Should be defined in advance: planning & preparation for a quick, successful response to a security incident.

Compare: a business continuity plan exists for natural disasters, which are less likely than a security incident.

3 response philosophies:
1. watch & warn: passive, no action taken except notification. Simple.
2. repair & report: attempt to close the incident quickly, automatically. Block the attack, repair the vulnerability, disconnect & clean affected systems.
3. pursue & prosecute: collect evidence, law enforcement & legal involvement. Determine the attack origin. Involves other organizations (ISPs, telephone companies).

Incident response plan: establish management procedures & responsibilities to ensure a quick, effective, orderly response to security incidents. Phases:
Documentation of intruder & responder activities.
Determination that an incident is underway.
Notification of appropriate personnel.
Containment: minimizing the impact of the incident is the primary goal of the response plan.
Assessment of the scope of damage, to isolate compromised systems & data.
Eradication of the cause.
Recovery: return to normal state; patch the vulnerability, restore from backup.