Taking action
The foundation has been laid for enterprise incident response; only running through mock scenarios and real incidents will expose the faults and the areas that must be modified to make the process more effective and fault-tolerant. The incident process requires information to be gathered at the identification phase of the incident and throughout the resolution process. Several pieces of information should be captured at the time of incident identification and kept current thereafter, so that the incident team knows where to focus its efforts and, as the investigation continues and the scope changes, detailed documentation can be developed for use both during and after incident resolution.
Incident reporting
The sources of incident reporting are many: security tools, analyst observation, and employee awareness. The initial report of an incident may not have all the details, since at that point it may not yet be clear whether an incident has occurred at all, let alone what its scope is.
Critical information to capture...