ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > IT Management

Management Toolkit

Can your business respond in a crisis?

Deb Shinder Tech Republic

Published: 03 Nov 2005 12:50 GMT

...teams are also responsible for risk analysis and management before the fact, and security audit and follow-up after the fact. In some organisations, the team's responsibilities even extend to development of security tools and training other members of the organisation in security awareness.

Creating and developing the incident response team
A computer incident response team is, in many ways, patterned after other emergency response teams. Each member of the team should have a specified role and there should be a division of responsibility that's clear to all members, but it's also helpful if each is cross-trained in the tasks normally performed by others.

The team members should train together and practice their response to realistic scenarios until everyone is able to work together smoothly and quickly, without stepping on one another's toes.

Despite the "team aspect", there should be a designated line of authority, and everyone should follow that chain of command in making important decisions (such as shutting down a vital server in the middle of a busy workday). The team manager or leader should have the authority to take actions that may impact on the budget or disrupt the flow of business.

Team members should be selected based on their areas of expertise and interest. For example, a medium-sized team might have one member who is a subject matter expert in each of the following areas:

Firewall/perimeter security
Operating system security
Application security
Computer forensics
Legal
Reporting/record keeping
Recovery

Growing the team
In a small organisation, your incident response team might initially consist of one person. The function may not even be part of a title or job description; he or she has just evolved into the one everyone calls if there's a security incident. As the organisation and the number of security incidents grows, the team can become a more formal entity, with members selected according to set criteria.

Team members are obviously selected for their technical expertise, but also for characteristics that may be less obvious, such as physical location in the organisation (giving them the ability to respond quickly) and availability/willingness to respond after hours (which is when most incidents occur).

Outsourcing the service
An alternative to creating your own in-house incident response team is to subscribe to a commercial incident response service. For a small organisation, there's an obvious advantage to this approach if you have no one on staff who has the level of expertise required. Even in a large company with a big IT staff, your team's incident response experience can't be nearly as comprehensive as that of specialised personnel who do nothing else and who respond to incidents in many different environments.

Commercial services may be especially effective in conducting forensics examinations and handling evidence so as to build a criminal or civil case in court. Hiring an incident response service may also be more cost effective than maintaining full time security experts on staff.

Finally, you may find that a service can provide more flexibility and better scalability, since the service can deploy its personnel based on the severity and scope of a particular incident.