Form One or More Incident Response Teams
Cross-functional Incident Response Teams (IRTs) are your basic weapons against all types of data security attacks. The proper staffing and training of these teams is critical to your success in dealing with security incidents. Whether you need one or ten teams depends on your business environment. In any case, each team should consist of the following:
- A team manager. This person has overall responsibility to ensure business objectives are met during a data incident response activity. In addition, she is responsible for communicating status to senior management.
- A technical lead. The technical lead is charged with assessing the scope of impact of an incident on the technology infrastructure. He’s also responsible for containment and recovery activities as they relate to data processing systems. The technical lead supervises the following members of the IRT:
  - One or more network engineers
  - One or more programmers
- Public relations. This person is responsible for communicating with shareholders, the press, and other outside entities.
- Security. The IS Security team is usually the first responder to any incident. The members of this team are also responsible for providing oversight during containment, eradication, and data recovery operations.
- IS Support. The support team can:
  - Assist with containment
  - Establish alternate methods of information processing when primary systems or network paths are disrupted
  - Assist with system recovery tasks
- Physical security. Securing the facility and responding to human intrusions and alerts are the responsibility of this role.
- Facilities management. Responsibilities for resolving power issues, locating and coordinating the move to alternate facilities, and structural assessments and repair fall here.
Overall responsibilities of an IRT
Your IRTs have three primary responsibilities.
- To prevent data security incidents
- To respond to incidents when they occur
- To take steps after an attack or outage to improve the organization’s incident prevention, detection, and response capabilities
The prevention of security incidents is essentially an exercise in managing risk in a reasonable and appropriate manner, including:
- Identification of threat/vulnerability pairs through
  - Vulnerability assessments
  - Penetration testing
  - Vulnerability reports from vendors as well as private and government sources
- Assessment of the probability that a threat will exploit one or more vulnerabilities
- Assessment of potential business impact if specific events occur
- Development of action plans, based on sound risk management principles, to proactively mitigate risk
Once a data loss incident occurs, your IRTs must have the skills necessary to quickly react in a way that minimizes business impact. To accomplish this, each team member must understand how to:
- Analyze incident data
- Determine the scope and nature of the incident
- Communicate with other data recovery teams, including knowing what information must be communicated
Recommendations as to how each of these activities should be executed are provided later in this series.
The IRTs’ responsibilities don’t end once they complete recovery operations. As we’ll examine in the following articles, post-recovery activities are a very important part of incident management. These activities include understanding how to improve prevention and detection controls, how to further reduce business impact, and the development of an action plan to make the necessary adjustments to incident response teams and documentation.