Incident Response

Nik 99 Member Posts: 154
This might be a misunderstanding on my part, but it looks to me that security incident response can't make up its mind if it's a 4, 5, 6 or 7 step process? I noticed during my practice exams that one exam said it was 4 steps, the other test platform says it's 5. Then I went and googled it and it only got more confusing with 7 steps popping up. Can anyone elaborate on this? Or just clear up the misunderstanding if there is one.


  • cyberguypr Mod Posts: 6,927
    There is no universal definition/process that acts as a single authoritative source. For example, SANS uses the PICERL acronym: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. NIST 800-61 uses Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity. Random security companies will come up with more or fewer steps as it fits their agenda. The essence is all the same. Rather than trying to circumscribe it to a specific number of steps, understand what exactly happens in each phase. You are more likely to be asked questions along these lines.
  • NetworkNewb Member Posts: 3,298
    I'd probably look at the Security+ Objectives:

    Specifically section 2.5, Common Incident Response Procedures, and just learn what those are.
  • Nik 99 Member Posts: 154
    Thank you for clearing that up Cyberguypr. I was beginning to think I'd asked a stupid question seeing that my post was just sitting here unanswered for 2 days.

    This is somewhat disconcerting to me though because it's a thing that's come up in practice exams. I'm of the opinion they shouldn't really ask you questions such as "Spot the odd one out in the 5 step incident response life cycle," when there isn't any real consensus. It's not the same as asking a question about a layer in the OSI / TCP model.