
Incident life cycle

Every incident that starts must have an end, and what happens between the beginning and the end is a series of phases that determine the outcome of the response process. This is an ongoing process that we call the incident life cycle. What we have described until now can be considered the preparation phase. However, this phase is broader than that: it also includes the partial implementation of security controls that were created based on the initial risk assessment (this was supposedly done even before creating the incident response process).

Also included in the preparation phase is the implementation of other security controls, such as:

  • Endpoint protection
  • Malware protection
  • Network security

The preparation phase is not static, and you can see in the following diagram that this phase will receive input from post-incident activity.

The other phases of the life cycle and how they interact are also shown in this diagram:

The DETECTION and CONTAINMENT phase could have multiple interactions within the same incident. Once the loop is over, you will move on to the post-incident activity phase. The sections that follow will cover these last three phases in more detail.
