Chapter 26. Review

Once the chaos of the situation has subsided and all the systems are restored to a normal mode of operation, it is time to take a clear look at the incident and perform a follow-up review. This follow-up stage is one of the most important phases of a security incident, yet, because the incident is by then under control, it is often skipped. Every incident is different and brings unexpected issues, so there is always something new to be learned.

This incident review should document the incident, determine the cost of the incident, evaluate the handling of the situation, and determine what further actions are required. The review process should include a cross-section of the organizations that were, or should have been, involved in the incident, and it should be monitored by management. This group will not only perform a postmortem of the incident but also plan the implementation of remedies to prevent recurrence and open up communication with users and others affected by or involved with the incident. It will need to determine the business impact of the incident. All in all, it is responsible for total quality process improvement. The group should take this opportunity to develop a set of lessons learned, improve future performance, and inform management of the steps taken during the incident. Additionally, the development of postmortem improvements will provide the opportunity to organize any documentation that may be necessary should legal action be required.

The scope of a post-incident review may, on the surface, seem overwhelming. However, most of the information should have already been gathered and documented in the individual logbooks of those who were involved in the incident. Documentation from a security incident will be plentiful. Everyone involved must keep a logbook that details his or her activities during the incident. Security monitoring systems generate a tremendous amount of information that was probably utilized during the incident. Information systems can monitor and log in the most excruciating detail. It is because of this overwhelming amount of detailed and technical information that condensed and summarized documentation of the incident is required.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210