Review the Incident Response Plan


Regardless of the philosophy of responding to a security incident, there must be a preplanned response. An incident response plan will establish management procedures and responsibilities to ensure a quick, effective, and orderly response to security incidents. Because incident response is not usually a revenue-generating activity, it can be difficult to obtain the necessary resources. However, careful and intelligent planning and justification can be key to illustrating the scope of the issues. All of the business implications should be evaluated, and a policy based on business decisions should be created.

The incident response plan should be the best-defined section of security procedures, yet it rarely is. The usual excuse is that the response will depend on the type of attack. Specific incident handling procedures are often created for specific types of incidents. These usually evolve from best practices and address simple intrusions such as computer viruses, compromised user authentication, or system scanning or probing. This may be true for the specifics. However, in general, the response to a security incident will be the same. Even though you cannot predict the kind of security incident to which you may fall victim, you can prepare for the type of outage you could experience and plan your response accordingly. Your outage will either be a system outage or a data outage. The attack will come from either a live attacker, a programmed threat, or both. In any case, the response process will be the same.

The response plan should contain certain topics to adequately prepare the organization for responding to an incident.

Hackers come prepared with the tools and knowledge they need to do battle. It is up to the system manager to be just as well organized, with preplanned responses and contingency plans. This groundwork should be laid before the system manager finds his system under attack. The moment when your system is going down in flames and all eyes are upon you is no time to be searching for solutions.

A good incident response plan will have defined and prioritized the response processes. It will have defined ownership of each process and will contain basic checklists for each process.



Halting the Hacker. A Practical Guide to Computer Security
Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
