Which incident response step involves actions to protect critical systems while maintaining business operations?

Containment is the incident response step that directly focuses on protecting critical systems and maintaining business operations. This stage is crucial in preventing further damage during a security incident, ensuring that the impact is minimized, and that essential business processes can continue functioning.

By isolating affected systems, security teams can effectively limit the scope of the incident. This often involves implementing temporary solutions, such as shutting down compromised systems, blocking malicious traffic, or applying patches, while allowing unaffected systems and services to remain operational. The goal is to prevent the spread of the incident and to safeguard invaluable resources until a deeper investigation and recovery can take place.

This differs from other stages in the incident response process. Investigation is primarily focused on identifying the causes and details of the incident. Recovery involves restoring systems and services to normal operation after they have been fixed and secured. The lessons learned phase is all about reflecting on the incident to improve future responses and security measures. Therefore, containment is specifically tailored to deal with immediate risks and protect critical operations during an incident.