Page 215 - CISSO_Prep_ Guide
of responders, and then those people will call the next tier and so on.
Containment
Containment limits the spread of the incident and the growth of the damage it causes. The containment strategy aims to respond quickly and to ensure that the incident affects as few departments, networks, people, and systems as possible, while minimizing the financial and reputational cost.
A common containment strategy is to isolate affected systems or networks. This requires preparation to know which systems can be isolated, what the impact of the isolation would be on other systems or business operations, and how to isolate a system effectively.
The primary goal of the organization is usually to recover as quickly as possible and get back up and running with minimal impact, but this may be difficult where the incident involves law enforcement or other investigators. The investigators' objective is to gather evidence, and recovering systems may destroy evidence that is needed for the investigation.
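The preparation described above (knowing which systems can be isolated, what isolating them breaks, and how to isolate them) and the tension with evidence gathering can be captured in a small containment planner. The following is an added example, not code from the CISSO guide; the inventory, the isolation methods (`acl`, `vlan`, `nac`) and the approval rule for critical systems are constructed for illustration. It inverts the dependency graph to compute the business impact of isolating a host, refuses to proceed without an approved method, and orders evidence capture before the host is cut off.

```python
"""Containment planning over a constructed asset inventory.

Added example (not from the CISSO guide). Models the preparation the text
calls for: which systems can be isolated, what isolating them breaks, and
how to isolate them, with volatile evidence preserved before disconnection.
"""
from collections import deque

# Constructed inventory: host -> metadata. "depends_on" lists the hosts this
# host needs to function; "isolation" is the prepared (hypothetical) method.
INVENTORY = {
    "web-01":  {"tier": "dmz",  "depends_on": ["app-01"],           "isolation": "acl",  "critical": False},
    "app-01":  {"tier": "app",  "depends_on": ["db-01", "auth-01"], "isolation": "vlan", "critical": False},
    "db-01":   {"tier": "data", "depends_on": ["san-01"],           "isolation": "vlan", "critical": True},
    "auth-01": {"tier": "core", "depends_on": [],                   "isolation": None,   "critical": True},
    "san-01":  {"tier": "core", "depends_on": [],                   "isolation": None,   "critical": True},
    "ws-17":   {"tier": "user", "depends_on": ["auth-01"],          "isolation": "nac",  "critical": False},
}


def dependents_of(inventory):
    """Invert depends_on so we can ask 'who breaks if X goes away'."""
    rev = {host: set() for host in inventory}
    for host, meta in inventory.items():
        for dep in meta["depends_on"]:
            rev.setdefault(dep, set()).add(host)
    return rev


def isolation_impact(host, inventory):
    """All hosts that transitively depend on `host` (BFS over the reverse
    dependency graph): the systems that lose service if `host` is isolated."""
    rev = dependents_of(inventory)
    seen, queue = set(), deque([host])
    while queue:
        cur = queue.popleft()
        for d in rev.get(cur, ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(seen)


def containment_plan(host, inventory, evidence_required=True):
    """Ordered action list for isolating `host`, or the reason it cannot be
    isolated with the prepared methods."""
    meta = inventory[host]
    impact = isolation_impact(host, inventory)
    plan = {"host": host, "impact": impact, "actions": [], "approved": None}
    if meta["isolation"] is None:
        plan["approved"] = False
        plan["actions"].append(f"no prepared isolation method for {host}; escalate")
        return plan
    if meta["critical"] or any(inventory[h]["critical"] for h in impact):
        # Hypothetical rule: isolating a critical system, or one that critical
        # systems depend on, needs incident-commander sign-off first.
        plan["approved"] = False
        plan["actions"].append("critical service affected; obtain incident commander approval")
    else:
        plan["approved"] = True
    if evidence_required:
        # Capture volatile state before disconnecting so investigators are
        # not left with a powered-off machine whose memory is gone.
        plan["actions"].append(f"capture memory image and running-process list on {host}")
        plan["actions"].append(f"snapshot disk of {host} and record hashes")
    plan["actions"].append(f"isolate {host} via {meta['isolation']}")
    for h in impact:
        plan["actions"].append(f"notify owner of {h}: service degraded while {host} is isolated")
    return plan


if __name__ == "__main__":
    for target in ("web-01", "db-01", "auth-01"):
        p = containment_plan(target, INVENTORY)
        print(target, "approved" if p["approved"] else "needs escalation", p["impact"])
        for a in p["actions"]:
            print("   -", a)
```

Running it shows the three cases the text implies: a DMZ web server that can be isolated immediately with no downstream impact, a database whose isolation would take the application and web tiers down and therefore needs sign-off, and a core service with no prepared isolation method, which is the gap that preparation is meant to close before an incident.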
A challenge with any incident is the breakdown of normal controls. In normal circumstances, there is a separation of duties and precautions to protect sensitive information or protect against unauthorized changes. However, in a crisis, many of those controls may be removed. Administrators may be able to make changes without peer review, external parties may be accessing the facility, and confidential documents may be exposed. This increases the need for appropriate security controls to be in place immediately following a disaster.
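When peer review and separation of duties are suspended during a crisis, the usual compensating approach is to replace the preventive control with a detective one: break-glass access that expires on its own, a mandatory justification for every emergency change, and a post-incident queue of changes that still need independent review. The following ledger is an added example, not from the CISSO guide; the class names, fields, four-hour grant lifetime and ten-character justification threshold are hypothetical choices made for illustration.

```python
"""Compensating controls for emergency changes made outside change control.

Added example, not from the CISSO guide. Every break-glass action is recorded
with actor, target, justification and time; elevated access expires
automatically; and a post-incident report lists what still needs a second
pair of eyes. Names and thresholds are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class BreakGlassGrant:
    actor: str
    incident_id: str
    granted_at: datetime
    ttl: timedelta

    def active(self, now: datetime) -> bool:
        return now < self.granted_at + self.ttl


@dataclass
class EmergencyChange:
    actor: str
    target: str
    description: str
    justification: str
    recorded_at: datetime
    reviewed_by: Optional[str] = None


class EmergencyChangeLedger:
    """Append-only record of changes made while normal controls are relaxed."""

    def __init__(self, grant_ttl: timedelta = timedelta(hours=4)):
        self.grant_ttl = grant_ttl
        self.grants = {}
        self.changes = []

    def grant(self, actor: str, incident_id: str, now: datetime) -> None:
        # Time-boxed elevation tied to a specific incident.
        self.grants[actor] = BreakGlassGrant(actor, incident_id, now, self.grant_ttl)

    def record(self, actor, target, description, justification, now) -> EmergencyChange:
        g = self.grants.get(actor)
        if g is None or not g.active(now):
            raise PermissionError(f"{actor} has no active break-glass grant")
        if len(justification.strip()) < 10:
            raise ValueError("emergency change needs a justification")
        change = EmergencyChange(actor, target, description, justification, now)
        self.changes.append(change)
        return change

    def review(self, index: int, reviewer: str) -> None:
        # Separation of duties is restored after the fact: the actor cannot
        # review their own emergency change.
        change = self.changes[index]
        if reviewer == change.actor:
            raise ValueError("change cannot be reviewed by the person who made it")
        change.reviewed_by = reviewer

    def pending_review(self):
        return [c for c in self.changes if c.reviewed_by is None]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ledger = EmergencyChangeLedger()
    ledger.grant("alice", "INC-0001", t0)  # constructed incident id
    ledger.record("alice", "fw-edge-01", "added deny rule for 203.0.113.0/24",
                  "blocks outbound traffic flagged in IDS alert", t0 + timedelta(hours=1))
    print(len(ledger.pending_review()), "change(s) awaiting post-incident review")
```

The ledger does not stop an administrator from acting quickly, which is the point of break-glass access; it makes sure that every such action is attributable, time-limited and queued for the review that the crisis skipped.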