Home » Data Protection » Network Security

In Depth

Incident Response: When Bad Things Happen to Good Companies

If you don't have a clear incident response plan in place, you risk losing millions of dollars.

By Simone Kaplan

Page 4

The team also needs a certain degree of flexibility. "Response teams shouldn't be static," Wade says. "They can be added to or subtracted from at any time if you decide that something needs to change."

Once the team is in place, you'll need to create a contact lista staple of any response plan, says van Wyk. "If you overlook creating one, you do so at your peril," he says. It's essentially a phone tree, including emergency phone, pager and e-mail information for members of your incident response team. The list should also include contact information for outside authorities, such as local and state police, the FBI, CERT and any third-party provider that your company may rely on for backup assistance. Contacting the authorities won't be necessary for every incident, but it's good to have the information at your fingertips.

For continuity purposes, list contacts according to job function, authority and skill set rather than by name. That way, if someone leaves the company, you won't have to rework the entire list. It also means that there's a clear reporting structure in place: When an incident occurs at 3 a.m., for instance, and the system administrator sleeps through his pager alarm, the team member who discovers the incident can quickly alert the next person in the chain of command.Go with the FlowOnce your team is in place, you should create a diagram that spells out, step-by-step, what each part of the security organization needs to do when a breach occurs. And while the incident process needs to be flexible in order to handle various kinds of attacks, Silverstone says, you won't want to leave any of the steps in the diagram to interpretation. "Be precise. Everyone should know who to call and what to do in every type of situation," Silverstone says. "If you leave it open-ended and someone makes the wrong decision, you'll leave your organization open to liability."

Once you determine that you have a genuine incident on your hands, you and your designated team members can formulate a response strategy. Is the incident major or minor? Does it threaten vital business functions? Do you want to contain the incident and maintain business continuity, or do you want to allow the incident to unfold so that you can gather forensic evidence for an investigation further down the road? Should you contact outside agencies yet? Is it necessary to communicate with the general employee population? The answers to such questions will help the process move along more quickly and predictably, saving precious time and money, minimizing damage and maintaining business continuity for your company.