Responses to cybersecurity incidents are executed, at least in an ad hoc manner, to limit impact to the function and restore normal operations
Context and Guidance: Responding to an incident describes the actions the organisation takes to prevent or contain the impact of an incident while it is occurring or shortly after it has occurred. The range, scope, and breadth of the response will vary widely depending on the nature of the incident. This may include potential incidents that may occur due to new vulnerabilities or technological advances that have a significant potential impact on the organisation, such as vulnerabilities in commonly used technologies (e.g., MS17-010) and emerging technologies that would reduce the effectiveness of current cybersecurity controls (e.g., quantum computing). Incident response may be as simple as notifying users to avoid opening a specific type of email message or as complicated as having to implement service continuity plans that require relocation of services and operations to an off-site provider. The actions related to incident response might include, for example, containing damage (e.g., by taking hardware or systems offline), communicating to asset owners about the incident, and developing and implementing corrective actions and controls.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RESPONSE-3b, RESPONSE-3e, RESPONSE-3h, RESPONSE-3i, RESPONSE-3l.