Manage Learn to apply best practices and optimize your operations.

Developing an incident response plan

In this Ask the Expert Q&A, Shon Harris provides resources you can use to devise an effective incident response plan.

Can you provide a sample incident response plan and offer suggestions as to who should be on an incident response team?

Here is a sample incident response plan. I found this at http://csrc.nist.gov/fasp/FASPDocs/incident-response/...


The incident response team should have someone from senior management, the network administrator, security officer, possibly a network engineer and/or programmer, legal department, and a liaison for public affairs. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place.

(In reality, usually the technical team members are called to the scene to carry out their functions and the other team members may be called to update them on the situation and possibly ask them for direction pertaining to specific issues of the situation.)

The team should have proper reporting procedures established, have the ability to provide prompt reaction, have coordination with law enforcement, and be an important element of the overall security program.

When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure both uniformity in approach and that no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away. The sooner the documenting of events begins, the better, so if someone is able to document the starting time of the crime along with the company employees and resources involved, it would provide a good start. At this point, the company must decide if it wants to conduct its own forensics investigation or call in the big guns. If experts are going to be called in, the system that was attacked should be left alone, to try to preserve as much evidence of the attack as possible.




This was last published in November 2005

Dig Deeper on Information Security Incident Response-Information