DRAG DROP Drag and drop the NIST incident response process steps from the left onto the actions that occur in the steps on the right.
Pretty sure this one follows the NIST order: Prepare goes with employee training, Analyze to identifying how/where the breach was hit, Contain is about stopping it from spreading, Eradicate is root cause removal, Recover is restoring ops, and Post-Incident Handling is for improving after. I matched based on that process. Anyone disagree?
- Conduct incident response role training for employees → Prepare
- Determine how the breach was discovered and the areas that were impacted → Analyze
- Determine where it started and prevent spread → Contain
- Eliminate root cause and update system → Eradicate
- Get ops going, prevent recurrence → Recover
- Analyze/document/strengthen after attack → Post-Incident Handling
Nice and clear question layout. Mapping is:
Analyze and document the breach, and strengthen systems against future attacks → Post-Incident Handling
Conduct incident response role training for employees → Prepare
Determine where the breach started and prevent the attack from spreading → Contain
Determine how the breach was discovered and the areas that were impacted → Analyze
Eliminate the root cause of the breach and apply updates to the system → Eradicate
Get systems and business operations up and running, and ensure that the same type of attack does not occur again → Recover
