Investigates suspected attacks. Recognises when an IT network or system has been attacked, e.g. by a remote host or by malicious code such as a virus, worm or Trojan, or when a breach of security has occurred. Responds to security breaches in line with security policy and records the incidents and the action taken. Takes immediate action to categorise and limit damage, according to the organisation’s security policy, which may include escalation to the next level, and records the incident and the action taken.