I just got done reading Incident Response (by the guys at Foundstone) and the one thing they wouldn't stop stressing is documentation, documentation, documentation. I think that what SANS has is right (complete), but I would say that every step has to be documented (not at the end but at the current time as you are doing it). It is a great book, and if you are interested in computer forensics and incident response I can't recommend it enough.

Cheers,
Leon

-----Original Message-----
From: Brian E [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 11, 2001 12:22 PM
To: [EMAIL PROTECTED]
Subject: Incident Lifecycle
Mailer: SecurityFocus

Anyone have comments about the life cycle of a security incident? SANS describes the lifecycle as:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-up

Any other models for the lifecycle of a security incident?

Regards,
Brian
