An organization's incident response is conducted by the computer incident response team, a carefully selected group that, in addition to security and general IT staff, may include representatives from legal, human resources, and public relations departments.
According to the SANS Institute, there are six steps
to handling an incident most effectively:
- Preparation: The organization educates users and IT staff of the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly.
- Identification: The response team is activated to decide whether a particular event is, in fact, a security incident. The team may contact the CERT Coordination Center, which tracks Internet security activity and has the most current information on viruses and worms.
- Containment: The team determines how far the problem has spread and contains the problem by disconnecting all affected systems and devices to prevent further damage.
- Eradication: The team investigates to discover the origin of the incident. The root cause of the problem and all traces of malicious code are removed.
- Recovery: Data and software are restored from clean backup files, ensuring that no vulnerabilities remain. Systems are monitored for any sign of weakness or recurrence.
- Lessons learned: The team analyzes the incident and how it was handled, making recommendations for better future response and for preventing a recurrence.
This was last updated in August 2005