Incident Response Plan


Incident Response Policy

An important early step for the CSIRT is to develop an IR policy, the policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams. NIST’s “Special Publication 800-61, Rev. 2: Computer Security Incident Handling Guide” identifies the following key components of a typical IR policy:

  • Statement of management commitment

  • Purpose and objectives of the policy

  • Scope of the policy (to whom and what it applies and under what circumstances)

  • Definition of InfoSec incidents and related terms

  • Organizational structure and definition of roles, responsibilities, and levels of authority; this should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident management process

  • Prioritization or severity ratings of incidents

  • Performance measures (discussed in Chapter 9)

  • Reporting and contact forms *

    * Cichonski, P., T. Millar, T. Grance, and K. Scarfone. “Special Publication 800-61, Rev. 2: Computer Security Incident Handling Guide.” Accessed 7/12/15 from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

The IR policy, like all policies, must gain the full support of top management and be clearly understood by all affected parties. It is especially important to gain the support of those communities of interest that will be required to alter business practices or make changes to their IT infrastructures. For example, if the CSIRT determines that the only way to stop a massive denial-of-service attack is to sever the organization’s connection to the Internet, it should already hold a signed document, stored in an appropriate secured location, that preauthorizes such action. This ensures that the CSIRT is performing authorized actions, and it protects both the CSIRT members and the organization from misunderstanding and potential liability.
