Reply To: OCU C)DFE D Week 05 Discussion
The first step in the identification of an incident is receiving. In this step, the system is implemented to watch and collect information. The examiner needs to identify areas where there is little or no monitoring of the system but where visibility of the system exists. The system needs to have sensors implemented to receive and collect data on those areas and vulnerabilities. The sensors can be either electronic or human.
The second step in the identification of an incident is collection. In this step, there is a need for a centralized collection to gather and facilitate analysis of the data and information collected. The system should be designed to accept data from all of the sensors that you have in place. The collection process includes being able to accept data from not only the electronic sensors but manual and human sensors as well.
The third and final step in the process of identification of an incident is to analyze all of the data collected. You need to determine where the incident started and how to stop it. You need to stop the incident from continuing or happening again before you start to analyze the data. The analysis is automated and alerts to any problems in the data or how and where the incident started. In this process, you need the ability to analyze all the compiled data from the system and human input and be able to determine any false positives that occurred. The analysis process includes the ability to collect, manage and archive the events that took place during the incident. The last step in the analysis process is to extract the data and report the findings to the appropriate departments or individuals.
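The three steps described in the post (receiving from electronic and human sensors, centralized collection, and analysis that weeds out false positives, finds where the incident started, archives the events and reports) can be wired together in a few dozen lines. The following is an added example, not code from the original post or the course: the sshd log format, the IDS JSON layout, the helpdesk ticket shape, the hosts, addresses and the allow-list are all constructed for illustration.

```python
"""Toy incident-identification pipeline: receive -> collect -> analyze.

Added example, not code from the original post. Every sensor name,
log line, host, address and allow-list entry below is constructed.
"""
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    sensor: str   # which sensor saw it: electronic (auth, ids) or human (ticket)
    host: str
    kind: str     # auth_fail, auth_ok, ids_alert, report
    src: str      # remote address, or "" when the sensor has none
    detail: str


# ---- Step 1: receiving. One parser per sensor turns raw output into an Event.
AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) "
    r"for (\S+) from (\S+)")


def parse_auth(line):
    """Electronic sensor: an sshd line from syslog (constructed format)."""
    m = AUTH_RE.match(line)
    if not m:
        return None  # lines this sensor does not understand are dropped
    ts, host, verdict, user, src = m.groups()
    kind = "auth_ok" if verdict == "Accepted" else "auth_fail"
    return Event(datetime.fromisoformat(ts), "auth", host, kind, src, user)


def parse_ids(line):
    """Electronic sensor: one JSON alert per line from a network IDS."""
    rec = json.loads(line)
    return Event(datetime.fromisoformat(rec["ts"]), "ids", rec["host"],
                 "ids_alert", rec["remote"], rec["sig"])


def parse_ticket(rec):
    """Human sensor: a helpdesk ticket, already structured by the ticket tool."""
    return Event(datetime.fromisoformat(rec["ts"]), "human:" + rec["reporter"],
                 rec["host"], "report", "", rec["text"])


# ---- Step 2: collection. Every sensor feeds one central, time-ordered store.
def collect(sources):
    events = []
    for parser, records in sources:
        events.extend(e for e in map(parser, records) if e is not None)
    return sorted(events, key=lambda e: e.ts)


# ---- Step 3: analysis. Drop false positives, find where it started,
# archive everything, and build the report that goes to the responders.
def is_false_positive(ev, allow):
    if ev.kind == "ids_alert" and ev.src in allow["scanners"]:
        return True   # our own authorised vulnerability scanner
    if ev.kind == "auth_ok" and (ev.detail, ev.src) in allow["expected_logins"]:
        return True   # a known service account from its usual address
    return False


def archive(events):
    """Archive as JSON lines so the full timeline survives the incident."""
    return "\n".join(json.dumps({**asdict(e), "ts": e.ts.isoformat()})
                     for e in events)


def analyze(events, allow):
    fps = [e for e in events if is_false_positive(e, allow)]
    real = [e for e in events if not is_false_positive(e, allow)]
    incidents = {}
    for ev in real:  # already time-ordered, so the first event seen is the start
        inc = incidents.setdefault(ev.host, {
            "start": ev.ts.isoformat(), "source": ev.src,
            "sensors": set(), "timeline": []})
        inc["sensors"].add(ev.sensor)
        inc["timeline"].append(f"{ev.ts.isoformat()} {ev.sensor} {ev.kind} {ev.detail}")
    for inc in incidents.values():
        inc["sensors"] = sorted(inc["sensors"])
    return {"false_positives": len(fps), "archived": len(events),
            "incidents": incidents}


AUTH_LOG = [  # constructed sample input
    "2024-03-04T09:14:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2024-03-04T09:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "2024-03-04T09:14:09 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51144 ssh2",
    "2024-03-04T09:30:11 db01 sshd[881]: Accepted publickey for backup from 10.0.0.5 port 40001 ssh2",
    "2024-03-04T09:31:00 db01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]
IDS_LOG = [  # constructed sample input
    '{"ts":"2024-03-04T09:16:40","host":"web01","sig":"ET SCAN Nmap","remote":"10.0.0.9"}',
    '{"ts":"2024-03-04T09:20:03","host":"web01","sig":"Outbound to known C2","remote":"198.51.100.23"}',
]
TICKETS = [  # constructed sample input from the human sensor
    {"ts": "2024-03-04T09:45:00", "reporter": "helpdesk", "host": "web01",
     "text": "Users report web01 slow; admin saw an unknown cron job"},
]
ALLOW = {"scanners": {"10.0.0.9"},                  # hypothetical allow-list
         "expected_logins": {("backup", "10.0.0.5")}}


def run_pipeline():
    events = collect([(parse_auth, AUTH_LOG), (parse_ids, IDS_LOG),
                      (parse_ticket, TICKETS)])
    return analyze(events, ALLOW)


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Run as-is, the report names web01 as the only host with a real incident, dates its start to the first failed root login at 09:14:02 from 203.0.113.7, lists the auth log, the IDS and the helpdesk ticket as the sensors that saw it, and counts two false positives (the internal scanner's Nmap alert and the backup account's routine login on db01). The cron line is silently dropped because the auth parser does not recognise it, which is the kind of visibility gap the first step is meant to surface: a real pipeline would count unparsed lines rather than discard them.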