CompTIA CySA+ Objective 3.3


Explain the importance of communication during the incident response process.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Communication is important during an incident response. The stakeholders and types of communication need to be defined before an incident.


Human Resources

HR should provide the following responsibilities in reference to incident response.

  • Develop job descriptions for the security analysts.
  • Create policies and procedures to enforce employee behavior related to cybersecurity.


The legal department should be involved in the following:

  • Review nondisclosure agreements (NDA) for incident response.
  • Develop boiler plate wording for reporting to affected sites and partners.
  • Assess liability for illegal computer activity.


  • Create newsletters and educational materials for employee response training.
  • Coordinate with legal on media responses and internal communications.


  • Communicate the importance of incident response within the organization.
  • Create procedures for incident response team to overrule line of business system decisions
  • Create decision support systems for determining when key systems can be isolated.

Purpose of Communication Processes

Best practices for communication during incident response have been developed.

  • Limit Communication to Trusted Parties: Limit to those cleared before the event and only on a need to know basis.
  • Disclosure Based on Regulatory/Legislative Requirements: Comply with regulations or legal requirements for breach communication.
  • Prevent Inadvertent Release of Information: All stakeholders should prevent releasing information to those not listed in the communication plan.
  • Secure Methods of Communication: All communications must be kept secure. Personal cell phones are ok for voice communication, but all chat, e-mail, etc must be encrypted.

Role-Based Responsibilities

  • Technical: IT and security should recognize, identify and react to incidents and analyze those incidents. They should also be first response and remediation.
  • Management: Back and support the efforts of the IR team.
  • Law Enforcement: May be required or invited. There are some issues to consider:
    • Law Enforcement may want to prolong the attack to gain more evidence.
    • Not all law enforcement has experience with cybercrime investigations.
    • Rule out accidents and hardware/software failures first.
    • In cases of definite illegal activity, immediately involve law enforcement. (ie child porn, and felonies)
  • Retain Incident Response Provider: If the organization doesn’t have the expertise in house, may partner with a provider for incident response.