Chapter 24. Reactive Security


Even though you cannot predict what kind of security incident you may fall victim to, you can prepare for the type of outage you might experience and plan your response. Your response to a security incident should be planned well in advance of any need for it. It should be a part of your information security policy or disaster plan. All business implications should have been evaluated and a policy based on business decisions should have been created. How security incidents are handled can have a profound effect on the company. No plan can handle every contingency. However, a general plan can be developed that can handle the majority of incidents.

Preparation is critical to a quick and successful response. The moment your system is under attack is no time to be making business decisions about what you should do. It is an even worse time to be creating policies and procedures, which is exactly what you will be doing by default.

Organizations generally spend a significant amount of time and money in the preparation of a business continuity plan that addresses natural disasters. However, it is unlikely that this plan adequately prepares for a disaster caused by a security incident, which is much more likely than a tornado, earthquake, fire, or flood. An incident response plan is a key element of the business continuity plan and requires the same level of attention. This means the same level of preparation and testing. An untested plan is only slightly better than no plan at all. If you haven't tested the plan, you have no assurance that it will be beneficial in the case of a security incident.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
