One of the worst fears of any security organization is that a security incident will occur that it will have to address. Unfortunately, the reality is that sooner or later it is going to happen. Planning for incident response is a necessary function to ensure that your organization is prepared to deal with any incident that may present itself. The incident response flow can help you determine what to do in the event of an incident. The first thing you need to do is establish a computer incident response team (CIRT) to deal with any incident that may arise.
Next, you should plan for incident response and begin preparing to deal with incidents before they occur. Once you have discovered an incident, you need to observe the situation to determine exactly what is going on before deciding on the best method of handling the incident. During incident handling, you should notify all affected personnel of what is occurring and establish a method for the CIRT to communicate while it contains the incident. After you have properly contained the incident, you should gather the information required to report the incident to the relevant groups and organizations, including law enforcement. The last step is to recover from the incident by patching and repairing any systems that were compromised, and by closing or fixing whatever means were used to exploit the system. Remember, you cannot prevent all incidents; that is never going to happen. You have to be prepared to handle the incidents that you cannot prevent so that your organization can become fully operational again in the most rapid and reliable fashion possible.