Developing an incident response plan

BROWSE BY TAG Expert Archive: Security Management,   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Information Security Incident Response,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Expert Archive: Security Management What is the GISP certification and how does it compare to the CISSP certification? Using a QSA to write up a PCI DSS report on compliance (ROC) How can gap analysis be applied to the security SDLC? Comparing cheap security products and appliances to costly appliances What are some tips on protecting my security budget in a poor economy? What value do research firms provide to their subscribing enterprises? What certificate offers the best ROI for an IT project manager? Is insider activity or outsider activity a bigger enterprise threat? How does information security prevent fraud in the enterprise? Differences between an SAS 70 data center and a Tier III data center Information Security Incident Response Data breach notification legislation: What info must be released? Incident response planning Mature SIMs do more than log aggregation and correlation New partnerships, creative thinking help security bust recession Senators hear call for federal cybersecurity restructuring Tying log management and identity management shortens incident response Tabletop exercises sharpen security and business continuity Security incident response 101 Firms muddle security breach response, expert says Microsoft Conficker worm offers attack prevention lesson Information Security Incident Response Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary incident response  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Here is a sample incident response plan. I found this at http://csrc.nist.gov/fasp/FASPDocs/incident-response/incident-response.doc.

The incident response team should have someone from senior management, the network administrator, security officer, possibly a network engineer and/or programmer, legal department, and a liaison for public affairs. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place.

(In reality, usually the technical team members are called to the scene to carry out their functions and the other team members may be called to update them on the situation and possibly ask them for direction pertaining to specific issues of the situation.)

The team should have proper reporting procedures established, have the ability to provide prompt reaction, have coordination with law enforcement, and be an important element of the overall security program.

When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure both uniformity in approach and that no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away. The sooner the documenting of events begins, the better, so if someone is able to document the starting time of the crime along with the company employees and resources involved, it would provide a good start. At this point, the company must decide if it wants to conduct its own forensics investigation or call in the big guns. If experts are going to be called in, the system that was attacked should be left alone, to try to preserve as much evidence of the attack as possible.

Resources:

http://www.cert.org/csirts/Creating-A-CSIRT.html

csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf