- Lock-down: Perform the actions necessary to prevent further data loss or damage to the organisation and mitigate business risks;
- Preserve Evidence: Forensically capture data on compromised or affected systems and document the data breach;
- Investigate Incident: Use forensic and information security tools to determine the source of an attack, understand the threat actor’s motivations and attempt to identify the perpetrator;
- Management Report: Provide a full log of the investigation undertaken and the results of this investigation, and provide policy and technical remediations where necessary.