Incidents are interdicted by timely intelligence and countermeasures.
An intelligence process should be in place to identify potential sources of incidents prior to their occurrence (in most cases), typically through an information sharing approach. For example, if an enterprise depends on a particular protocol or mechanism for part of its protective architecture, as events related to that protocol or mechanism become known through intelligence gathering and sharing, interdiction should be used in anticipation of future exploitation to assure that similar sorts of events won't have serious negative consequences on the enterprise. Countermeasures may range across the spectrum of protective measures.
Incidents are reported to appropriate identified individuals or mechanisms in a timely fashion.
Assuming detection is in place, detections must be reported in a meaningful way to decision mechanisms in order for decisions to be made about how to respond to them. These mechanisms are normally defined so as to apply the right resources to the incident so as to resolve it in time to mitigate potentially serious negative consequences. Without timely reporting, timely response cannot occur.
Decisions are made in a timely fashion and in keeping with pre-defined criteria and requirements.
Decision-making regarding incidents must be appropriate to the incident and made in time to mitigate the potentially serious negative consequences, or those consequences may occur. While some decisions may be made off-the-cuff, most decisions about incidents should be well thought out in advance and practiced so as to meet timeliness and accuracy requirements. This applies to disaster scenarios, business continuity scenarios, and day-to-day event sequences that occur within every enterprise.
Mitigation occurs before consequences reach management defined thresholds.
If mitigation does not occur in time, the negative consequences may be realized. As a result, the objective of the incident handling program is to mitigate before the potentially serious negative consequences reach the management specified thresholds. If no such thresholds are identified, the mitigation approach cannot be defined so as to meet the needs.
Incident conclusion and clean-up occurs with minimum cost and inconvenience.
At the end of an incident, normal operations are typically the desired state. This means that incident termination has to be identified and declared and normal operations resumed. The person or system that makes such a declaration must have defined criteria for making the determination and the return to normalcy should normally include the capacity to deal with future incidents.
Appropriate forensic data is collected and retained as part of the incident handling process.
For cases where it is meaningful or useful to gather forensic evidence associated with an incident, the relevant evidence should be identified, gathered, transported, stored, and handled in a manner appropriate to retaining its forensic value for the purposes intended. This only occurs in cases where properly planning is undertaken and process is properly applied, even during the incident.
After incident analysis is undertaken and reports generated and responded to so as to improve incident handling over time.
After incidents are concluded, it is helpful to do after action reports and analysis to identify limitations or problems with the plan as executed and work toward better approaches for the future. This helps to reduce errors and omissions and optimizes the overall incident handling capability over time.