The following excerpt is from Chapter 8, The Puzzle in Action of The Effective Incident Response Team, written by Julie Lucas and Brian Moeller and published by Addison-Wesley. Read the entire chapter here (Chapter 8 begins on page 17).
In the simplest form, everything with computers can be broken down
into ones and zeros. Similarly, computer security initiatives should always
reduce to their simplest form: policies. Policies
identify what is authorized and what is not, assign organizational
responsibilities, communicate acceptable levels of risk, and much
more. The policies may be expanded in the form of procedures, which
provide the step-by-step guidelines for putting the policies into action.
From there, it is a matter of implementing and configuring systems
appropriately, purchasing and adding security tools to monitor and
safeguard the systems, and training and authorizing end users to use
the resources appropriately.
When the policies and procedures are violated, a computer
incident (e.g., unauthorized access, denial of service) may have
occurred. To detect and respond to these violations of the organization's
security policies, incident response policies and procedures
should be in place. These policies may take the form of stand-alone
documentation, or they may be incorporated into other documentation
such as company security policies or disaster recovery plans.
NOTE: Unfortunately, not all organizations have existing computer
security policies. Many people view the writing of a security
policy as a huge undertaking that is nearly impossible
to accomplish. Depending on the level of support from upper
management, the task may be more daunting to complete in
some organizations than in others. In the ideal situation,
the organization has a security policy and is serious about
covering all facets of the security equation. If the organization
does not have existing policies, however, this omission should
not stop the development of a CIRT. Ideally the organization
will develop security policies in the near future or at the same
time as the CIRT is developed, but policies should not be
viewed as a mandatory requirement for the formation of a
CIRT.
This chapter focuses on the operational aspects of computer
incident response. Considerations that should be given to specific
incident-handling procedures will be described in detail, as will the
lifecycle of an incident. The information provided in this chapter can,
in turn, be used to write computer incident policies and procedures.
Together, these policies and procedures complete the incident response
puzzle by filling in the center piece. Because computer security
begins with policies, what better place to envision this piece of the
puzzle than in the center, where it belongs?
ABOUT THE BOOK
Summary
When an intruder, worm, virus or automated attack persists in targeting a computer system, having specific controls in place and a plan of action for responding to the attack or computer incident can greatly reduce the resultant costs to an organization. The implementation of a Computer Incident Response Team, whether it's formed with internal or external resources, is one safeguard that can have a large return on investment during a crisis situation. This book serves as a guide to anyone contemplating or being tasked with forming a Computer Incident Response Team. The creation of such a team is not a trivial matter and there are many issues that must be addressed up front to help ensure a smooth implementation. This book will try to identify most of these issues to help with the creation process. Once the team is formed and operational, this guide will continue to serve as a resource while the team evolves to respond to the ever-changing types of vulnerabilities.
Authors
Julie Lucas, CISSP, is the Security Practice Director at Global Network
Technology Services in Columbus, Ohio. As the director, she designs and
implements their computer security service offerings. Prior to GNTS, she became the first Naval Computer Incident Response Team (NAVCIRT) officer. She developed the NAVCIRT into a world-class incident response team responsible for detecting and reacting to computer security threats on Navy and Marine Corps systems worldwide. Brian Moeller, CISSP, is a Firewall and Network Security Consultant for the Ohio State University Network Security/Incident Response Team.