What Is a Security Incident?

Before getting into the best way to respond to an incident, it is necessary to define a few terms. A security policy is a high-level description of how an organization defines a secure environment. An organization’s security policy defines the strategy of the organization for enforcing and maintaining a secure environment. It contains all the definitions of appropriate and inappropriate behavior; requirements to protect defined sensitive resources; and any external requirements that must be satisfied, such as customer or vendor requirements, regulations, and legislation. A security control is a technical or nontechnical mechanism that enforces the security policy. Far too many organizations have controls in place that do not specifically satisfy any aspect of the security policy. All security should start with the security policy. If a situation arises that is not addressed in the security policy, the policy should be reviewed and revised. Then, new or modified controls may be needed to satisfy the modified policy. Any security control that does not satisfy any part of the security policy should be removed, or the policy should be updated to cover the need for the control.

Lots of things happen in any computing environment. Users log on, access resources, and log out. During sessions, traffic flows around your network. Each “thing” that happens in a computing environment is called an event. An event is any observable occurrence in a computer, device, or network. Think of an event as anything that may be reported in a log file. Events can be good or bad. Any event that results in a violation of the security policy, or poses an imminent threat of one, is called an incident. An incident can occur at any point from the desktop or mobile device level to the servers and infrastructure that make the network work. A security incident can be anything from an accidental action that results in a problem up to and including downright malicious activity. Regardless of why a security incident occurred, the organization must respond appropriately.
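The event/incident distinction above is easiest to see in code. The following is an added example, not from the book: it reads a small constructed audit log (every line is an event), applies two policy rules, and reports only the events that violate the policy (a user reading a resource the policy restricts) or pose an imminent threat to it (a burst of failed logins from one source). The key=value log format, the policy thresholds, and the user and host names are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample audit log (assumed key=value format; not taken from any real system).
# Every line is an "event"; only a few of them will turn out to be "incidents".
SAMPLE_LOG = """\
2024-05-01T08:02:11Z auth host=ws12 user=alice action=login result=success src=10.0.1.15
2024-05-01T08:03:40Z file host=srv01 user=alice action=read path=/home/alice/notes.txt result=success
2024-05-01T08:05:02Z auth host=srv01 user=bob action=login result=failure src=203.0.113.7
2024-05-01T08:05:05Z auth host=srv01 user=bob action=login result=failure src=203.0.113.7
2024-05-01T08:05:09Z auth host=srv01 user=bob action=login result=failure src=203.0.113.7
2024-05-01T08:05:12Z auth host=srv01 user=bob action=login result=failure src=203.0.113.7
2024-05-01T08:05:15Z auth host=srv01 user=bob action=login result=failure src=203.0.113.7
2024-05-01T08:10:30Z file host=srv01 user=carol action=read path=/finance/payroll.csv result=success
2024-05-01T08:11:00Z auth host=ws12 user=alice action=logout result=success src=10.0.1.15
"""

# Assumed policy: which users may touch a sensitive path prefix, and what
# counts as an attack-in-progress against authentication.
POLICY = {
    "sensitive_paths": {"/finance/": {"dave", "erin"}},
    "failed_login_threshold": 5,
    "failed_login_window": timedelta(seconds=60),
}


@dataclass
class Incident:
    rule: str
    kind: str            # "violation" or "imminent_threat"
    summary: str
    events: list = field(default_factory=list)   # the raw events behind it


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<cat>\S+)\s+(?P<rest>.*)$")


def parse_event(line):
    """Turn one log line into an event dict; returns None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    ev["category"] = m["cat"]
    ev["ts"] = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ev


def classify(log_text, policy=POLICY):
    """Return (events, incidents): every parsed event, and the subset that breaks policy."""
    events, incidents = [], []
    failures = defaultdict(deque)   # src address -> recent failed-login events

    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        events.append(ev)

        # Rule 1 (violation): a read of a sensitive path by a user the policy does not list.
        if ev["category"] == "file":
            for prefix, allowed in policy["sensitive_paths"].items():
                if ev.get("path", "").startswith(prefix) and ev.get("user") not in allowed:
                    incidents.append(Incident(
                        "sensitive-resource-access", "violation",
                        f"{ev['user']} read {ev['path']} on {ev['host']}", [ev]))

        # Rule 2 (imminent threat): N failed logins from one source inside the window.
        if ev["category"] == "auth" and ev.get("action") == "login" and ev.get("result") == "failure":
            recent = failures[ev["src"]]
            recent.append(ev)
            while recent and ev["ts"] - recent[0]["ts"] > policy["failed_login_window"]:
                recent.popleft()   # drop failures older than the window
            if len(recent) >= policy["failed_login_threshold"]:
                incidents.append(Incident(
                    "failed-login-burst", "imminent_threat",
                    f"{len(recent)} failed logins from {ev['src']} in "
                    f"{int(policy['failed_login_window'].total_seconds())}s", list(recent)))
                recent.clear()     # report each burst once, then start counting again

    return events, incidents


if __name__ == "__main__":
    evs, incs = classify(SAMPLE_LOG)
    print(f"{len(evs)} events, {len(incs)} incidents")
    for inc in incs:
        print(f"[{inc.kind}] {inc.rule}: {inc.summary}")
```

Nine events go in; two incidents come out. The failed-login rule fires before any account is actually compromised, which is the "imminent threat" half of the definition, while carol's read of the payroll file is a completed violation. Everything else (alice's normal session) stays an event in the log and never reaches a responder.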
