Domain 2

Incident Response, Business Continuity and Disaster Recovery Concepts
Published

May 23, 2026

Security professionals play the role of first responders. Understanding incident response starts with knowing the terms used.

Incident terminology

  • Breach - Loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or similar occurrence.
  • Event - Any observable occurrence in a network or system.
  • Exploit - Method or code used to take advantage of a vulnerability.
  • Incident - Security event requiring investigation or response.
  • Intrusion - Unauthorized access to or activity within a system.
  • Threat - Anything with the potential to cause harm by exploiting a vulnerability.
  • Vulnerability - Weakness that can be exploited.
  • Zero day - Vulnerability unknown to the vendor or without an available fix.
  • CIRTs - Computer incident response teams.
  • CSIRTs - Computer security incident response teams.

Incident Response

Process of preparing for, detecting, containing, eradicating, and recovering from security incidents while prioritizing safety and minimizing business disruption. The incident response policy should reference a response plan that all employees follow based on their role.

Lifecycle

  1. Preparation
  2. Detection & Analysis
  3. Containment, Eradication & Recovery
  4. Post-Incident Activity
  5. Continuous Improvement (repeat cycle)

1. Preparation

  • Develop and maintain a management-approved policy
  • Identify critical systems and data
  • Define roles, responsibilities, and incident response team
  • Train staff and run incident simulations
  • Establish communication channels and backups (assume some may fail)
  • Practice incident identification and reporting

2. Detection & Analysis

  • Monitor systems and potential attack vectors
  • Validate and analyze suspected incidents
  • Classify and prioritize incidents by impact and severity
  • Standardize documentation and logging of incidents

3. Containment, Eradication & Recovery

  • Collect and preserve evidence
  • Apply containment strategy to limit spread
  • Identify root cause and attacker activity (if possible)
  • Remove threat (eradication) and restore affected systems
  • Return systems to normal operation safely

4. Post-Incident Activity

  • Preserve and manage required evidence
  • Document timeline, actions, and outcomes
  • Conduct post-mortem / lessons learned review
  • Identify improvements for processes, tools, and training

Business Continuity Plan

A Business Continuity Plan (BCP) defines the procedures and resources required to maintain or restore critical business operations during and after a disruptive event.

To support business continuity, a hard copy of the plan is maintained. In addition, a printed copy, referred to as the Red Book, is entrusted to a designated individual outside the organization and stored at a separate location. This ensures that critical information, such as emergency contacts, recovery procedures, and key operational instructions, remains accessible if company premises, IT systems, or electronic records become unavailable due to events such as natural disasters, fires, power outages, or cyberattacks.

This outside location can be the CEO’s home, a bank safe deposit box or even a professional records storage company.

No matter how many times they have flown, without fail, pilots go through a checklist before take-off. Similarly, there must be established procedures and a thorough checklist so that no vital element of business continuity will be missed. This plan would contain, for example:

  • Multiple contact methodologies
  • Backup numbers for personnel and critical customers
  • Location of backup systems
  • Contacts for outsourced partners (data centers, registrars, etc.)
  • Step-by-step incident response procedures and priorities
  • etc.

Disaster recovery planning

Disaster recovery planning picks up where business continuity (BC) leaves off. It can consist of multiple documents, each designed for a different target audience:

  • Executive summary providing a high-level overview of the plan
  • Technical guides for IT personnel responsible for implementing and maintaining critical backup systems
  • Full copies of the plan for critical disaster recovery team members
  • Department-specific plans
  • Checklists for specific individuals (technical guidelines for IT personnel, checklists the disaster recovery team can follow amid the chaos, high-level documents for management, …)

When a disaster strikes or business activities are interrupted, the disaster recovery plan (DRP) guides the actions of emergency response personnel until the end goal is reached: the business restored to full operation at its last known reliable state.

A robust disaster recovery strategy requires more than maintaining recent backups. In one hospital incident, a cyberattack remained undetected for over eight months, allowing malware to infect backup data. As a result, the organization had to restore systems from backups nearly a year old and carefully recover newer data to avoid reinfection. This demonstrates the importance of maintaining multiple backup generations with appropriate retention periods.
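The hospital scenario above comes down to a retention question: if every retained copy was taken after the compromise began, there is nothing clean to restore from. The following Python example, added here and not part of the original notes, models that with a grandfather-father-son (GFS) retention policy. The backup dates, the "today" of January 31, 2024, and the 240-day undetected compromise window are all constructed for the illustration; the restore-point logic itself is the general technique.

```python
from datetime import date, timedelta

# Constructed sample data: one backup per day for the last 400 days,
# ending on a hypothetical "today".
TODAY = date(2024, 1, 31)
ALL_BACKUPS = [TODAY - timedelta(days=n) for n in range(400)]

# Constructed scenario: the attacker got in 240 days ago and was not noticed
# until today, so every backup taken on or after this date may carry malware.
COMPROMISE = TODAY - timedelta(days=240)  # 2023-06-05


def gfs_retain(backups, today, dailies=7, weeklies=4, monthlies=12):
    """Grandfather-father-son retention.

    Keeps the N most recent daily backups (sons), the most recent N Sunday
    backups (fathers) and the last backup of each of the last N calendar
    months (grandfathers). Returns the retained dates in ascending order.
    """
    ordered = sorted(backups, reverse=True)  # newest first
    kept = set(ordered[:dailies])

    # Fathers: the latest backup from each of the last `weeklies` weeks
    sundays = [d for d in ordered if d.weekday() == 6]
    kept.update(sundays[:weeklies])

    # Grandfathers: the newest backup in each month, newest months first
    seen_months = set()
    for d in ordered:
        if len(seen_months) >= monthlies:
            break
        key = (d.year, d.month)
        if key not in seen_months:
            seen_months.add(key)
            kept.add(d)
    return sorted(kept)


def latest_clean_backup(retained, compromise_date):
    """Most recent retained backup taken strictly before the compromise,
    or None when every retained copy is suspect (the hospital's problem)."""
    clean = [d for d in retained if d < compromise_date]
    return max(clean) if clean else None


# Policy A: only a rolling week of dailies, no older generations.
DAILY_ONLY = gfs_retain(ALL_BACKUPS, TODAY, dailies=7, weeklies=0, monthlies=0)
# Policy B: full GFS with a year of monthly grandfathers.
GFS = gfs_retain(ALL_BACKUPS, TODAY)


if __name__ == "__main__":
    for name, policy in (("daily-only", DAILY_ONLY), ("GFS", GFS)):
        point = latest_clean_backup(policy, COMPROMISE)
        age = (TODAY - point).days if point else None
        print(f"{name:10s} retains {len(policy):2d} copies; "
              f"clean restore point: {point} (age {age} days)")
```

With the daily-only policy the restore point is None: all seven copies post-date the compromise. With GFS the May 31, 2023 monthly survives, roughly eight months old, which matches the trade-off in the hospital case: a long-retained generation is the only clean starting point, and the data created since then has to be recovered separately and scanned before reuse.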

Disaster recovery planning must also account for dependencies between systems. In complex environments, data is often shared across multiple applications and databases. Understanding how information flows between systems and documenting these relationships is essential to ensure a successful and complete recovery following a major incident.
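Once those relationships are documented, they can be turned into a recovery order mechanically. The Python example below is added here and is not part of the original notes; the system names and their dependency map are constructed and hypothetical. It uses a topological sort (Kahn's algorithm) to compute an order in which every system is restored only after the systems it depends on, rejects undocumented or circular dependencies, and reports which systems are affected when one of them is lost.

```python
from collections import deque

# Constructed, hypothetical dependency map: each system lists the systems it
# needs before it can be brought back (e.g. the ERP needs its database and
# the identity provider up first).
DEPENDENCIES = {
    "dns": [],
    "identity": ["dns"],
    "database": ["dns"],
    "file-share": ["identity"],
    "erp": ["database", "identity"],
    "web-portal": ["erp", "identity"],
    "reporting": ["database", "erp"],
}


def _dependents(deps):
    """Invert the map: for each system, which systems depend on it."""
    out = {s: [] for s in deps}
    for system, needs in deps.items():
        for n in needs:
            if n not in deps:
                raise ValueError(f"{system} depends on undocumented system {n!r}")
            out[n].append(system)
    return out


def restore_order(deps):
    """Kahn's algorithm: a recovery sequence where every system appears after
    all of its dependencies. Ties are broken alphabetically so the output is
    stable. Raises ValueError if the documented dependencies form a cycle."""
    dependents = _dependents(deps)
    indegree = {s: len(needs) for s, needs in deps.items()}
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        s = ready.popleft()
        order.append(s)
        for child in sorted(dependents[s]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        stuck = sorted(set(deps) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def blast_radius(deps, system):
    """Every system that transitively depends on `system`, i.e. everything
    that also stops working (and must be re-verified) if `system` is lost."""
    dependents = _dependents(deps)
    seen, stack = set(), [system]
    while stack:
        for child in dependents[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


if __name__ == "__main__":
    for step, system in enumerate(restore_order(DEPENDENCIES), start=1):
        print(f"{step}. restore {system} (needs: {DEPENDENCIES[system] or 'nothing'})")
    print("if the database is lost, also affected:", blast_radius(DEPENDENCIES, "database"))
```

A mismatch between the documented map and reality shows up as either an "undocumented system" error (a dependency nobody wrote down) or a cycle (two systems that each claim to need the other first), both of which are better discovered during a DR exercise than during a real recovery.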