Best Practices
Because time is of the essence when handling incidents, it is critical to do as much work up front as possible. This work includes the following:
Implementing preventative measures described throughout this book
Implementing policies that support incident response
Training all staff in their role in security
Selecting the people who will be involved in incident response and designating the roles each will play
Collecting and maintaining incident handling guidelines
Assembling a comprehensive and accurate contact sheet
In addition, difficult scenarios should be discussed by the incident response team and management to establish boundaries and predefine response goals. Team members and management should also discuss and agree upon aspects of involving the media and law enforcement agencies in an incident investigation. The more decisions you make up front, the easier incident response will be.
Your sponsor will be able to make the changes required to create the policies needed to support incident response. He also will be able to provide budget for training, staffing levels, and tools. For the most effective relationship with your sponsor, your team leader must be able to understand and communicate the core business issues to the sponsor and to present complex issues in a logical, concise manner.
By formalizing the team, even in cases where incident response is not the team's core activity, you will dramatically improve response times and capability while minimizing uncertainty and power struggles.
Make certain that the leader for each incident response is the most technically appropriate person for that type of incident. It does not make sense to use a senior Microsoft Windows technician for a mainframe issue. Nor does it make sense to use an infrastructure engineer whose focus is routers and switches as leader on an intrusion in a database system.