The topic for day 18 of the Cyber Security Awareness Month is something that happens frequently in many organizations: information security incidents. Many companies have formal information security incident response teams, which help the organization diminish the impact of incidents. One fundamental element of any information security response plan has to be the information given to your boss during the crisis. Let's take a look at the incident response lifecycle diagram:
Source: Special Publication 800-61, Computer Security Incident Handling Guide, page 3-1
Preparation: When the team is preparing for an incident, you must determine which incidents are most likely to occur inside the organization. Risk analysis is crucial to determining which incidents are likely to affect the information assets of the company. With your boss you should identify the risks that the company is willing to take and those it will not take. Management should have a clear understanding that each risk they decide to accept for the company may become a future incident for which the company must be prepared. This is where you should prepare the elements required to respond to potential incidents if they occur: the technical and procedural elements, the organizational skills and, above all, the procedures that regulate the operation of the incident response team.
Detection and Analysis: There are several ways in which the incident response team can detect a security incident, such as alerts from monitoring systems, reports from employees or even reports from your own boss. In any of these cases there will be tremendous pressure from the people who reported it to know what happened and to take action against those responsible for the events. When you give the official report to your boss, include only truthful and accurate information about what happened, not speculation and assumptions, since much of this information may be used in legal proceedings or meetings with senior management, where any comment you make will be taken as absolute truth.
Containment, eradication and recovery: Once it is determined that the events constitute an information security incident, make an objective assessment of the situation, define a strategy of containment, eradication and recovery that is compatible with corporate strategies, and present to your boss a work plan that takes a pessimistic view of the task duration, so that you can respond to contingencies that may arise. When we talk about the compatibility of this plan with corporate strategy, it is important to weigh the following variables against the company's objectives: potential damage to resources, need for evidence preservation, service availability, time and resources needed to implement the strategy, effectiveness of the strategy, and the duration of the solution. Before you begin executing the plan, make sure your boss agrees with it, and keep him informed of any critical issues you run into. He will be your main support during the execution of this plan, and you want to keep him focused on the parts where you need that support.
Post-incident activity: Once the containment, eradication and recovery of the incident have been completed, meet with your boss and other stakeholders to discuss the lessons learned and devise recommendations to prevent similar events and to respond more effectively to such events in the future. The idea is to maintain your boss's commitment to the information security process and to all incidents that might occur in the future.
Do you have more recommendations? Feel free to page us here. I will be updating the diary with all your input.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.