Incident Response Process Flow Chart


As malicious attacks become more common, efficient and effective incident response procedures are essential to most organisations. Prevention is ideal, but a mature response process for any malicious activity is a necessity. Incident response procedures form part of an identify, isolate and respond triangle that, when effective, significantly reduces the risk to organisational assets. So, how can you ensure incident response processes are effective? The first step is to define the incident response process flow chart clearly in an incident response policy.

Policies should be documented, communicated to all staff and accessible in a central repository. Staff should be educated on how to report an incident, and technical staff should understand the process to follow once an incident is raised. Mature incident response processes are those that have been tested and perform to expectations. Let’s take an example. If malware were to break out across your infrastructure with the potential to bring down your entire organisation, you would want that malware identified and isolated immediately to prevent further propagation. Technical controls should pick up most strains, but there will always be one that gets through, and at that point you are relying on users noticing it and on incident response procedures to deal with it efficiently.


An effective incident response flow chart highlights three key stages: “Identify, Isolate and Respond”

The image above represents a good incident response process flow chart, highlighting three key areas: detect, triage and respond. This is effectively identify, isolate and respond. In the image, multiple inputs, from passive network monitoring to incident and vulnerability reports, feed the identification of incidents. Identification can be proactive (looking for vulnerabilities) or reactive (responding to reported incidents or vulnerabilities). To document an effective incident response process flow chart, every input should be shown.

In the triage section of the incident response process flow chart, network engineers investigate the incident or vulnerability. There should be a defined process for investigation, and each investigation should be recorded in an incident log. Consider using a software package to track open incidents; each incident is then marked as complete only once it has been rectified.

The final stage is to respond. This is where you determine how to handle the incident. A clear escalation process should be defined for serious incidents, naming the third parties to communicate with, e.g. the police and the Information Commissioner’s Office if mass exfiltration of personal data occurs. These processes should be well understood from both a business and a compliance perspective, and individuals should be aware of their responsibilities. The respond stage should always include a lessons learned review to reduce the possibility of this type of incident recurring.
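The detect, triage and respond stages above, modelled as a small incident log. This is an added example, not code from the article or from its author: the state names, the severity scale, the IncidentLog and escalation_contacts names and the escalation rule are assumptions chosen to illustrate the flow, and the sample incidents are constructed. It enforces the lifecycle order, refuses to close an incident without a lessons learned entry, and derives external escalation contacts from the article's own example of mass personal data exfiltration.

```python
"""Minimal incident log modelling detect -> triage -> respond -> close.

Added example, not the article's own code. State names, severity scale and
the escalation rule are assumptions made to illustrate the text.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Lifecycle states in the order the flow chart presents them.
STATES = ("detected", "triaged", "responded", "closed")

# Assumed severity scale; "critical" is the malware-outbreak case in the text.
SEVERITIES = ("low", "medium", "high", "critical")


@dataclass
class Incident:
    incident_id: int
    source: str                     # e.g. "passive network monitoring", "user report"
    description: str
    severity: str
    personal_data_exfiltrated: bool = False
    state: str = "detected"
    assignee: Optional[str] = None
    history: list = field(default_factory=list)   # (timestamp, state, note)
    lessons_learned: Optional[str] = None

    def _transition(self, new_state: str, note: str) -> None:
        # Only the next state in the lifecycle is allowed, so the log records
        # that the defined process was actually followed.
        expected = STATES[STATES.index(self.state) + 1] if self.state != "closed" else None
        if new_state != expected:
            raise ValueError(f"incident {self.incident_id}: cannot go from {self.state} to {new_state}")
        self.state = new_state
        self.history.append((datetime.now(timezone.utc).isoformat(), new_state, note))


class IncidentLog:
    def __init__(self) -> None:
        self._incidents: dict[int, Incident] = {}
        self._next_id = 1

    # Detect: any input (monitoring alert, user report, vulnerability report) opens a record.
    def detect(self, source: str, description: str, severity: str,
               personal_data_exfiltrated: bool = False) -> Incident:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        inc = Incident(self._next_id, source, description, severity, personal_data_exfiltrated)
        inc.history.append((datetime.now(timezone.utc).isoformat(), "detected", f"reported via {source}"))
        self._incidents[inc.incident_id] = inc
        self._next_id += 1
        return inc

    # Triage: an engineer investigates and records findings.
    def triage(self, incident_id: int, assignee: str, findings: str) -> Incident:
        inc = self._incidents[incident_id]
        inc.assignee = assignee
        inc._transition("triaged", findings)
        return inc

    # Respond: containment and remediation actions taken.
    def respond(self, incident_id: int, actions: str) -> Incident:
        inc = self._incidents[incident_id]
        inc._transition("responded", actions)
        return inc

    # Close: lessons learned are mandatory before an incident is marked complete.
    def close(self, incident_id: int, lessons_learned: str) -> Incident:
        inc = self._incidents[incident_id]
        if not lessons_learned.strip():
            raise ValueError(f"incident {incident_id}: lessons learned required before closure")
        inc.lessons_learned = lessons_learned
        inc._transition("closed", "closed with lessons learned recorded")
        return inc

    def get(self, incident_id: int) -> Incident:
        return self._incidents[incident_id]

    def open_incidents(self) -> list:
        return [i for i in self._incidents.values() if i.state != "closed"]


def escalation_contacts(inc: Incident) -> list:
    """Assumed escalation rule following the article's example.

    Serious incidents go to an incident manager; mass personal data
    exfiltration additionally triggers the external parties the article
    names. Real thresholds and contacts belong in the organisation's policy.
    """
    contacts = []
    if inc.severity in ("high", "critical"):
        contacts.append("incident manager")
    if inc.personal_data_exfiltrated:
        contacts += ["police", "information commissioner's office"]
    return contacts


if __name__ == "__main__":
    log = IncidentLog()
    # Constructed sample incidents, one per input type.
    a = log.detect("passive network monitoring", "beaconing from host WS-42", "critical",
                   personal_data_exfiltrated=True)
    b = log.detect("user report", "phishing email with macro attachment", "medium")
    log.triage(a.incident_id, "network engineer", "malware confirmed; host isolated")
    log.respond(a.incident_id, "host reimaged, credentials reset, contacts notified")
    print(escalation_contacts(a))
    log.close(a.incident_id, "add egress alert for this beacon pattern")
    print([i.incident_id for i in log.open_incidents()])
```

Skipping a stage (for example responding to an incident that was never triaged) raises, as does closing without a lessons learned entry; that is the point of putting the flow chart into the tracking tool rather than leaving it on a wall.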

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
