Unit 11 Topic D: Incident Response Policies

An information security incident

A total data recovery failure

A backup server breach

A power failure in the server room

It must be reported to the appropriate person (probably the CSIRT team leader)

Whoever discovers the incident must perform an initial assessment of the event

Switch off the servers so that no more breaches can take place

Ignore it and hope it goes away

Whether an actual incident has taken place at all

How to minimise the risk

Who is going to be responsible for performing the incident response

Whether or not it is an internal security breach

Type of attack

Severity of attack

How much it will cost to resolve the incident

Whether or not to inform the police

Protecting people’s safety

Protecting sensitive data

Minimising disruption to computing resources

Ensuring that no-one knows that an incident has taken place

The nature of the attack

The origin of the attack

The intent of the attack

What systems & files were compromised

How much it will cost to resolve the incident

To be used as evidence

For data recovery

In case the evidence has been tampered with

Checks on data inconsistency

After evidence has been backed up but before the compromised system has been wiped

After the compromised system has been wiped but before external agencies are informed

As soon as the security breach has been identified

After the system backups have been restored

Legal representatives

The media

The IT department

The HR department

Computer Security Incident Response Team (CSIRT)

The Avengers

The A-Team

Cyber Response Unit Security Team (CRUST)