Organizational policies and practices are structural guidance that applies to forensic examinations. They are designed to ensure quality and efficiency in the workplace. In an effort to properly preserve evidence, you must have an incident response team (IRT) ready, and the team needs to know how to handle situations.
incident response team (IRT)
A team of individuals trained and prepared to recognize and immediately respond appropriately to any security incident.
Incident response plans are needed so that you can intelligently react to an intrusion. More importantly, there is the issue of legal liability. You are potentially liable for damages caused by a hacker using your machine, and you will want to preserve the evidence. You must be able to prove to a court that you took reasonable measures to defend yourself from hackers and present any evidence as clearly and concisely as possible. If a plan is not in place and duties are not clearly assigned, your organization could end up in a state of panic. The components of an incident response plan should include preparation, roles, rules, and procedures. Once your plan is in place, the incident response team members should be appointed. Realize that this team is not a full-time assignment; it is simply a group of people who have obligations to act in a responsible manner in case of an incident.
incident response plan
The actions an organization takes when it detects an attack, whether ongoing or after the fact.
Do not overlook the effect an incident will have on employees . The interruption to the workplace not only causes confusion, but also disrupts their schedules.
The incident response team is responsible for containing the damage and getting the systems back up and running properly. These steps include determination of the incident, formal notification to the appropriate departments, and recovering essential network resources. With this in mind, the team should be comprised of the following personnel:
Security and IT personnel
Someone to handle communication with management and employees
Someone to handle communication with vendors , business partners , and the press
Developers of in-house applications and interfaces
The entire team is responsible for the success of the incident handling, and the entire team should remain assembled until the incident is completely handled.
The basic premise of incident handling and response is that a company needs to have a clear action plan on what procedures should be in place when an incident happens. These procedures should include:
Identifying the initial infected resources by obtaining preliminary information about what kind of attack yoare dealing with and what potential damage exists.
Notifying key personnel, such as the security department and the response team.
Assembling the response team for duty assignment and deciding who will be the lead for the incident.
Diagnosing the problem, identifying potential solutions, and setting priorities. The security response team has to be clear about what to do, especially if the potential damage is high.
Escalating the problem to additional teams if necessary. The key is to understand what actually happened and how severe the attack was.
Gathering all of the information learned about the incident up to this moment and storing it in a secure location on secure media, in case it will be needed for potential legal action.
Communicating the incident. This may include reporting it to law enforcement, IT security companies, and possibly customers.
If an event is newsworthy, expect to be contacted by the media. Make sure someone is authorized to speak to the media.
The team should prepare an incident report to determine and document the incident cause and its ultimate solution. This report should be an internal document that puts everything, from the minute the incident was noticed until the minute service is restored, into perspective.
Local law enforcement relies on network administrators to report when their systems are hacked. Intrusion victims are often reluctant to call law enforcement. This reluctance has been reflected in the surveys conducted jointly by the Computer Security Institute and the FBI. Only 25 percent of the respondents who experienced computer intrusions reported the incidents to law enforcement.
If organizations do not report incidents, law enforcement cannot provide an appropriate or effective response. Networks are going to get more complex and more vulnerable to intrusions. Law enforcement agencies are familiar with computer crime investigations, view intrusions as important, and will respond appropriately. They are able to promptly refer reports to the proper agencies if they are not equipped to handle more complex cases.
Publicity is frequently an issue for victims of computer crime. Law enforcement has been trained to be sensitive to victims' concerns arising from the publicity and seizure of data from corporate networks. Many investigations also require information from the victim's incident response team.