging their distinct cultures, histories, rights, laws, and governments.

More topics

Incident Response

Expert Opinion - Incident Management and Response

Control Objective

Resources