INCIDENT RESPONSE TEAM POLICIES

When it comes to data, there will eventually be a security breach or possibly a natural disaster. How the incident is responded to is extremely important: the speed and effectiveness of the response will limit the potential damage and reduce any loss. A well-assembled incident response team (IRT) helps ensure that incidents are handled in a timely manner and that each incident is identified and contained. An incident response policy, once created and implemented, outlines how the organization should respond to a security incident in an efficient manner.
Incident Response Policy

An incident response policy is a plan created to outline an organization's response to any information security incident. The policy should contain information about the organization's incident response team, the roles of the team members, those responsible for testing the policy and putting it into action, and the tools and resources used to identify and recover any compromised data. It is created to deal with the aftermath of any incident.
If such a policy is not created and implemented, the response to an incident will be delayed, and any evidence risks being deleted if it is not found in a timely manner (Infosec Institute, 2018). The organization's policy will need to be clearly stated and understood by all members of the organization in order to be implemented correctly.

Incidents

An incident can be classified as any event that violates the security policies of an organization. The incident could cause disruption to an application, a system, or even the network. An incident could slow down a service, cause service outages, or result in unauthorized access to data. When classifying incidents, create a definition for each type so that it can be included in the incident response policy. Knowing the type of attack that needs to be dealt with is imperative to determining how to respond and how to stop the damage from the incident (Johnson, 2015). A security incident may involve any of the following (UC Berkeley, 2018):

Violation of campus security policies
Unauthorized access to any computer or data
Malicious software or viruses
Any unusual programs found on a computer system
Any misuse of information or services, such as sharing passwords
Computer theft

Incident Response Team

The incident response team members represent a cross-functional team drawn from several departments and multiple disciplines. A designated team allows members to coordinate plans and train together on the various ways to respond to an incident. The IRT is typically activated during major incidents. Common members include subject matter experts, information security representatives, human resources representatives, and a legal representative (Johnson, 2015). Pulling experts from each part of the organization will help when dealing with an incident.
A few people with knowledge of the various systems and their configurations have the skills to make a critical recommendation on how to stop the incident. A person with risk management and analytical skills can also contribute forensic knowledge and skills. A representative who deals with employees can help when an internal attack is involved, as they are experts on the HR policies and disciplinary actions that need to take place. A representative from the legal department understands the laws and regulations; this representative will review the incident response plan, policy, and procedures and can help communicate with law enforcement during an incident (Johnson, 2015). Another important role is the IRT lead. The lead communicates with upper management, declares the incident, and makes any final calls on responding to it. The lead will also maintain and update the written IRT protocols or incident response plan. Identifying the roles and responsibilities of each member also falls on the lead to update and maintain (Texas Department of Information Resources, 2017). It is important to list each member with their name and contact information in the incident response policy so that everyone knows whom to contact in the event of an incident. This should include any standing members, department heads, attorneys, and law enforcement if needed (Texas Department of Information Resources, 2017).

Incident Response

When it comes to incident response, it is best to follow the same procedure each time. With each incident, the team will learn and find ways to improve the response time. Incident response procedures fall into the phases of preparation, identification, containment, eradication, recovery, and post-incident (Infosec Institute, 2018). Following a model or flow chart can help with incident response and can be updated for each threat.
Example (Johnson, 2015):

Plan and Train
Discover and Report Incident
Contain
Clean-Up
Analyze and Prevent
Report

Each phase should be listed in the incident response policy. The preparation phase is when users and those responsible for the system are trained on how to respond to security incidents; risk assessments and user awareness training should be conducted during this phase (Infosec Institute, 2018). The identification phase is recognizing and detecting a security incident and determining its severity and priority level. The trigger could be anything from noticing something suspicious, an alert from antivirus software, filenames with unusual characters, an unknown local account on the server, or even failed logon attempts noticed in the server logs (Johnson, 2015). The containment phase isolates the systems that have been affected and prevents damage to other systems. The eradication phase searches for the cause and eliminates the threat. The recovery phase returns the affected systems to normal operation, and the post-incident phase is where documentation and investigation come into play (Infosec Institute, 2018).

A post-incident checklist and analysis should be performed after each incident. Learning and improving, follow-up reporting, data collection, and analysis can be conducted and discussed. Learning and improving can take place in a meeting with all parties involved, covering what happened, how everyone performed, whether anything should be done differently, and what additional tools or resources are needed to detect or analyze future incidents. A follow-up report is used to compile an event chronology, monetary estimates of the damage, and follow-up reports. Assessing the root cause of the incident will help pinpoint anything that should be changed to help prevent further incidents from occurring (Texas Department of Information Resources, 2017).
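As an added example (not part of the original essay or any of its cited sources), the following Python script shows what the identification phase's indicators look like in practice: it scans constructed log lines for the failed-logon bursts, unknown local accounts and unusual filenames named above, and assigns each finding a priority level so the team can rank the incident. The log format, the account allow-list and the threshold of five failures are assumptions made for the example.

```python
import re
from collections import Counter
# Constructed sample log lines (not from any real system), "<ts> <host> <event> key=value ..." format.
SAMPLE_LOG = """\
2024-01-05T09:00:01 srv1 logon_failed user=alice src=10.0.0.5
2024-01-05T09:00:02 srv1 logon_failed user=alice src=10.0.0.5
2024-01-05T09:00:03 srv1 logon_failed user=alice src=10.0.0.5
2024-01-05T09:00:04 srv1 logon_failed user=alice src=10.0.0.5
2024-01-05T09:00:05 srv1 logon_failed user=alice src=10.0.0.5
2024-01-05T09:01:10 srv1 account_created user=svc_tmp by=root
2024-01-05T09:02:00 srv1 file_created path=/tmp/.$svc.exe
2024-01-05T09:03:00 srv1 logon_ok user=bob src=10.0.0.7
"""
KNOWN_ACCOUNTS = {"root", "alice", "bob"}     # assumed allow-list of expected local accounts
FAILED_LOGON_THRESHOLD = 5                    # assumed tuning value for a "burst"
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2}
UNUSUAL_CHARS = re.compile(r"[^\w./-]")       # anything outside the usual filename character set

def parse_line(line):
    """Split one log line into its fixed fields plus key=value pairs."""
    ts, host, event, *kv = line.split()
    fields = {"ts": ts, "host": host, "event": event}
    for item in kv:
        key, _, value = item.partition("=")
        fields[key] = value
    return fields

def triage(log_text, known_accounts=KNOWN_ACCOUNTS):
    """Return a list of (priority, description) findings for the log text."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "logon_failed":
            failures[(rec["user"], rec["src"])] += 1
        elif rec["event"] == "account_created" and rec["user"] not in known_accounts:
            findings.append(("high", f"unknown local account created: {rec['user']}"))
        elif rec["event"] == "file_created" and UNUSUAL_CHARS.search(rec["path"]):
            findings.append(("medium", f"filename with unusual characters: {rec['path']}"))
    for (user, src), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("high", f"{n} failed logons for {user} from {src}"))
    return findings

def overall_priority(findings):
    """Highest priority among the findings, or 'none' when nothing was flagged."""
    return max((p for p, _ in findings), key=PRIORITY_RANK.get, default="none")
```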