CPA Exam Lab
All patterns
Security and system resilience

The Incident Playbook

Run the incident lifecycle in order: detect, contain, eradicate, recover, then learn, and keep the forensic chain of custody intact.

How the exam words it

The playbook

  1. 1Follow the lifecycle order: prepare, detect and analyze, contain, eradicate, recover, then hold a lessons-learned review; contain the spread before removing the cause.
  2. 2Distinguish the tools: a SIEM aggregates and correlates logs, an IDS detects and alerts only, and an IPS detects and actively blocks.
  3. 3Preserve evidence with an unbroken chain of custody, documenting who handled it and when so it stays admissible.
  4. 4Close with lessons learned, updating controls and the response plan so the same incident does not recur.

The trap

Eradicating or rebuilding before containing the incident. Containment comes first to stop the spread; only then do you eradicate the cause and recover the systems.

How the exam varies it

The same pattern, re-skinned along these axes:

Incident lifecycle phase orderingMonitoring tool: SIEM versus IDS versus IPSEvidence handling and chain of custody versus the lessons-learned phase

Drill this pattern

8 questions of The Incident Playbook from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 1 ISC topic