In Depth

Incident Response: When Bad Things Happen to Good Companies

If you don't have a clear incident response plan in place, you risk losing millions of dollars.

By Simone Kaplan


And it's not just an internal matter, says Macartney. "Customer confidence can be damaged if it appears the company has been remiss in its handling of security events. The company's reputation could be at stake."

But you can't protect everything completely, so you must prioritize, Macartney adds. By creating a specific strategy that states what to prioritize and how to react if an incident does happen, and by making your security organization capable of detecting, analyzing, and responding quickly and knowledgeably to an event, you can limit the damage done and lower the costs of recovery. And then, by knowing who to call and what to do next, you can decrease the amount of time it takes to recover and possibly spare yourself and your staff additional disasters along the way.

"The organizations that don't know how to respond to incidents are the ones that will really get hurt," says Kevin Connell, director of information security for the shared data center of the Securities Industry Automation Corp., which runs the computer systems and communications networks of the New York and American stock exchanges. "And while it's hard to protect against something you can't predict, it's not so hard to react decisively in crisis situations once you have a plan in place and a procedure to follow."

Getting Started

When thinking about incident response planning, remember that the best defense is a good offense. But before you do anything, says Ariel Silverstone, CISO at Temple University, it's important to define the nature of a cyberattack. That way, you can decide what constitutes an incident for your company (see "What's It to You?" at www.csoonline.com/printlinks). Generally speaking, a computer incident is anything that potentially compromises the confidentiality, integrity or availability of a computer system. Sometimes such incidents are real, like a service outage. Other times, the incident is merely a perceived attack, like when a file disappears because an employee simply moved it from one server to another without telling anyone.

Drafting the response plan includes four main activities, according to Kenneth van Wyk, coauthor of Incident Response and director of technology for Tekmark Global Service's technology risk management practice. First, pull together a response team that broadly represents the entire organization (HR, legal, media relations) and build a phone list to make alerting the necessary people more efficient. Then, create an incident reporting form, a checklist of sorts, to help document the incident and track costs along the way. Next, build a flow chart detailing the process that the team should follow during an incident (see chart, Page 56). And finally, map out a post-incident review process to ensure continuous improvement with your overall plan. Each part will play an important role in helping you deal with incidents before, during and after they occur.

Go Team

Incident response teams go by different names in different companies: Some call it the IRT; others use the acronym CIRT or CSIRT, for computer security incident response team. Whatever you call it, the group is pretty much your version of a SWAT team, called into action when a computer incident occurs.
