An incident management policy (IMP) is one element of an effective incident management program. The following tip on what to include in your policy is excerpted from
an article on incident management published by our sister publication Information Security magazine.
An effective incident management program must assign responsibilities and specify routine procedures in the event of an incident. The goal of incident management planning is to predetermine necessary actions and responses to specific classes of incidents, so that no one is expected to make decisions under pressure with minimal information.
Your first step is to create an incident management policy that clearly defines:
- What incidents are covered. For example, you may choose to omit low-level events from your plan: a minor policy violation, such as a user loading a game on his desktop or using an instant messaging app; a virus infection of one or two machines.
- Who is responsible for detection and reporting? Is detection of an attack a networking or infosecurity responsibility? Is IT or the business unit -- or both -- responsible for reporting?
- Who is responsible for business decisions related to the incident? Do you shut down the Web server? Is that a line manager's decision or the unit's senior VP?
- Who is responsible and accountable for ensuring timely recovery from an incident? IT personnel, yes, but someone on the business-side needs to be working with them and may have overall responsibility for getting back on line.
Next, getting down to brass tacks, your computer incident response team (CIRT) policy should specify first responders, responsibility for management of the response to a specific incident, and follow-up and reporting responsibilities. That's the mostly-technical first part of a more detailed and comprehensive IMP.
Besides the MIS and network technical staff who are first responders, who should be part of the IMP? At the very least: risk management, corporate legal, corporate security, public relations, human resources and labor relations, the office responsible for regulatory compliance, and all major business units with oversight and advisory responsibility.
This is a primary reason for locating the IMP as high in the organization as possible. None of those offices report to IT or the information security office (ISO), and the IT organization can't mandate and ensure their cooperation and participation.
Further, while initial response in many cases will be technical, IT staff can't make decisions in a vacuum. If a security incident requires taking the entire corporate network or a significant portion of it offline for a period of time, is that a decision the network security officer should be making on his own at 5 a.m.? If criminal or actionable activity is discovered or suspected, do you want a harried sysadmin deciding to call law enforcement and taking necessary steps to preserve critical evidence?
If a security breach is severe enough to require public disclosure, who determines that and who speaks for the organization? California's Database Security Breach Notification Act (SB 1386), which went into effect last July, requires companies to inform California customers of incidents involving the compromise of their names in combination with their Social Security, driver's license or credit card numbers. Someone other than the manager of database administration will need to decide to call the newspaper and/or send out notices to your customers, but who?
If an employee in the accounting office or a sales manager in the field is suspected of compromising the system or abusing company policy in a way that has an operational impact, you can't expect the MIS department to initiate disciplinary action. And, you won't want the infosecurity admin deciding to file a Suspicious Activity Report (SAR) for a regulated financial institution.
About the author
Fred Trickey, CISSP, is information security administrator at Yeshiva University in New York.
FOR MORE INFORMATION
- Read the Information Security magazine article Are you prepared? for a business blueprint for an effective incident management program.
- Peruse a collection of resources on incident response in this SearchSecurity Featured Topic.
This was first published in January 2004