# Incident Management
[[Incident Management]] is an [[Incident Containment]] capability. It is one of the first capabilities an organization needs in order to begin handling unauthorized access to its resources. It ensures that incidents are managed efficiently to minimize the impact on business operations.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- E[[Incident Containment]]
E --- E.1[[Alert Correlation]]
E --- E.2[[Case Management]]
E --- E.3[[Incident Management]]
E --- E.4[[Forensic Analysis]]
E --- E.5[[Asset Restoration]]
E --- E.6[[Abuse Reporting]]
E --- E.7[[Failure Tracing]]
E.3 --- E.3.1[[Incident Triage]]
E.3.1 --- E.3.2[[War Room Management]]
E.3.2 --- E.3.3[[Resource Quarantine]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6,E.7,E.3.1,E.3.2,E.3.3 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6,E.7 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class E.3 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
> [!success] Definition
> **Incident Management** is the process of managing the lifecycle of incidents to restore normal service operation as quickly as possible, minimizing the impact on business operations and ensuring that incidents are efficiently handled.
## Goals
> [!cm-goal] Goal 1
> **Rapid Restoration** - Quickly restore normal service operations to minimize business impact.
> [!cm-goal] Goal 2
> **Efficient Handling** - Ensure incidents are handled efficiently to reduce downtime and disruption.
> [!cm-goal] Goal 3
> **Accurate Categorization** - Properly categorize incidents to ensure appropriate prioritization and response.
> [!cm-goal] Goal 4
> **Effective Communication** - Maintain clear communication with stakeholders throughout the incident lifecycle.
## Scope
The scope of Incident Management covers all incidents that disrupt or degrade IT services, ensuring they are managed efficiently to restore normal operations.
## Process
```mermaid
flowchart LR
A1[Cases <br /> as Input] --> B[1. Triage <br /> Cases]
B --> C[2. Manage <br /> War Room]
C --> D[3. Quarantine <br /> Systems]
```
## Metrics
> [!cm-metric] Metric: [[% of Incidents related to a known vulnerability]]
> [!cm-metric] Metric: [[% of Incidents related to a known risk]]
> [!cm-metric] Metric: [[% of Incidents that were predictable]]
> [!cm-metric] Metric: [[% of Incidents that were unpredictable]]
> [!cm-metric] Metric: [[Average number of hours per incident]]
> [!cm-metric] Metric: [[% of Incidents Resolved within SLA]]
> [!cm-metric] Metric: [[Mean Time to Resolve an Incident]]
> [!cm-metric] Metric: [[% of Incidents Reopened]]
> [!cm-metric] Metric: [[% of Incidents with Complete Documentation]]
> [!cm-metric] Metric: [[% of Incidents Leading to Policy Changes]]
> [!cm-metric] Metric: [[% of Incidents with Root Cause Analysis]]
> [!cm-metric] Metric: [[% of Incidents with Corrective Actions Implemented]]
> [!cm-metric] Metric: [[% of Incidents Leading to Training and Awareness]]
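The metrics above are only useful once each one has an agreed definition (what counts as "resolved", which incidents form the denominator, what the SLA target is per priority). The following is an added worked example, not part of the Cyber City Map page, that computes several of the listed metrics from a handful of constructed case records. The record schema, the priority-based SLA targets, and the choice of denominators (closed incidents for resolution-related metrics, all incidents for the vulnerability metric) are assumptions for illustration; a real case-management export and an organization's own SLA policy would replace them.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed SLA resolution targets per priority, in hours. Every organization
# sets its own; these values are a constructed example.
SLA_HOURS = {"P1": 4, "P2": 24, "P3": 72}


@dataclass
class Incident:
    """One case record, in a constructed schema resembling a case-management export."""
    id: str
    priority: str
    detected: datetime
    resolved: Optional[datetime]   # None while the incident is still open
    reopened: bool                 # closed once, then reopened
    documented: bool               # post-incident documentation complete
    rca_done: bool                 # root cause analysis recorded
    corrective_done: bool          # corrective actions implemented
    known_vulnerability: bool      # traced to a vulnerability already on the register


def hours_to_resolve(inc: Incident) -> Optional[float]:
    """Detection-to-resolution time in hours; None for an open incident."""
    if inc.resolved is None:
        return None
    return (inc.resolved - inc.detected).total_seconds() / 3600


def pct(numerator: int, denominator: int) -> float:
    """Percentage that tolerates an empty denominator (no incidents in the period)."""
    return 100.0 * numerator / denominator if denominator else 0.0


def incident_metrics(incidents: list, as_of: datetime) -> dict:
    """Compute the page's resolution and follow-up metrics for a reporting period."""
    closed = [i for i in incidents if i.resolved is not None]
    still_open = [i for i in incidents if i.resolved is None]
    durations = [hours_to_resolve(i) for i in closed]
    within_sla = [i for i in closed if hours_to_resolve(i) <= SLA_HOURS[i.priority]]
    # Open incidents that have already exceeded their SLA at report time:
    # these are the ones a war room should be looking at right now.
    open_past_sla = [
        i for i in still_open
        if (as_of - i.detected).total_seconds() / 3600 > SLA_HOURS[i.priority]
    ]
    return {
        "incidents": len(incidents),
        "open": len(still_open),
        "open_past_sla": len(open_past_sla),
        "mean_hours_to_resolve": sum(durations) / len(durations) if durations else 0.0,
        "pct_resolved_within_sla": pct(len(within_sla), len(closed)),
        "pct_reopened": pct(sum(i.reopened for i in closed), len(closed)),
        "pct_documented": pct(sum(i.documented for i in closed), len(closed)),
        "pct_root_cause_analysis": pct(sum(i.rca_done for i in closed), len(closed)),
        "pct_corrective_actions": pct(sum(i.corrective_done for i in closed), len(closed)),
        "pct_known_vulnerability": pct(sum(i.known_vulnerability for i in incidents), len(incidents)),
    }


# Constructed sample records: three closed incidents and one still open.
SAMPLE_INCIDENTS = [
    Incident("INC-0001", "P1", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 10, 0),
             reopened=False, documented=True, rca_done=True, corrective_done=True,
             known_vulnerability=True),
    Incident("INC-0002", "P2", datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 3, 12, 0),
             reopened=True, documented=True, rca_done=False, corrective_done=False,
             known_vulnerability=False),
    Incident("INC-0003", "P3", datetime(2024, 3, 3, 0, 0), datetime(2024, 3, 4, 12, 0),
             reopened=False, documented=False, rca_done=True, corrective_done=False,
             known_vulnerability=True),
    Incident("INC-0004", "P1", datetime(2024, 3, 5, 10, 0), None,
             reopened=False, documented=False, rca_done=False, corrective_done=False,
             known_vulnerability=False),
]

REPORT_TIME = datetime(2024, 3, 5, 16, 0)   # constructed report timestamp
SAMPLE_METRICS = incident_metrics(SAMPLE_INCIDENTS, REPORT_TIME)

if __name__ == "__main__":
    for name, value in SAMPLE_METRICS.items():
        shown = f"{value:.1f}" if isinstance(value, float) else str(value)
        print(f"{name:26} {shown}")
```

Two design points worth noting: the open-incident count past SLA is reported separately rather than folded into the SLA percentage, because a still-open P1 should raise an alarm before it is resolved, not after; and every percentage goes through `pct()` so that an empty reporting period yields 0 instead of a division error in the dashboard job.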
## Inspiration & Resources
+ [Cloud Incident Response Framework | CSA (cloudsecurityalliance.org)](https://cloudsecurityalliance.org/artifacts/cloud-incident-response-framework)
+ [Cybersecurity Incident Response | CISA](https://www.cisa.gov/topics/cybersecurity-best-practices/organizations-and-cyber-safety/cybersecurity-incident-response)
+ [CSIRT Services Framework Version 2.1 (first.org)](https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1)
+ [Incident Response | CSRC (nist.gov)](https://csrc.nist.gov/projects/incident-response)
+ [Respond | NIST](https://www.nist.gov/cyberframework/respond)
+ [Incident response overview | Microsoft Learn](https://learn.microsoft.com/en-us/security/operations/incident-response-overview)
+ [What is Incident Response? | IBM](https://www.ibm.com/topics/incident-response)
+ [Cyber Security Incident Management Plan- Complete Guide (eccouncil.org)](https://www.eccouncil.org/cybersecurity-exchange/incident-handling/what-is-incident-management-response/)
##
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.