2. Explain when a cyber security incident response plan is used (AC 1.2)

IRP is used during before, during and after an incident. Before an incident IRP can be used during simulated exercises (such as table top) as a way of training everyone involved during a real attack. This exercise can involve people from various departments, such as: Incident Response team, IT, senior management, legal, PR, HR and insurance. Simulating an incident is a great way to make sure your IRP works the way it's intended and that everyone knows what their roles are and how to proceed under pressure of a real attack. During an incident This is where all your training pays off. Use the IRP to follow all the steps outlined. Contact the right people, do all the necessary checks, mitigate the threat in an effective way. After an incident A good IRP should have steps you can follow after you've mitigated the threat. A post-mortem or an after-action should be conducted to find out what exactly went wrong, and what went right. Learn from your actions and implement these into the next iteration of your IRP. You can have a post-incident meeting, where you invite everyone affected by the incident and discuss what could be improved for next incident.