Charlie looks at the difference between cyber incident management and cyber incident response and the different set of issues they have to deal with in the different teams.
This week, I thought I would write a short technical bulletin. Many people use the terms cyber incident management and cyber incident response interchangeably, but they have very different meanings and deal with different sets of issues.
Cyber Incident Management
Cyber incident management looks holistically at the response to a cyber incident and covers the following:
- The reputational response to the incident
- Crisis Management
- Overall communications strategy
- Communicating with stakeholders
- Communicating with regulators and statutory notifications, including the Information Commissioner’s Office
- Recovery prioritisations
- Reassurance of interested parties
- Continuity of operations and delivery of service
- Making key decisions
These are usually carried out by the organisation’s Crisis Management / Strategic Team.
Cyber Incident Response
Cyber incident response looks at the technical recovery after a cyber incident and may follow frameworks such as those from NIST or CREST:
- Identification of the incident and analysing what has happened
- Conducting triage of systems
- Incident containment
- Investigation and determining the threat
- Working with third-party specialists
- Gathering and preserving evidence
- Forensics
- Eradicating the cause of the incident
- Recovering systems, data and connectivity
These are usually carried out by the Computer Incident Response Team (CIRT).