Seven Tips for Effective Incident Response Policies
Incident response (IR) has great value to IT security professionals. Each incident is unique, but there are some common policies that need to be in place for proper preparation of the response team and the corporate staff. Here are the top seven policies necessary to help prepare for an incident response effort:
- AUP—The corporate acceptable-use policy (AUP) defines the actions allowed by the computer user on the machine or network. IR personnel need to know this policy so that they can determine what activities are normal and what activities are not acceptable on the computer or the network.
- Privacy—What is the expectation of privacy for each computer user when performing the various activities on the system? Each user will perform actions during the normal course of events that can impact privacy. The overarching privacy policy can provide guidance to the user when performing typical activities such as searching web sites, online banking and social networking. All of these can have major impacts on IR events.
- Containment—What are the first steps to be taken by incident responders? When approaching an incident scene, review what is occurring on the computer screen. If data are being deleted, pull the power plug from the wall; otherwise, perform a real-time capture of system volatile data first. Evaluate what network or systems are being affected.
- Version control—What is the corporate patch management policy? By whom and when are patches tested, loaded, evaluated? Who controls the configurations of the servers and network devices? All of these questions should be answered in the version control policy that gives the incident responder the baseline to work from when investigating an incident.
- Communications—This policy covers who communicates to the corporate staff, the users, the workers, and the customers and clients of your organization when something happens. By whom and how the issue is communicated to the shareholders, the public, the media, and even local emergency and law enforcement officials should also be included in this policy.
- Reporting—Clearly define to whom and when the various activities are reported. Just as important is who is not reported to, since an incident could have an insider component.
- Backup—This policy sets the boundaries for recovery from the incident. How far back in time is data retained, where is it kept, and what are the procedures for the daily, weekly and monthly backups of server or network data? These questions are answered in the backup policy, which incident responders need in order to return the system or network to normal business operations.
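As an added illustration of the "capture volatile data first" step under Containment (example code, not from the original article): a minimal POSIX shell triage collector that records process, socket, route and login state in order of volatility, logs each command and its exit status to a manifest, and hashes every artefact so later tampering is detectable. The output directory and the list of collector commands are assumptions; a collector missing from the host is logged as skipped rather than aborting the run.

```shell
#!/bin/sh
# Added example, not part of the original article: volatile-data triage
# collector for a Linux/Unix host. Output directory and command list are
# assumptions. Usage: collect_volatile <output-dir>

# Run one collector, recording the command, UTC start time and exit status
# in the manifest so the evidence carries a record of how it was taken.
run_collector() {
    outdir="$1"; name="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "skip: $1 not present on this host" >>"$outdir/manifest.txt"
        return 0
    fi
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) run: $*" >>"$outdir/manifest.txt"
    # The if-form keeps a non-zero collector exit from aborting under set -e.
    if "$@" >"$outdir/$name.txt" 2>&1; then status=0; else status=$?; fi
    echo "exit=$status -> $name.txt" >>"$outdir/manifest.txt"
}

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    : >"$outdir/manifest.txt"
    # Order of volatility: most transient state first (running processes,
    # network sockets, routes), then logged-in users, then host identity.
    run_collector "$outdir" processes ps -ef
    run_collector "$outdir" sockets   ss -tunap
    run_collector "$outdir" routes    ip route show
    run_collector "$outdir" users     who
    run_collector "$outdir" uptime    uptime
    run_collector "$outdir" host      uname -a
    # Hash every artefact (manifest included) once collection is complete.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && for f in *.txt; do sha256sum "$f"; done) \
            >"$outdir/HASHES.sha256"
    else
        echo "skip: sha256sum not present" >>"$outdir/manifest.txt"
    fi
    return 0
}
```

Run it to removable or network storage rather than the suspect host's own disk, so collection does not overwrite evidence you may need later.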
Having the proper incident response policies and processes in place is crucial to any incident response plan. As with any corporate security policy, an organization must review them at least annually, as part of an overall incident response testing program, and update them as needed when the environment changes.
July 21, 2010