Incident Response Plan


Chapter Summary

  • Planning for unexpected events is usually the responsibility of managers from both the information technology and the information security communities of interest.

  • For a plan to be seen as valid by all members of the organization, it must be sanctioned and actively supported by the general business community of interest.

  • Some organizations are required by law or other mandate to have contingency planning procedures in place at all times, but all business organizations should prepare for the unexpected.

  • Contingency planning (CP) is the process by which the information technology and information security communities of interest position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets, both human and artificial.

  • CP is made up of four major components: the data collection and documentation process known as the business impact analysis (BIA), the incident response (IR) plan, the disaster recovery (DR) plan, and the business continuity (BC) plan.

  • Organizations can either create and develop the three planning elements of the CP process (the IR, DR, and BC plans) as one unified plan, or they can create the three elements separately in conjunction with a set of interlocking procedures that enable continuity.

  • To ensure continuity during the creation of the CP components, a seven-step CP process is used:

    1. Develop the contingency planning policy statement.

    2. Conduct the BIA.

    3. Identify preventive controls.

    4. Create contingency strategies.

    5. Develop a contingency plan.

    6. Ensure plan testing, training, and exercises.

    7. Ensure plan maintenance.

  • Four teams of individuals are involved in contingency planning and contingency operations: the CP team, the IR team, the DR team, and the BC team. The IR team ensures the CSIRT is formed.

  • The IR plan is a detailed set of processes and procedures that plan for, detect, and resolve the effects of an unexpected event on information resources and assets.

  • For every scenario identified, the CP team creates three sets of procedures—for before, during, and after the incident—to detect, contain, and resolve the incident.

  • Incident classification is the process by which the IR team examines an incident candidate and determines whether it constitutes an actual incident.

  • Three categories of incident indicators are used: possible, probable, and definite.

  • When any one of the following happens, an actual incident is in progress: loss of availability of information, loss of integrity of information, loss of confidentiality of information, violation of policy, or violation of law.

  • DR planning encompasses preparation for handling and recovering from a disaster, whether natural or man-made.

  • The DR plan must include crisis management, the action steps taken during and after a disaster.

  • BC planning ensures that critical business functions continue if a catastrophic incident or disaster occurs. BC plans can include provisions for hot sites, warm sites, cold sites, timeshares, service bureaus, and mutual agreements.

  • Because the DR and BC plans are closely related, most organizations prepare the two at the same time and may combine them into a single planning document called the business resumption (BR) plan.

  • All plans must be tested to identify vulnerabilities, faults, and inefficient processes. Several testing strategies can be used to test contingency plans: desk check, structured walk-through, simulation, and full-interruption.

  • Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. E-discovery is the identification and preservation of evidentiary materials related to a specific legal action. Digital forensics and e-discovery are related in that digital forensics tools and methods may be deployed to conduct e-discovery or to extract information identified during e-discovery; however, e-discovery may simply focus on extensive e-mail and database searches to identify information related to specific key terms.

  • Most organizations cannot sustain a permanent digital forensics team. Even so, people in the InfoSec group should be trained to understand and manage the forensics process.

  • In digital forensics, all investigations follow the same basic methodology: identify relevant items of evidentiary value; acquire (seize) the evidence without alteration or damage; take steps to ensure that the evidence is verifiably authentic at every stage and is unchanged from the time it was seized; analyze the data without risking modification or unauthorized access; and report the findings to the proper authority.
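The "verifiably authentic at every stage" requirement is usually met by hashing the evidence at seizure and re-hashing it at each later handling step. The following is an added example, not code from the textbook: a constructed byte string stands in for a disk image, and a hypothetical custody record logs each stage and reports whether the item still matches its acquisition hash.

```python
"""Evidence-integrity record for the forensics methodology above.

Added example (not from the textbook): a constructed evidence image is hashed
at acquisition, and every later stage (analysis, reporting) re-hashes it and
appends an entry to a custody log. The hash is compared against the value
recorded at seizure, so any modification is detected at the stage it occurs.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def digest(data: bytes) -> str:
    """SHA-256 of the evidence bytes, the same algorithm used at seizure."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    item_id: str                      # hypothetical evidence tag
    acquisition_hash: str             # hash recorded when the item was seized
    log: list = field(default_factory=list)

    def record_stage(self, stage: str, handler: str, data: bytes) -> bool:
        """Re-hash the item at this stage; return True if it still matches."""
        current = digest(data)
        intact = current == self.acquisition_hash
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "stage": stage, "handler": handler,
            "sha256": current, "intact": intact,
        })
        return intact


def acquire(item_id: str, data: bytes) -> CustodyRecord:
    """Acquisition step: seize and hash the item without altering it."""
    rec = CustodyRecord(item_id, digest(data))
    rec.record_stage("acquisition", "examiner-1", data)
    return rec


# Constructed sample evidence standing in for a disk image.
EVIDENCE = b"constructed sample disk image bytes\n" * 1024

if __name__ == "__main__":
    rec = acquire("EV-0001", EVIDENCE)
    print(rec.record_stage("analysis", "examiner-2", EVIDENCE))   # True
    tampered = EVIDENCE[:-1] + b"X"
    print(rec.record_stage("report", "examiner-2", tampered))     # False
```

A failed check marks the log entry `intact: False`, which tells the examiner exactly which handling stage broke the chain of custody.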
