Security Basics mailing list archives
R: incident response - management approach
From: "Alessandro Bottonelli" <abottonelli () libero it>
Date: Mon, 21 Oct 2002 23:39:23 +0200
We would like to set up a list of rules for incident response.
We just happen to be working on a project for that.
Therefore I would like to welcome any suggestions, links or articles on what an organisation should do after a minor, medium or major incident has happened in a company (not only cyber-crime)?
No links, but some pearls of wisdom :-) after six months into the project:
- You need a risk assessment and a policy to define what is a major, medium or minor incident.
- You need to know that something has happened at all, so you need a monitoring activity and a monitoring team.
- You need to be "proactive" (as you suggest), so you need a team that continuously tries to find vulnerabilities and exploits in your infrastructure and reports them to the organization in a structured manner.
When to contact the law enforcement agencies:
- A matter of policies again and of network/computer forensics "post mortem". High damages (whether in money or reputation) may be worth a report to the police, others may need just an internal investigation (if insiders are involved), others are not worth the aggravation ....
... Even incident response perhaps is partially a top management activity?
Most definitely YES! There are responses that are top management responsibility (think of a major bank network under attack, only top management can be in the position to decide to "pull the plug off" ... ).
--
Alessandro Bottonelli
Axis-Net, Italy
A.Bottonelli () axis-net it
abottonelli () libero it