Here is a sample incident response plan. I found this at http://csrc.nist.gov/fasp/FASPDocs/incident-response/...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
The incident response team should have someone from senior management, the network administrator, security officer, possibly a network engineer and/or programmer, legal department, and a liaison for public affairs. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place.
(In reality, usually the technical team members are called to the scene to carry out their functions and the other team members may be called to update them on the situation and possibly ask them for direction pertaining to specific issues of the situation.)
The team should have proper reporting procedures established, have the ability to provide prompt reaction, have coordination with law enforcement, and be an important element of the overall security program.
When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure both uniformity in approach and that no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away. The sooner the documenting of events begins, the better, so if someone is able to document the starting time of the crime along with the company employees and resources involved, it would provide a good start. At this point, the company must decide if it wants to conduct its own forensics investigation or call in the big guns. If experts are going to be called in, the system that was attacked should be left alone, to try to preserve as much evidence of the attack as possible.
Dig Deeper on Information Security Incident Response-Detection and Analysis
Related Q&A from Shon Harris
When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should ...continue reading
In today's security world, it's hard to keep track of each and every management standard and auditing procedure. In this SearchSecurity.com Q&A, ...continue reading
Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.