To keep its incident response capability aligned with the constantly changing threat landscape, what ongoing activity should an organization perform with its incident response plan (IRP)?
Place the IRP in long-term archival storage and retrieve it only after a critical breach has occurred.
Publish the IRP publicly on the organization's website so external researchers can suggest improvements.
Reassign all tasks in the IRP to a single systems administrator to streamline coordination.
Schedule and conduct regular tabletop or live exercises, then revise the IRP based on identified gaps.
An incident response plan is a living document. Best-practice frameworks such as NIST SP 800-61 recommend running periodic tabletop or live exercises, capturing lessons learned, and revising the plan accordingly. This continuous cycle validates procedures, updates contact lists, and incorporates new threat intelligence. Simply archiving the plan, consolidating all duties under one person, or publishing it publicly does not ensure that the plan will work when needed and may introduce additional risk.