According to the U.S. Department of Homeland Security (DHS), the purpose of the Incident Response Checklist and Cycle (that is, the period between when an incident is identified and when it is resolved and reported) is twofold: to minimize damage and exposure (that is, risk mitigation) and to facilitate an effective recovery. Within the risk mitigation goal, a hierarchy of priorities is suggested, arranged from higher to lower priority and including the following: human life and safety; sensitive or mission-critical systems and information; other systems and information; damage to systems or information; and disruption of access or services.
The items on the checklist include a series of sequential, high-level steps grouped into three phases: (1) Detection, Assessment, and Triage (for which the objective is to limit the risk and damage in such a way that if the problem does escalate, investigation can proceed promptly and with evidence intact); (2) Containment, Evidence Collection, Analysis, and Investigation; and (3) Remediation, Recovery, and Post-Mortem. Based on this three-phase scheme, the Department of Homeland Security’s recommended steps are as follows:
U.S. Department of Homeland Security. Incident Handling Checklists. [Online, 2004.] U.S. Department of Homeland Security Website. http://www.fedcirc.gov/incidentResponse/IHchecklists.html.