It's important to document and keep track of all incidents that occur within the organization.
Keeping proper documentation helps a professional determine whether a similar incident has occurred in the past and what actions were taken.
When documenting an incident, it's important to include as many details as possible in the description and to record the time and date, location, persons involved, actions taken to resolve the issue and lessons learnt.
Types/category definitions
There are many types or categories of incidents. Some of these are:
Web-based threats
Email threats
Theft or loss of equipment
External
When an incident occurs, it's important that the right persons are involved to help resolve the issue.
The organization may have a dedicated incident response team that is trained in resolving security incidents.
The IT Security Management team and IT technical staff may also be involved in remediating the security incident.
Whenever an incident occurs, it should always be reported with as many details as possible.
When reporting a security incident, it's important to be very detailed.
Keeping records of incidents helps security professionals look for patterns of similar incidents in past records.
The report should include as many details as possible in the description and should record the time and date, location, persons involved, actions taken to resolve the issue and lessons learnt.
If a person within the Technical team is unable to resolve the issue, the incident should be escalated to someone senior with more expertise in security.
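The documentation and escalation points above can be put into working form as a small incident register. This is an added example, not code from the original notes: it enforces the fields the notes say every report must carry (time and date, location, persons involved, description, actions taken, lessons learnt), looks up earlier incidents in the same category that share keywords with a new report, and records an escalation to a more senior person. The category names are taken from the notes; the sample incidents, the keyword matching rule and the escalation helper are constructed assumptions for illustration.

```python
"""Added example (not part of the original notes): a minimal incident register.
Sample incidents, the keyword-overlap rule and the escalation helper are
assumptions made for this illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set

# Incident categories named in the notes.
CATEGORIES = {"Web-based threat", "Email threat", "Theft or loss of equipment", "External"}

# Common words that would otherwise make unrelated incidents look similar.
STOPWORDS = {"there", "which", "their", "about", "after", "before", "reports"}


def keywords(text: str) -> Set[str]:
    """Lower-cased words of more than four letters, minus stopwords."""
    return {w.lower().strip(".,;:()") for w in text.split() if len(w) > 4} - STOPWORDS


@dataclass
class Incident:
    when: datetime
    location: str
    category: str
    description: str
    persons_involved: List[str]
    actions_taken: List[str] = field(default_factory=list)
    lessons_learned: str = ""
    escalated_to: Optional[str] = None

    def validate(self) -> List[str]:
        """Return the list of things missing from the report; empty means it can be filed."""
        problems = []
        if self.category not in CATEGORIES:
            problems.append(f"unknown category {self.category!r}")
        if len(self.description.split()) < 5:
            problems.append("description too short; record as many details as possible")
        if not self.location.strip():
            problems.append("location missing")
        if not self.persons_involved:
            problems.append("no persons involved recorded")
        return problems


class IncidentRegister:
    def __init__(self) -> None:
        self._log: List[Incident] = []

    def file(self, incident: Incident) -> Incident:
        """Refuse incomplete reports so the register stays useful for later lookups."""
        problems = incident.validate()
        if problems:
            raise ValueError("incomplete report: " + "; ".join(problems))
        self._log.append(incident)
        return incident

    def similar(self, incident: Incident) -> List[Incident]:
        """Past incidents of the same category whose description shares a keyword."""
        words = keywords(incident.description)
        return [past for past in self._log
                if past is not incident
                and past.category == incident.category
                and words & keywords(past.description)]

    def escalate(self, incident: Incident, senior: str) -> None:
        """Record that first-line staff handed the incident to someone more senior."""
        incident.escalated_to = senior
        incident.actions_taken.append(f"escalated to {senior}")


def demo_register() -> IncidentRegister:
    """Register pre-filled with two constructed past incidents."""
    reg = IncidentRegister()
    reg.file(Incident(datetime(2023, 3, 2, 9, 15), "Finance office", "Email threat",
                      "Phishing email with a malicious invoice attachment opened by a user",
                      ["A. Clerk", "Helpdesk"],
                      actions_taken=["mailbox rule removed", "password reset",
                                     "attachment blocked at gateway"],
                      lessons_learned="Enable attachment sandboxing at the mail gateway"))
    reg.file(Incident(datetime(2023, 5, 11, 14, 0), "Warehouse", "Theft or loss of equipment",
                      "Laptop left in a vehicle overnight was stolen",
                      ["B. Driver"],
                      actions_taken=["remote wipe issued", "police report filed"]))
    return reg


if __name__ == "__main__":
    reg = demo_register()
    new = Incident(datetime(2024, 1, 8, 8, 30), "Sales office", "Email threat",
                   "User reports a phishing email asking for credentials", ["C. Rep"])
    for past in reg.similar(new):
        print(f"similar: {past.when:%Y-%m-%d} {past.location}: {past.actions_taken}")
    reg.escalate(new, "Senior Security Analyst")
    reg.file(new)
```

The `similar` lookup is what turns the register from a log into something that answers "has this happened before, and what did we do?"; the `validate` step is what makes that lookup possible, since a report without a category or a usable description cannot be matched later.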
Some companies will have a Cyber-Incident Response Team (CIRT), which is responsible for monitoring and resolving all security incidents within the organization.
The CIRT is made up of professionals who are trained and qualified in various security incident response techniques.
Most importantly, the CIRT is focused on incident response, analysis and reporting.
Designing an incident response plan is good, but the plan needs to be tested regularly.
The plan should be tested a few times per year.
The testing of the plan should be scheduled.
The plan should be tested before an actual security incident occurs.
It's important to document the outcome after testing the plan. Look for any areas that need improvement and test again.
The SANS institute has defined the following 5 steps for Incident Response:
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
In the preparation phase, gather a list of all the company's assets. These may include network devices, servers, computers and applications.
Create a baseline by monitoring these assets and determining what is considered to be "normal" traffic flow to and from them.
Develop a communication plan which outlines who to contact if an incident should occur.
Create a plan of action for each possible security incident that can occur.
In the identification phase, professionals must be able to quickly identify a security event as it happens on a system or network.
It's important to gather as many details as possible about the security event to improve analysis of the threat.
Try to determine how the threat entered the system or network.
It's important you have security appliances and applications actively monitoring your systems and networks to identify threats as they occur in real-time.
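The baseline from the preparation phase and the real-time identification described here fit together in one piece of detection logic. The following is an added example, not code from the original notes: it builds a per-asset baseline of "normal" hourly outbound traffic from historical flow records, then flags current records that sit well above that baseline, and also flags assets that have no baseline at all (an asset that was never inventoried is itself worth a look). The flow records are constructed sample data; the asset names, the megabyte units and the mean-plus-three-standard-deviations threshold are assumptions made for the illustration.

```python
"""Added example (not part of the original notes): per-asset traffic baseline
and deviation check. Flow records, asset names and the k=3 threshold are
constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample history: (asset, hour_of_day, megabytes_out) from monitoring.
_FILESERVER = [48, 50, 52, 49, 51, 50, 47, 53]
_WORKSTATION = [2, 3, 2, 2, 3, 2, 3, 3]
HISTORY: List[Tuple[str, int, float]] = (
    [("fileserver-01", h, mb) for h, mb in enumerate(_FILESERVER, start=1)]
    + [("workstation-07", h, mb) for h, mb in enumerate(_WORKSTATION, start=1)]
)

# Constructed "current hour" records to check against the baseline.
CURRENT: List[Tuple[str, int, float]] = [
    ("fileserver-01", 9, 52),     # normal for this asset
    ("workstation-07", 9, 900),   # far above anything seen before
    ("printer-03", 9, 5),         # asset never monitored, so no baseline exists
]

Baseline = Dict[str, Tuple[float, float]]  # asset -> (mean, std deviation)


def build_baseline(records: List[Tuple[str, int, float]]) -> Baseline:
    """Mean and population standard deviation of megabytes_out per asset."""
    per_asset = defaultdict(list)
    for asset, _hour, mb in records:
        per_asset[asset].append(mb)
    return {asset: (mean(vals), pstdev(vals)) for asset, vals in per_asset.items()}


def find_anomalies(records: List[Tuple[str, int, float]], baseline: Baseline,
                   k: float = 3.0) -> List[Tuple[str, int, float, str]]:
    """Records more than k standard deviations above their asset's mean,
    plus records for assets with no baseline. Returns (asset, hour, mb, reason)."""
    hits = []
    for asset, hour, mb in records:
        if asset not in baseline:
            hits.append((asset, hour, mb, "no baseline for asset"))
            continue
        mu, sigma = baseline[asset]
        # Floor the deviation so a very steady asset does not divide by ~0 and
        # flag ordinary jitter; 5% of the mean or 1 MB, whichever is larger.
        sigma = max(sigma, 0.05 * mu, 1.0)
        z = (mb - mu) / sigma
        if z > k:
            hits.append((asset, hour, mb, f"{z:.1f} standard deviations above baseline"))
    return hits


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for asset, hour, mb, reason in find_anomalies(CURRENT, base):
        print(f"{asset} hour {hour}: {mb} MB out ({reason})")
```

A baseline built this way is only as good as the monitoring period behind it; the preparation step of deciding what "normal" looks like has to happen before the identification step can say anything about a deviation.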
When a security incident occurs, it's important that the incident (threat) be contained.
The goal of this phase is to stop the threat, such as a virus, from spreading to other systems on the network.
During the eradication phase, the objective is to remove the threat from the compromised system or network.
Ensure all compromised systems are disinfected thoroughly to ensure there are no longer any infections present on any systems within the organization.
In the recovery phase, data and applications are restored on the system.
This may include data recovery from backups.
It may also involve replacing a compromised system or re-installing the operating system and applications.
Security professionals use the lessons learned phase as an opportunity to learn from the experience of a cyber-attack.
The lessons learnt will help improve the response and actions taken by the security team in future security events.
Updating of existing procedures and documentation may also be required.
When planning for business continuity, it's important to perform regular exercises to ensure everyone is prepared.
These exercises may cost a lot of money and can be very time consuming.
A Tabletop exercise allows an organization to reduce cost and time by simply discussing a simulated disaster.
In a tabletop exercise, persons do not physically participate in a practical exercise but rather discuss what happens at each stage of the plan.
After completing a disaster recovery exercise, an after-action report is required.
The report may contain the details of each step of the methodology and any explanations of the procedures.
Include details of everything that worked smoothly and of what did not work as expected.
Having a failover site is important: in the event a disaster occurs, it's easy to migrate to the failover site.
Ensure all data is fully replicated or synchronized between the organization and the failover site.
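"Ensure all data is fully replicated" is only meaningful if it is checked, not assumed. The following is an added example, not code from the original notes: each site produces a manifest of content digests for the files it holds, and the two manifests are compared to report files missing at the failover site, files whose contents differ (a replica that fell behind), and stale files present only at the failover site. The file sets are constructed in memory; the paths and contents are assumptions, and in practice each site would hash its own files and exchange only the manifests.

```python
"""Added example (not part of the original notes): verify primary-to-failover
replication by comparing SHA-256 manifests. File sets and paths are constructed."""
import hashlib
from typing import Dict, List

# Constructed sample data: what each site currently holds (path -> contents).
PRIMARY: Dict[str, bytes] = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'acme');",
    "docs/bcp.pdf": b"business continuity plan v3",
    "app/config.yml": b"listen: 0.0.0.0:8443\n",
}
FAILOVER: Dict[str, bytes] = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'acme');",  # in sync
    "docs/bcp.pdf": b"business continuity plan v2",                     # stale copy
    "tmp/old.log": b"leftover from last failover test",                 # not on primary
    # app/config.yml never replicated
}


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Content digest per path; this is what each site would publish."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def replication_report(primary: Dict[str, str], failover: Dict[str, str]) -> Dict[str, object]:
    """Compare two manifests. in_sync is True only when every primary file is
    present at the failover site with identical contents."""
    missing: List[str] = sorted(p for p in primary if p not in failover)
    mismatched: List[str] = sorted(p for p in primary
                                   if p in failover and primary[p] != failover[p])
    extra: List[str] = sorted(p for p in failover if p not in primary)
    return {
        "missing": missing,        # must be replicated before failover is usable
        "mismatched": mismatched,  # replica lagging or corrupted; re-sync these
        "extra": extra,            # stale; harmless to a failover but worth cleaning up
        "in_sync": not (missing or mismatched),
    }


if __name__ == "__main__":
    report = replication_report(manifest(PRIMARY), manifest(FAILOVER))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Comparing digests rather than file sizes or timestamps catches the case where a replica has the right name and size but old contents, which is exactly the kind of gap that only shows up after migration if it is not checked beforehand.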
During a disaster, things may not always go as planned. It's important to alternate between different methods of achieving the same task.
This technique is useful in the event the network or devices such as printers are not available to print a receipt for a customer.
It's important to ensure proper documentation is kept for all the primary and alternate business processes before a disaster occurs.