Note: This page is part of the archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Incident Management

Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen. When computer security incidents occur, it is critical for an organization to have an effective means of managing and responding to them. The speed with which an organization can recognize, analyze, prevent, and respond to an incident will limit the damage done and lower the cost of recovery. This process of identifying, analyzing, and determining an organizational response to computer security incidents is called incident management.1 The staff, resources, and infrastructure used to perform this function makeup the incident management capability.

Having an effective incident management capability in place is an important part of the deployment and implementation of any software, hardware, or related business process. Organizations are beginning to realize that communication and interactions between system and software developers and staff performing incident management activities can provide insights for building better infrastructure defenses and response processes to defeat or prevent malicious and unauthorized activity and threats.

This content area defines what is meant by incident management and presents some best practices in building an incident management capability. It also takes a look at one particular component of an incident management capability, a computer security incident response team (CSIRT) and discusses its role in the systems development life cycle (SDLC).