This Content Component encountered an error
Can you provide a sample incident response plan and offer suggestions as to who should be on an incident response team?

Here is a sample incident response plan. I found this at http://csrc.nist.gov/fasp/FASPDocs/incident-response/incident-response.doc.

The incident response team should have someone from senior management, the network administrator, security officer, possibly a network engineer and/or programmer, legal department, and a liaison for public affairs. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place.

(In reality, usually the technical team members are called to the scene to carry out their functions and the other team members may be called to update them on the situation and possibly ask them for direction pertaining to specific issues of the situation.)

The team should have proper reporting procedures established, have the ability to provide prompt reaction, have coordination with law enforcement, and be an important element of the overall security program.

When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure both uniformity in approach and that no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away. The sooner the documenting of events begins, the better, so if someone is able to document the starting time of the crime along with the company employees and resources involved, it would provide a good start. At this point, the company must decide if it wants to conduct its own forensics investigation or call in the big guns. If experts are going to be called in, the system that was attacked should be left alone, to try to preserve as much evidence of the attack as possible.

Resources:

http://www.cert.org/csirts/Creating-A-CSIRT.html

csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf

This was first published in November 2005

Dig deeper on Information Security Incident Response-Detection and Analysis

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close