Jesse James rides into town to rob your bank. He walks in and blows up the safe. In the process the bank is destroyed. Your situation is now very bad: no money, no safe and no bank. Now what do you do?
You, the information technology (IT) manager, may face the same situation: an infrastructure damaged beyond use. Now what do you do? One answer is to scramble, quickly try to repair the damage, or try to find another site. Suppose your data center burns to the ground. Let's look at the minimum steps needed to get the enterprise back on-line. Assume that you have a central data center and that all servers and mission-critical applications are located there. Assume also that you have off-site backups. The steps are as follows:
Assess the damage. Is there anything left that can be reused? Probably not. If the fire and smoke did not do enough damage, then the water from the fire trucks finished the job.
Notify internal and external business partners about the incident. Why? One of your partners may be trying to send you an order. If your warehouse was not damaged, you could still take the order over the phone.
Obtain a facility. (This alone can take several days.)
Obtain necessary office supplies and workspace.
Build and/or rebuild business processes via stand-alone systems and/or manual processes.
Obtain and install the necessary hardware components, such as:
WAN and LAN equipment, routers, servers, printers, and coffee machines
Obtain the necessary software and the backup tapes from off-site storage.
Execute pilot and system tests before going back on-line, including tests of system functionality and of the security controls.
The preceding steps represent just a small subset of the issues that will need to be addressed in a very short time. In reality, without proper planning, this process could take weeks or months. Can your business afford to be without IT infrastructure for that length of time?
Not all interruptions to an IT infrastructure come in the form of a disaster. A business also needs basic security practices to keep itself up and running. Consider the following example to help reinforce the point: You have just purchased a new car. It is a very nice car, with a $45,000 sticker price, loaded with the cool features that everyone wants. What will you do to protect your new car?
Install an antitheft alarm system.
Have a set of unique keys.
Have a deluxe locking gas cap.
Have a wireless system for navigation and for unlocking the car.
Have locking lugs on the wheels.
Not bad. You have taken all the right precautions, so now your car is 100% protected from being stolen? I'm afraid not. There are many ways to steal that car. In fact, with some social engineering, a thief could even get the door opened for him through the new "wireless" feature.
So now what can you do?
You must make a "best effort" to protect your business within the scope and budget needed to support the business. It is the same as with auto insurance: you would not want to pay more for the insurance than the car is worth, and the same logic applies to your business. Keep this in mind when deciding what level of security to implement and what it may cost. Your number-one goal should be to implement security such that continuity of operations is achieved and the business remains a viable entity.
The next step is "incident handling." Incident handling is a process that deals with an event that is unplanned and unexpected: a situation that requires immediate action to prevent a loss of business, assets, or public confidence. Incident handling has several goals:
Handle the security incident
Keep the business running
If needed, make a temporary fix for the intrusion
Facilitate the process of making a permanent fix for the intrusion
Incident handling includes several components:
A policy that outlines the strategy and requirements for incident handling
A plan that details the processes needed to support incident handling
Procedures that make up each step for each process
A team that will implement the procedures
It would be nice if a company never needed an incident response strategy. With today's attacks on web sites, however, you will need one. The key is to be prepared for these attacks. With that in mind, let's look at each step in creating a workable incident response strategy.