Creating an Incident Response Team

The first step in creating a successful incident response process is to identify and enlist the necessary staffing resources. It is not essential that these staff members devote all of their time to incident response, but defining the incident response team and the capacity in which each member will act removes uncertainty about who does what once an incident is under way. Even if you have personnel who devote all of their time to incident response, taking the time now to define the employees who will assist that core group (to provide either specialized skills or additional manpower) will save time during a large-scale response. Furthermore, the members of the incident response team will be in the best position to create, maintain, and update the processes and guidelines associated with incident response.

Obtaining an Executive Sponsor

Before selecting a team, you must obtain an executive sponsor for your incident response efforts. The sponsor should likely be the CEO or one of her direct reports, though this can differ based on the structure and size of your organization. You need the executive sponsor to help remove obstacles associated with implementing the policies that support your incident response work. You will also need the sponsor any time a policy must be enforced by a member of your organization who is reluctant to do so for fear of retribution. Metaphorically speaking, your sponsor is the edge of your sword. Although the sponsor does not need to be Chief Security Officer by title, this will likely be one of her roles.

Your sponsor will need to be kept aware of the activities of the incident response team. She will likely want some form of tangible reporting on the successes and challenges of the incident response team, as well as the details of any incident, so that she can educate other members of senior management on the importance of security to your organization. Coupling such reporting with an accurate assessment of risk and exposure can be a powerful tool during budget discussions and one that affects the incident response team's long-term potential for success.

Identifying the Stakeholders

After a sponsor is in place, you must identify all stakeholders so that they can be included in policy discussions. Although senior IT staff will likely perform most core activities during an incident response, other individuals will need to be involved to ensure that the response is optimally successful from an overall business perspective.

As just implied, the members of the incident response team will not be limited to technical staff. Although senior members representing each technical specialty (operating systems, networks, databases, development, and so on) will certainly rank among the team's core members, the team also needs to include key representatives from all the company's major lines of business. These business leaders will ensure that an incident response protects the most essential assets of their work, intrudes minimally on specific initiatives they might have under way, and protects their ability to be successful as a business unit and contribute to the company's overall success.

The team will also need supporting members from various administration groups such as helpdesk, internal communications, HR, and the legal department to ensure that labor laws continue to be observed and that the company minimizes liability during any incident response activities. The internal communications and helpdesk representatives will help facilitate communications with end users when such communications are required. The HR representative will be responsible for answering questions about overtime compensation, nonstandard working hours, union requirements, and the like. Regardless of whether the legal representative is internal or external to your organization, he must be familiar with the concepts of expectation of privacy, evidentiary procedure, and downstream liability, as well as the laws used in prosecuting computer crime, not only in your company's local jurisdiction but also worldwide. Rounding out the team will be members of your public relations department, who will be responsible for the communications described later in this chapter in the section "Creating a Communications Plan."

When not responding to incidents, team members can still conduct a wide variety of security-related activities. Some of these activities require additional planning and executive sponsorship, and all of them will benefit from a prescribed format that stems from process discussions about forming the incident response team. These activities include the following:

  • Staying up-to-date on patches issued by vendors

  • Staying up-to-date on industry trends by reading various online lists and IT trade periodicals

  • Conducting security awareness activities to inform all staff how they contribute to the security of the organization

  • Reviewing and testing new security products

  • Analyzing publicly available information about the organization

  • Baselining systems and reviewing related logs

  • Performing an architectural review of the company's networks from a security perspective

  • Testing restoration of systems from backup media

  • Auditing systems to ensure compliance with policy

  • Performing approved penetration testing of key systems

All these activities contribute in some manner to the incident response capability of your organization.
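The baselining activity in the list above is the one that most directly feeds an incident response: a team that has recorded what a host is supposed to look like can tell "changed" from "normal" within minutes instead of hours. The following is an added example, not code from the book or from the Windows Security Resource Kit, showing the comparison step: a stored baseline of services, listening ports, and local administrator group members is diffed against a fresh snapshot, and drift in categories the team considers sensitive is flagged for escalation. Both snapshots, the category names, and the SENSITIVE set are constructed assumptions for the illustration; on a real Windows host the snapshots would be collected with the system's own tooling (the service control manager, netstat, and the local group membership) and stored with the baseline.

```python
"""Compare a stored host baseline with a fresh snapshot and report deviations.

Added example for the "baselining systems and reviewing related logs" activity;
it is not code from the book. Snapshots are constructed inline, and the
category names and the SENSITIVE set are assumptions for this illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Categories whose drift an incident response team would normally escalate
# rather than merely log. This set is an assumption for the example.
SENSITIVE = {"local_admins", "listening_ports"}


@dataclass
class Drift:
    added: dict[str, list] = field(default_factory=dict)
    removed: dict[str, list] = field(default_factory=dict)
    changed: dict[str, list] = field(default_factory=dict)

    def is_empty(self) -> bool:
        return not (self.added or self.removed or self.changed)

    def escalate(self) -> bool:
        """True when any sensitive category drifted in any direction."""
        touched = set(self.added) | set(self.removed) | set(self.changed)
        return bool(touched & SENSITIVE)


def compare(baseline: dict, current: dict) -> Drift:
    """Diff two snapshots.

    Each snapshot maps a category name to a dict keyed by item name (service
    name, 'proto/port', account) whose value is the item's recorded attributes.
    """
    drift = Drift()
    for category in sorted(set(baseline) | set(current)):
        before = baseline.get(category, {})
        after = current.get(category, {})
        added = sorted(set(after) - set(before))
        removed = sorted(set(before) - set(after))
        changed = sorted(k for k in set(before) & set(after) if before[k] != after[k])
        if added:
            drift.added[category] = added
        if removed:
            drift.removed[category] = removed
        if changed:
            drift.changed[category] = [
                {"item": k, "was": before[k], "now": after[k]} for k in changed
            ]
    return drift


# Constructed sample data: the approved baseline recorded when the host was built...
BASELINE = {
    "services": {
        "wuauserv": {"state": "running", "start": "auto"},
        "Spooler": {"state": "running", "start": "auto"},
    },
    "listening_ports": {"tcp/3389": "TermService", "tcp/445": "System"},
    "local_admins": {"Administrator": "builtin", "CORP\\ServerAdmins": "group"},
}

# ...and a constructed snapshot taken during a routine review.
CURRENT = {
    "services": {
        "wuauserv": {"state": "stopped", "start": "disabled"},  # patching switched off
        "Spooler": {"state": "running", "start": "auto"},
        "svchost_helper": {"state": "running", "start": "auto"},  # service not in baseline
    },
    "listening_ports": {
        "tcp/3389": "TermService",
        "tcp/445": "System",
        "tcp/4444": "svchost_helper",  # new listener owned by the unknown service
    },
    "local_admins": {
        "Administrator": "builtin",
        "CORP\\ServerAdmins": "group",
        "backup_svc": "local",  # new local administrator
    },
}


def report(baseline: dict = BASELINE, current: dict = CURRENT) -> dict:
    """Produce a JSON-serialisable drift report with an escalation flag."""
    drift = compare(baseline, current)
    return {
        "escalate": drift.escalate(),
        "added": drift.added,
        "removed": drift.removed,
        "changed": drift.changed,
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

The report separates "added", "removed", and "changed" so that a reviewer sees not only that a service disappeared but what its recorded attributes were, and the escalation flag keys off the category rather than the item, so a new local administrator or a new listener is always raised to the incident lead regardless of what it is called. A value of False with a non-empty report is the routine case (a service restart, a new but approved port) and is what the periodic review is meant to absorb without opening an incident.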

Choosing a Team Leader

Once the members of the team are in place, the team needs a leader. The team leader will be responsible for the actions of the entire incident response team and will coordinate those actions as well as sessions on the lessons learned during the response process. These sessions should follow each incident response. In addition, such sessions should be conducted periodically throughout the year (for example, every six months). The team leader will use the lessons learned to make policy update recommendations.

The role of the team leader differs from that of the incident response leader. Each incident will require a leader who will direct the response activities. All communications regarding the incident's progress should flow through this incident response leader to ensure that no duplication of effort occurs and that the response team is optimally effective in its activities. The incident response leader is similar to a project manager in this respect.

Table 26-1 outlines the activities and roles of a typical incident response team.

Table 26-1. Incident Response Team Activities and Roles

The five role columns under "Basic permissions" give each role's relationship to the activity in that row: Owner, Implements, Advises, Updater (keeps the owner updated), Informed, or None.

Activity                                | Basic permissions
                                        | Incident Lead | IT Contact | Legal Representative | Public Relations Representative | Line of Business Management
----------------------------------------+---------------+------------+----------------------+---------------------------------+----------------------------
Performs initial assessment             | Owner         | Advises    | None                 | None                            | None
Provides initial response               | Owner         | Implements | Informed             | Informed                        | Informed
Collects forensic evidence              | Implements    | Advises    | Owner                | None                            | None
Implements temporary fix                | Owner         | Implements | Informed             | Informed                        | Advises
Sends communication                     | Advises       | Advises    | Advises              | Implements                      | Owner
Checks with local law enforcement       | Updater       | Informed   | Implements           | Informed                        | Owner
Implements permanent fix                | Owner         | Implements | Informed             | Informed                        | Informed
Determines financial impact on business | Updater       | Informed   | Advises              | Informed                        | Owner
Determines impact on brand or goodwill  | Informed      | Informed   | Advises              | Owner                           | Advises

Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189