5.4 Map elements to these steps of analysis based on the NIST.SP800-61
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
🔷 1. What is “Preparation” in Incident Response?
In the NIST SP 800-61 Incident Response Lifecycle, Preparation is the first phase.
✔ Definition:
Preparation is the process of getting everything ready before a security incident occurs.
The goal is to ensure that:
- The organization can detect incidents quickly
- The team can respond effectively
- Damage can be minimized
🔷 2. Why Preparation is Important
Without preparation:
- Incidents are detected late
- Response becomes slow and unorganized
- More systems may be affected
- Recovery takes longer
✔ Key Idea:
👉 Good preparation = faster detection + faster response + less damage
🔷 3. Key Elements of Preparation (Exam Focus)
You must know how to map these elements to the Preparation phase.
🔹 3.1 Policies, Plans, and Procedures
These define how incident response is performed.
✔ Includes:
- Incident Response Policy
- Incident Response Plan (IRP)
- Standard Operating Procedures (SOPs)
✔ Purpose:
- Defines roles and responsibilities
- Explains how incidents are handled
- Ensures consistency
✔ Example (IT-focused):
- A document that defines how to respond to a malware alert on a server
🔹 3.2 Incident Response Team (IRT)
A group responsible for handling incidents.
✔ Includes:
- Security analysts
- Incident responders
- IT administrators
- Management
✔ Responsibilities:
- Monitor alerts
- Investigate incidents
- Contain threats
✔ Key Exam Point:
👉 The team must be trained and have clearly assigned roles
🔹 3.3 Training and Awareness
All staff must understand security basics.
✔ Includes:
- Security awareness training
- Incident response drills
- Technical training for analysts
✔ Purpose:
- Helps users identify suspicious activity
- Helps analysts respond correctly
🔹 3.4 Communication Plan
Defines how information is shared during incidents.
✔ Includes:
- Internal communication (teams, management)
- External communication (vendors, authorities)
✔ Key Points:
- Clear communication channels
- Escalation paths
- Contact lists
🔹 3.5 Tools and Technology
Tools are required to detect, analyze, and respond to incidents.
✔ Examples:
- SIEM (Security Information and Event Management)
- IDS/IPS (Intrusion Detection/Prevention Systems)
- Antivirus/EDR tools
- Log management systems
✔ Purpose:
- Monitor systems
- Generate alerts
- Support investigation
🔹 3.6 Logging and Monitoring
Systems must generate and store logs.
✔ Includes:
- System logs
- Network logs
- Application logs
✔ Purpose:
- Detect suspicious activity
- Support forensic analysis
✔ Key Exam Point:
👉 Logs must be collected, stored, and protected
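As an added example (not part of these notes, and not Cisco or NIST material), the following Python sketch shows one way to cover the "protected" part of the key point above: the log collector keeps an HMAC chain over stored records, so that editing or deleting an earlier entry is detected when the store is verified. The sample events and the collector key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample log records (placeholders, not real events)
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "srv01", "msg": "user login ok"},
    {"ts": "2024-05-01T10:05:12Z", "host": "srv01", "msg": "sudo by alice"},
    {"ts": "2024-05-01T10:07:44Z", "host": "srv02", "msg": "service restart"},
]

# Assumption: a secret held only by the log collector, never by the monitored
# hosts, so a compromised host cannot forge valid tags. Placeholder value.
COLLECTOR_KEY = b"example-collector-key"

GENESIS = "0" * 64  # tag used as the "previous" value for the first record


def canonical(event):
    """Serialise an event deterministically so the same content always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, event, key=COLLECTOR_KEY):
    """Append an event; its tag covers the previous tag plus its own content."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, prev.encode() + canonical(event), hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev": prev, "mac": mac})
    return chain


def verify_chain(chain, key=COLLECTOR_KEY):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return i  # a record was removed or reordered before this one
        expected = hmac.new(key, prev.encode() + canonical(rec["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return i  # this record's content was altered
        prev = rec["mac"]
    return -1


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, dict(ev))  # copy so the samples stay untouched
    return chain


def modify_demo():
    """Alter an already-stored record and report where verification fails."""
    chain = build_sample_chain()
    chain[1]["event"]["msg"] = "nothing happened"
    return verify_chain(chain)


def delete_demo():
    """Remove a stored record and report where verification fails."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))
    print("after modification, first bad index:", modify_demo())
    print("after deletion, first bad index:", delete_demo())
```

The chain makes tampering detectable, not impossible; in practice the collector also forwards copies to write-once storage and restricts who can read the key, which is why the exam point stresses collected, stored, and protected together.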
🔹 3.7 Asset Management
Know what exists in the environment.
✔ Includes:
- Hardware inventory
- Software inventory
- Data classification
✔ Purpose:
- Identify affected systems during incidents
- Prioritize critical assets
🔹 3.8 Access Control and Security Measures
Security controls must already be in place.
✔ Includes:
- Authentication mechanisms
- Authorization policies
- Network security controls
✔ Purpose:
- Reduce the risk of incidents
- Limit impact if an incident occurs
🔹 3.9 Backup and Recovery Strategy
Ensures data can be restored.
✔ Includes:
- Regular backups
- Backup testing
- Recovery procedures
✔ Purpose:
- Restore systems after an incident
- Reduce downtime
🔹 3.10 Incident Classification and Prioritization Criteria
Defines how incidents are categorized.
✔ Includes:
- Severity levels (low, medium, high)
- Impact definitions
- Response priorities
✔ Purpose:
- Helps decide how quickly to respond
- Ensures proper resource allocation
🔹 3.11 Legal and Compliance Considerations
Organizations must follow laws and regulations.
✔ Includes:
- Data protection laws
- Evidence handling procedures
- Reporting requirements
✔ Purpose:
- Avoid legal issues
- Ensure proper handling of sensitive data
🔷 4. Mapping to Preparation Phase (Very Important for Exam)
You may get questions asking:
👉 “Which of the following belongs to the Preparation phase?”
✔ All of the following map to Preparation:
- Incident response policy
- Incident response team setup
- Training programs
- Security tools deployment
- Logging configuration
- Communication plans
- Backup strategies
- Asset inventory
- Security controls implementation
🔷 5. Characteristics of Good Preparation
A well-prepared organization has:
- ✔ Documented processes
- ✔ Skilled incident response team
- ✔ Proper tools installed and configured
- ✔ Continuous monitoring
- ✔ Regular testing and improvement
🔷 6. Common Mistakes (Exam Insight)
Avoid confusion with other phases:
❌ Not Preparation:
- Investigating alerts → Detection & Analysis
- Stopping an attack → Containment
- Fixing systems → Eradication/Recovery
✔ Preparation = Before incident happens
🔷 7. Simple Summary (For Quick Revision)
✔ Preparation means:
- Getting ready before incidents occur
✔ It includes:
- Policies and plans
- Trained team
- Tools and monitoring
- Logging and backups
- Communication and procedures
✔ Goal:
👉 Be ready to detect and respond quickly
🔷 Final Exam Tip
If a question describes:
- Setting up tools
- Writing policies
- Training staff
- Creating response plans
👉 The correct answer is the Preparation phase
