The beginning of an incident can be as subtle as a user calling the help desk to report an unexplained "sluggishness" on their computer, or as chaotic as every alarm and pager in the Information Technology (IT) department sounding at once. Whether it is noticed by a user or by a detection system, the steps that lead to a successful investigation, containment and resolution of an incident remain the same. The incidents themselves can be as varied as missing files or a network slowing to a crawl, caused either by a deliberate outside attacker or by a mistake made on the inside of the network. Every IT department has faced or will face this scenario. Incidents will happen; it is the steps taken before an incident occurs that determine whether the outcome is a quick, successful resolution or a slow and costly battle.

Although there is no single standard for incident response, there are many resources to draw on for a general outline of how it should be handled. Best practice can be broken down into six steps: Preparation, Identification, Containment, Eradication, Recovery and Follow-up. It is the first step, Preparation, that this paper deals with in detail, because without it the remaining steps can turn chaotic and severely delay resolution.

We start where all information security starts: the policy. The security policy of an organization defines exactly what role the Incident Response Team (IRT) can and will take, how it should go about identifying an incident, and the steps it should then take to contain and eradicate the problem. Secondly, we define and discuss the roles an IRT plays within the organization and the actions that should be taken before an incident ever occurs. Lastly, we explore the proper chain of communication that should take place before, during and after an incident, so that all necessary parties are kept informed and involved without causing widespread panic throughout the organization.