THE SANS INSTITUTE'S SIX-STEP GUIDE TO HANDLE AN INCIDENT:

​

1. PREPARATION – Educate users and IT staff of the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly.
    

2. IDENTIFICATION – The response team is activated to decide whether a particular event is, in fact, a security incident.
    

3. CONTAINMENT –  The team determines how far the problem has spread and contains the problem by disconnecting all affected systems and devices to prevent further damage.
    

4. ERADICATION – The team investigates to discover the origin of the incident. The root cause of the problem and all traces of malicious code are removed.
    

5. RECOVERY – Data and software are restored from clean backup files, ensuring that no vulnerabilities remain.
    

6. LESSONS LEARNED – The team analyzes the incident and how it was handled, making recommendations for better future response and for preventing a recurrence.