PaulDotCom mailing list archives

Incident Response Tracking


From: helliott at knology.net (helliott at knology.net)
Date: Thu, 7 Jan 2010 07:49:18 -0500

On Thu 10/01/07 6:00 AM, pauldotcom-request at mail.pauldotcom.com sent:
        Re: Pauldotcom Digest, Vol 16, Issue 7

        To those who have a system in place for incident handling, what are your
 thoughts? What have you found works for you and why? What would you do
 different if you could?

        We have an online system for many of the reasons you cite.  It has
its problems, but it also serves us reasonably well.  We are also in
the process of completely rewriting it after objectively evaluating
our process.  Our main focus is a system that supports handoff of the
event from one part of the IR team to another.  IA staff receive the
incident and enter it into the system, then the techs pick it up and
work on it - for example, determining the internal IP, the person(s)
involved, correlating firewall or server logs with the event, etc.
This really is not possible with a spiral notebook unless you are
willing to do a lot of phone calling, emailing, note-taking, etc.

        My advice to you is to focus on the PROCESS, then pick a tool (or
design one) that supports your process.  DO NOT start with a tool
(notebook or automated) then figure out how to live within that tool.
 This is essentially what we did wrong, and we now have a tool that
has not grown with our procedural evolution.  Spend time flowcharting
a process, determining what data must be tracked and what reports are
desired, what statuses will be demanded by management, etc., roles
played within the process, writing policies (if required) and
procedures to support the process, collect the data in your paper
format if desired, evolve the process, and *then* build a tool that
supports the process.
 Herndon Elliott
 Madison, AL
 CNSNEWS.COM REPORTER: "Madame Speaker, where specifically does the
Constitution grant Congress the authority to enact an individual
health insurance mandate?"
 SPEAKER OF THE HOUSE NANCY PELOSI, D-CALIF.: "Are you serious? Are
you serious?"
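The handoff-centred tracker the post describes, as an added illustration that is not the poster's system: IA staff enter the event, techs pick it up, nothing closes until the internal IP, persons involved and correlated logs are recorded, and every handoff is logged so management can be given status counts. Role names, status names and required fields are assumptions drawn from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical handoff model, not the poster's system. Roles ("ia", "tech"),
# statuses and required fields are assumptions drawn from the post.
TRANSITIONS = {  # (from_status, to_status) -> role allowed to make the move
    ("new", "assigned"): "ia",            # IA staff receive and enter the incident
    ("assigned", "in_progress"): "tech",  # techs pick it up and work it
    ("in_progress", "closed"): "tech",
}
# Data a tech must have recorded before the event can be closed.
REQUIRED_TO_CLOSE = ("internal_ip", "persons_involved", "correlated_logs")


@dataclass
class Incident:
    ident: str
    status: str = "new"
    data: dict = field(default_factory=dict)
    history: list = field(default_factory=list)  # handoff audit trail

    def handoff(self, to_status, actor, role):
        """Move the incident to to_status; enforce role and required data."""
        if TRANSITIONS.get((self.status, to_status)) != role:
            raise PermissionError(f"{role} may not move {self.status} -> {to_status}")
        if to_status == "closed":
            missing = [k for k in REQUIRED_TO_CLOSE if not self.data.get(k)]
            if missing:
                raise ValueError(f"cannot close, still missing: {missing}")
        self.history.append((datetime.now(timezone.utc), actor, self.status, to_status))
        self.status = to_status
        return self.status


def status_report(incidents):
    """Count incidents per status, the summary management tends to ask for."""
    report = {}
    for inc in incidents:
        report[inc.status] = report.get(inc.status, 0) + 1
    return report


def demo():
    inc = Incident("INC-0001")  # constructed sample incident
    inc.handoff("assigned", "ia-desk", "ia")
    inc.handoff("in_progress", "tech-bob", "tech")
    inc.data.update(internal_ip="10.0.0.5", persons_involved=["jdoe"],
                    correlated_logs=["firewall entries for 2010-01-07"])
    inc.handoff("closed", "tech-bob", "tech")
    return inc
```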
