* * *

[[_TOC_]]

* * *

The \[Customer\] Incident Response (IR) process will be aligned with NIST SP 800-61, which defines the following four stages:

1. Preparation
2. Detection & Analysis
3. Containment, Eradication and Recovery
4. Post-Incident Activity

![](/.attachments/DK-Security/image2019-7-19_11-14-24.png)

These stages outline the steps necessary to respond to and handle security incidents that affect the availability, integrity, or confidentiality of \[Customer\] information assets. The process will also ensure that information security events, incidents, and vulnerabilities associated with information assets and information systems are communicated in a manner that enables timely corrective action.

These stages align with AWS Well-Architected best practices, including identifying key personnel for incident response, pre-provisioning access and tools for security personnel, and running game day events.

This document covers each of the four response activities shown in the figure above and describes the actions \[Customer\] needs to take in order to execute this process when using AWS as the service provider.

Each incident will be rated using a risk-based approach focused on its current and potential impact on, or threat to, the operation or integrity of the institution and its information. Different severities require different handling and escalation procedures, which are captured in the _\[Customer\] IT Security Incident Reporting and Response Policy (or any other doc)_. Depending on the nature of the incident, the forensics step may not be required in every scenario.

For Ozone implementations, the playbooks in this section apply to non-Ozone managed accounts only.

**Attachments:**