There are many incident management models, but all share some basic characteristics. They all require that we identify the event, analyze it to determine the appropriate counteractions, correct the problem(s), and, finally, keep the event from happening again. (ISC)2 has broken out these four basic actions and prescribes seven phases in the incident management process: detect, respond, mitigate, report, recover, remediate, and learn.
An event is any occurrence that can be observed, verified, and documented, whereas an incident is one or more related events that negatively affect the company and/or impact its security posture.
The incident response policy should be clear and concise.
All organizations should develop an incident response team, as mandated by the incident response policy, to respond to the large array of possible security incidents. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place.
Incident management includes proactive and reactive processes. Proactive measures need to be put into place so that incidents can actually be detected in a controllable manner, and reactive measures need to be put into place so those incidents are then dealt with properly.
There are three different types of incident response teams that an organization can choose to put into place. A virtual team is made up of experts who have other duties and assignments within the organization. A permanent team of staff dedicated strictly to incident response can be cost prohibitive for smaller organizations. The third type of incident response team is a hybrid of the virtual and permanent models.
The incident response team should have the following basic items available:
- A list of outside agencies and resources to contact or report to.
- An outline of roles and responsibilities.
- A call tree to contact these roles and outside entities.
- A list of computer or forensic experts to contact.
- A list of steps to take to secure and preserve evidence.
- A list of items that should be included in a report for management and potentially the courts.
- A description of how the different systems should be treated in this type of situation.
When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure uniformity in their approach and make sure no steps are skipped.
First, the incident response team should investigate the report and determine whether an actual crime has been committed.
An incident response team should draft and enforce a basic outline of how all incidents are to be handled.
Incident handling should be closely related to disaster recovery planning and should be part of the company’s disaster recovery plan, usually as an appendix.
Incident handling should also be closely linked to the company’s security training and awareness program to ensure that these types of mishaps do not take place.
Employees need to know how to report an incident.
The incident response policy should also dictate how employees should interact with external entities, such as the media, government, and law enforcement.
A sound incident-handling program works with outside agencies and counterparts.
Detection
The first and most important step in responding to an incident is to realize that you have a problem in the first place.