Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs.
What is a computer security incident?
Each organization will need to define what a computer security incident is for its site. Examples of general definitions for a computer security incident might be:
- Any real or suspected adverse event in relation to the security of computer systems or computer networks
- The act of violating an explicit or implied security policy
Examples of incidents could include activity such as:
- attempts (either failed or successful) to gain unauthorized access to a system or its data
- unwanted disruption or denial of service
- unauthorized use of a system for the processing or storage of data
- changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent
Computer security incident activity can be defined as network or host activity that potentially threatens the security of computer systems.