Containment, Eradication and Recovery
This is the point where most guides get thin. This part is hard and highly specific to the company. It is also where you find out that the policies and procedures that looked sound on paper fail in practice. Recovering from a backup sounds good, but the backup itself may have been encrypted or deleted by the attacker, the data may have become corrupted before the backup was taken, or the systems may not be recoverable from backup at all because of other technical constraints (no spare hardware, lost encryption keys, a restore procedure that was never tested end to end). Check what you can actually restore, and how long a restore takes, before you promise anyone a recovery time.
Think about who you need during this stage of the incident. Maybe your company only has one or two IT staff; can they handle an incident by themselves, especially one that runs for days? Are there suppliers or external responders you can call, and do you have their contact details and contract terms at hand?
Communication is also really important in this part of the process: who is told what, when, and over which channel. If the attacker may still have access to your email or chat systems, coordinate the response over a channel they cannot read.