During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?
Trap 1: Post-Incident Activity
This phase involves lessons learned and updating the plan after an incident.
Trap 2: Detection and Analysis
This phase involves identifying and triaging incidents, not preparing the plan.
Trap 3: Containment, Eradication, and Recovery
This phase focuses on containing and remediating incidents.
- A
Preparation
Preparation is the first phase, in which the IR plan, team, and tools are established and exercised.
- B
Post-Incident Activity
Why wrong: This phase involves lessons learned and updating the plan after an incident.
- C
Detection and Analysis
Why wrong: This phase involves identifying and triaging incidents, not preparing the plan.
- D
Containment, Eradication, and Recovery
Why wrong: This phase focuses on containing and remediating incidents.