An incident handling plan means being prepared to deal with an incident before it actually occurs. Part of this process is trying to forecast what types of response you may encounter. Again, see your service levels for the level of response that may be required. It is critical to document these steps: documentation eliminates some of the ambiguity that arises during an incident. The following processes should be defined in your plan:
Identify the monitoring systems that will be used, such as alerts, trip wires, and so on.
Have a process that defines high-level steps of the corporate incident handling strategy (such as a flowchart). This should be distributed to every member of the incident handling team.
Establish a process that will notify the correct team members.
Create a process to test the incident handling system.
Forecast the costs of implementing and maintaining the incident response system.
Forecast the potential costs of not having an incident response system.
Create some initial communication documentation for dealing with the incident and/or outage.
Create communication documents that will be distributed to all personnel who need to know about an incident response team. For example, the Web Master will need to know about the team and its responsibilities. (The Web Master may even be on the team.)
A member from the incident response team must be a member of the security committee.
Maintain a list of phone numbers of personnel who will support the incident response team.
Define severity levels for the incident response process. Following are some examples:
Critical: The site may fail over to a backup, such as in the case of a fire or flood.
Severe: The site may be required to shut down for repair or restore (e.g., DDoS attack, Love Bug attack).
Moderate: The site may be required to block traffic from a particular IP address or domain name. This level may feed a future blacklist of URLs or IP addresses. This level could also be due to an internal procedure error, for example someone not following the change control process.
Low: This level should be reported as a minor incident and may not involve the incident response team.
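The severity levels above, the notification process, and the contact list only reduce ambiguity if they are written down precisely enough that two responders would reach the same answer. The following Python example, added here and not taken from the original text, turns the four levels into an explicit triage rule, routes notifications from a contact list, and includes a self-test of the kind the plan calls for. The incident attributes, the role names, the phone numbers and the sample incidents are constructed placeholders, not values from the original.

```python
"""Severity triage and notification routing for an incident handling plan.

Added example, not from the original text. Severity levels follow the plan:
Critical (fail over to backup, e.g. fire/flood), Severe (site shut down for
repair/restore, e.g. DDoS or a worm), Moderate (block a source, or an internal
change-control error), Low (minor incident, team may not be involved).
All contacts, role names and sample incidents are constructed placeholders.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    LOW = 1
    MODERATE = 2
    SEVERE = 3
    CRITICAL = 4


@dataclass
class Incident:
    summary: str
    # Hypothetical attributes a monitoring alert or a reporter could supply.
    physical_disaster: bool = False            # fire, flood, loss of the site
    service_down: bool = False                 # must shut down to repair/restore
    malicious_source: Optional[str] = None     # one offending IP or domain
    change_control_violated: bool = False      # internal procedure error


# Constructed stand-in for the plan's list of support phone numbers.
CONTACTS = {
    "on_call_analyst": "+1-555-0100 (placeholder)",
    "irt_lead": "+1-555-0101 (placeholder)",
    "webmaster": "+1-555-0102 (placeholder)",
    "security_committee": "+1-555-0103 (placeholder)",
    "facilities": "+1-555-0104 (placeholder)",
}


def classify(incident: Incident) -> Severity:
    """Map an incident to the plan's severity levels; the highest match wins."""
    if incident.physical_disaster:
        return Severity.CRITICAL
    if incident.service_down:
        return Severity.SEVERE
    if incident.malicious_source or incident.change_control_violated:
        return Severity.MODERATE
    return Severity.LOW


def involves_irt(severity: Severity) -> bool:
    """Low incidents are reported as minor and may not involve the team."""
    return severity >= Severity.MODERATE


def notify_list(severity: Severity) -> list:
    """Roles the notification process pages, cumulative by severity (assumed)."""
    recipients = ["on_call_analyst"]
    if severity >= Severity.MODERATE:
        recipients += ["irt_lead", "webmaster"]
    if severity >= Severity.SEVERE:
        recipients.append("security_committee")   # a team member sits on it
    if severity == Severity.CRITICAL:
        recipients.append("facilities")
    return recipients


def triage(incident: Incident, blocklist: set) -> dict:
    """Produce the documented response for one incident.

    The blocklist is the future blacklist the plan mentions; Moderate incidents
    with a known source add to it. Returns a record a responder can act on.
    """
    severity = classify(incident)
    actions = []
    if severity == Severity.CRITICAL:
        actions.append("fail over to backup site")
    elif severity == Severity.SEVERE:
        actions.append("shut down site for repair/restore")
    elif severity == Severity.MODERATE:
        if incident.malicious_source:
            blocklist.add(incident.malicious_source)
            actions.append(f"block traffic from {incident.malicious_source}")
        if incident.change_control_violated:
            actions.append("review change control process")
    else:
        actions.append("report as minor incident")
    return {
        "summary": incident.summary,
        "severity": severity.name,
        "irt_involved": involves_irt(severity),
        "notify": {role: CONTACTS[role] for role in notify_list(severity)},
        "actions": actions,
    }


def self_test() -> bool:
    """The plan's 'process to test the incident handling system', in miniature:
    constructed scenarios with the severity each must produce."""
    scenarios = [
        (Incident("flood in server room", physical_disaster=True), Severity.CRITICAL),
        (Incident("DDoS, site unreachable", service_down=True,
                  malicious_source="203.0.113.5"), Severity.SEVERE),
        (Incident("abusive scanner", malicious_source="198.51.100.7"), Severity.MODERATE),
        (Incident("untracked config change", change_control_violated=True), Severity.MODERATE),
        (Incident("single failed login", ), Severity.LOW),
    ]
    return all(classify(inc) == expected for inc, expected in scenarios)


if __name__ == "__main__":
    seen = set()
    for inc, _ in []:
        pass
    print(triage(Incident("abusive scanner", malicious_source="198.51.100.7"), seen))
    print("self-test passed:", self_test())
```

Keeping the classification rule and the notification table in one place means the flowchart the plan hands to every team member can be checked against executable logic, and the self-test can be run as part of the periodic exercise rather than discovered to be wrong during a real outage.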