What is an incident response plan?
D4 · Operations · CompTIA Security+ SY0-701
An incident response plan (IRP) is a documented, structured approach for handling security incidents, from preparation through recovery.
The NIST incident response lifecycle has 4 phases:
1️⃣ Preparation: policies, tools, team training
2️⃣ Detection & Analysis: identify and scope the incident
3️⃣ Containment, Eradication & Recovery: stop spread, remove threat, restore systems
4️⃣ Post-Incident Activity: lessons learned, improve defenses
Know the NIST 4-phase IR lifecycle. SANS uses a 6-phase model: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. "Lessons learned" is always the last phase. The incident response team (CSIRT/SOC) executes the plan.