IT Examiner School - Oct 2025
Internal Use Only
NIST vs. SANS IRP Process
NIST
1. Preparation
2. Detection & Analysis
3. Containment, Eradication & Recovery
4. Post-Incident Activity
SANS
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Internal Processes to Identify and Respond
Roles, responsibilities, and authorities, such as which roles have the authority to confiscate, disconnect, or shut down technology assets
Guidelines for prioritizing incidents, estimating their severity, initiating recovery processes, maintaining or restoring operations, and other key actions
Definition of events, cybersecurity incidents, investigations, and related terms
Performance measures