RS.MA-03.316

Does your organization have a documented process for selecting incident response strategies that balance rapid recovery with investigation needs during active incidents?

Explanation

This question assesses whether your organization has a formal approach to incident response that weighs the urgency of restoring operations against the value of observing attacker behavior or conducting a thorough investigation. For example, immediately powering off a compromised system may stop an attack, but it also destroys volatile evidence (memory contents, running processes, active network connections) and signals to the attacker that they have been detected. Isolating the host at the network level and capturing memory and disk images before remediation, or allowing limited continued access under close monitoring, can instead reveal the attacker's tools, methods and targets. Neither choice is always right: extended observation is only defensible while the risk of further damage from an attacker who still holds access remains acceptable. Evidence could include an incident response playbook that sets out decision criteria for different types of incidents, defining when to prioritize immediate containment and when to extend the investigation, and who is authorized to make that call. The playbook should include decision trees or matrices that help responders determine the appropriate balance from factors such as incident severity, the systems and data affected, business impact, and any legal or regulatory obligations that constrain the timeline.

Implementation Example

Select incident response strategies for active incidents by balancing the need to quickly recover from an incident with the need to observe the attacker or conduct a more thorough investigation

ID: RS.MA-03.316

Context

Function
RS: RESPOND
Category
RS.MA: Incident Management
Sub-Category
Incidents are categorized and prioritized

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub