Incident Response - High Incident Process
(Company Name)
Overview
A High Incident can have material business and financial impact to the organization. It is imperative to resolve the incident quickly and efficiently while minimizing impact to Industrial Control Systems, customer service, customer information and safety. A High Incident requires full engagement by the CIRT.
The classification criteria for a High Incident are as follows:
| Criticality | Criteria | Business Impacts | Resources |
|---|---|---|---|
| High | Malicious code: a single malware variant on 25 or more hosts, or multiple malware variants on 10 or more hosts; Compromised data: data exfiltration, unauthorized modification of data, or external compromise or breach of information with potential legal, privacy, or operational implications; Unauthorized access: confirmed unauthorized access to one or more privileged accounts; Denial of service: loss of availability of affected systems deemed P1 (Critical Services) | Significant user impact resulting in multiple system and service outages; 10 or more sites impacted; possible loss of critical, private, or proprietary information; failure to meet internal SLAs; need for external crisis communications. Operational impact: inability to access critical production systems. Customer impact: inability to communicate with customers. Regulatory impact: mandatory reporting, maximum regulatory penalties, multiple legal grievances | CIRT |
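The malicious-code row of the table above is the one criterion that can be evaluated mechanically from endpoint telemetry. The following is an added example, not part of the (Company Name) process document: it groups constructed EDR-style alert records by file hash, counts distinct hosts per variant, and reports whether the High thresholds are met. The alert field names (`host`, `sha256`, `family`) are assumptions, and "multiple variants on 10+ hosts" is read as at least two variants whose combined set of affected hosts is 10 or more; adjust the threshold logic if your classification guideline reads it differently.

```python
"""Evaluate the 'Malicious code' criteria for a High Incident against EDR alerts.

Added example; not part of the incident process document. Alert records are
constructed for illustration and the field names are assumptions.
"""
from collections import defaultdict

# Thresholds from the High Incident classification table.
SINGLE_VARIANT_HOSTS = 25   # one variant present on 25 or more distinct hosts
MULTI_VARIANT_HOSTS = 10    # two or more variants whose combined host set is 10 or more
                            # (assumed reading of "multiple malware variants on 10+ hosts")


def hosts_by_variant(alerts):
    """Map each malware variant (keyed by SHA-256) to the set of distinct hosts.

    Hostnames are lower-cased so repeated alerts from the same machine, or the
    same machine reported with different casing, are counted once.
    """
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["sha256"]].add(alert["host"].lower())
    return seen


def malicious_code_is_high(alerts):
    """Return (is_high, reason); reason is None when neither threshold is met."""
    by_variant = hosts_by_variant(alerts)

    # Criterion 1: a single variant on 25 or more hosts.
    for variant, hosts in by_variant.items():
        if len(hosts) >= SINGLE_VARIANT_HOSTS:
            return True, f"single variant {variant[:12]} on {len(hosts)} hosts"

    # Criterion 2: multiple variants across 10 or more hosts (assumed reading).
    if len(by_variant) >= 2:
        all_hosts = set().union(*by_variant.values())
        if len(all_hosts) >= MULTI_VARIANT_HOSTS:
            return True, f"{len(by_variant)} variants across {len(all_hosts)} hosts"

    return False, None


def make_alerts(sha256, hostnames, family="generic.trojan"):
    """Build constructed EDR-style alert records (illustrative, not real telemetry)."""
    return [{"host": h, "sha256": sha256, "family": family} for h in hostnames]


# Constructed scenarios. The hashes are placeholder strings, not real samples.
HASH_A, HASH_B, HASH_C = "a" * 64, "b" * 64, "c" * 64

# One variant on 26 hosts, plus a duplicate alert for ws-001 with different casing.
CASE_SINGLE = (make_alerts(HASH_A, [f"ws-{i:03d}" for i in range(1, 27)])
               + make_alerts(HASH_A, ["WS-001"]))

# Three variants with overlapping hosts; the union is ws-001..ws-012 (12 hosts).
CASE_MULTI = (make_alerts(HASH_A, [f"ws-{i:03d}" for i in range(1, 6)])
              + make_alerts(HASH_B, [f"ws-{i:03d}" for i in range(4, 10)])
              + make_alerts(HASH_C, [f"ws-{i:03d}" for i in range(10, 13)]))

# One variant on 20 hosts: below the single-variant threshold, no second variant.
CASE_BELOW_SINGLE = make_alerts(HASH_A, [f"ws-{i:03d}" for i in range(1, 21)])

# Two variants on 4 disjoint hosts each: 8 hosts, below the multi-variant threshold.
CASE_BELOW_MULTI = (make_alerts(HASH_A, [f"ws-{i:03d}" for i in range(1, 5)])
                    + make_alerts(HASH_B, [f"ws-{i:03d}" for i in range(5, 9)]))


if __name__ == "__main__":
    for name, case in [("single", CASE_SINGLE), ("multi", CASE_MULTI),
                       ("below_single", CASE_BELOW_SINGLE), ("below_multi", CASE_BELOW_MULTI)]:
        is_high, reason = malicious_code_is_high(case)
        print(f"{name:13s} high={is_high} reason={reason}")
```

The other table criteria (confirmed privileged-account compromise, exfiltration, P1 availability loss) are yes/no findings from the investigation rather than counts, so they are recorded directly in the incident template instead of being computed.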
Because a High Incident can have material business and financial impact to the organization, it must be resolved as quickly as possible; the cost of delay is significant to the organization's overall business.
A High Incident that resembles previous incidents, or that may recur in the future, is a candidate for a Standard Incident. Upon completion of the incident, the IT Security Team may choose to complete a Standard Incident template for it. Additional details may be found in the Guideline - Standard Incident.
Roles and Responsibilities
- Responsible: CIRT Lead
- Accountable: BIRT
- Consult: CIRT, SMEs
- Inform: CIRT
CIRT
The CIRT Lead plays a critical role in all major incidents; however, the primary role of the CIRT Lead is to advise and recommend. The BIRT is accountable for determining the best course of action for the business based on the recommendations provided by the CIRT Lead and any additional information provided by team members.
While team members will be given direction by the BIRT, the CIRT Lead, with their deeper technical understanding, will still provide key guidance to the team members to help them determine how best to meet the objectives set by the BIRT.
BIRT
In the case of a High Incident, the BIRT will be responsible for determining the business representatives required to help with this specific incident.
The CIRT Lead will begin by convening the permanent members, who will then decide whether to manage the entire incident on their own or which additional members to activate.
All decisions on what actions to take during a High Incident will be made by the BIRT with input from the CIRT Lead and team members.
The CIRT Lead will provide recommendations, but all decisions will be made by the BIRT representative, who has the best understanding of the business impact of any action.
Team Members and SMEs
Team members provide the necessary detail to the BIRT Lead to enable them to make decisions on what steps should be taken during the containment, eradication, and recovery phases of the incident response. The team members are then accountable for carrying out the steps directed by the BIRT Lead to accomplish the objectives of the incident response.
The CIRT Lead will provide guidance to the team members to enable them to best achieve the objectives set out by the BIRT Lead; however, all actions will be directed by the BIRT Lead.
Purpose
This document outlines the key steps in the High Incident Response process with additional information provided by the guidelines for the key steps of Containment, Eradication, Recovery and Lessons Learned.
Artifacts
Completed Templates (LINKS)
Activities
The primary activities in a High Incident response are:
- Activate Incident Response and notify participants
- Convene Incident Response teams
- Assess the incident
- Containment
- Eradication
- Recovery
- Lessons Learned
Activate Security Incident Response
IT Security will notify the CIRT Lead and BIRT Lead that incident response has been activated and provide the details for convening the incident response teams. Both Leads must confirm receipt of the notification and their subsequent participation. If no response is received within 15 minutes, the alternate Leads must be contacted.
Convene Incident Response Teams
The BIRT Lead and CIRT Leads must then follow their own call-out processes to engage their respective team members, ensuring that all parties are available within \
Assess Incident
While the incident is already classified as a High Incident, additional information may be required to determine the best course of action.
During this phase, the BIRT Lead must:
- Assess the Risk to the Business
- Assess Legal Implications
- Identify and Communicate with Stakeholders
- Assess People Impact
These steps are explained in detail in the Guideline - Incident Classification.
Containment
The objective of the Containment phase is to put measures in place to ensure that the situation does not become worse and to prevent an attacker or malware from spreading further.
During this phase:
- The CIRT Lead recommends a containment plan to the BIRT Lead to be reviewed, adjusted, and approved
- Legal, People, Safety, Operations, and Regulatory will assist with non-technical containment steps
- Team members will stop the attack from proceeding any further with technical guidance from the CIRT Lead and ultimate approval for all actions from the BIRT Lead
- Systems will be backed up in their current state and forensic evidence will be preserved where desirable and practicable
- The CIRT Lead will notify the Help Desk to ensure that proper direction can be provided to users
- The CIRT Lead will coordinate between technical teams to ensure that effort is coordinated, and impacts accounted for
- Long term containment will ensure that any vectors used in this attack are closed or defended against future attacks
These steps are explained in detail in the Guideline - Incident Containment.
Eradication
Once the threat is contained, all traces of the attacker and related malware must be removed from all of the organization’s systems.
During this phase:
- The CIRT Lead recommends an eradication plan to the BIRT Lead to be reviewed, adjusted, and approved
- The eradication plan is implemented by IT, Legal, People, and service providers
- Affected systems are recovered from backup and malicious software is removed
- Systems and configuration are updated to improve defenses
- Recovered systems are scanned for remaining vulnerabilities, which are then remediated
- All steps taken are documented
These steps are explained in detail in the Guideline - Incident Eradication.
Recovery
The objective of the recovery phase is to resume normal business operations and ensure that the systems remain healthy.
During this phase:
- The CIRT Lead recommends a recovery plan to the BIRT Lead to be reviewed, adjusted, and approved
- All available tests are performed to ensure that the recovered systems are functioning correctly after they have been rebuilt or restored
- Communication with identified internal stakeholders ensures that they understand the recovery plan
- If necessary, external stakeholders are notified to manage their expectations for recovery
- The recovered system is brought online following appropriate change control processes while minimizing impact as much as possible
- Monitoring continues and is augmented to ensure that eradication and recovery were fully completed, and the attacker does not return
These steps are explained in detail in the Guideline - Incident Recovery.
Lessons Learned
The lessons learned phase completes the documentation of what occurred during the incident and helps to improve incident response capabilities for future incidents.
During this phase:
- A follow-up report is created summarizing what occurred, what worked, what did not, and what improvements can be made to the process
- All responders participate in a meeting to discuss the findings
- Process and documentation are updated based on the learnings
- Any other fixes, such as changes to technology, are implemented
These steps are explained in detail in the Guideline - Lessons Learned.
Update Processes and Documentation
When the incident is closed and Lessons Learned are completed, all documentation should be updated based on any findings from the review of the incident.
Version Tracking
| Name | Version | Date |
|---|---|---|
| Kenton Smith | V1.0 | January 2026 |