351
Appendix J
Incident Handling
Incident handling is the process that should be followed in the event of a security
incident. Having an organized and efficient method of reacting to an incident will
help minimize its impact and facilitate its investigation. The security breach can
involve virtually any aspect of the company and can include:
• Information technology–related incidents
• Physical security–related incidents
Security breaches can vary in severity, with some having no immediate business
impact and others resulting in major outages of critical services. Some incidents
might require involvement of law enforcement or interaction with the press. As the
severity of the incident increases, companies must pay attention to such things as
ensuring that evidence is properly handled and that communication with the press
comes from a central source within the company. Without an organized and defined
way of handling incidents, the response can be as damaging as the incident itself.
This checklist will assess the client’s incident handling process. The questions
will go through the key phases of incident handling including the following:
• Classification of the incident
• Escalation
• Containment and eradication
• Recovery and post-incident analysis
• Communications with different parties — e.g., employees, press
• Involvement of law enforcement
GENERAL
1. Is there a documented incident handling policy in place? Is the policy
easily accessible for all employees?
Guidance:
The incident handling policy outlines the requirements, communicates a consistent message of how an incident should be handled, and provides a basis for enforcement of good incident handling practices. New employees should be made aware of this policy as part of an initial orientation. Incident handling should also be a part of a security awareness program. In addition, the policy should be easily accessible to all employees so they can refer to it as necessary (for example, on a company intranet site).
AU1706_book.fm Page 351 Wednesday, July 28, 2004 11:06 AM
A Practical Guide to Security Assessments
Risk:
Without a documented policy, employees will potentially not know what to do in the event of a security incident. They may not follow a structured and consistent approach to incident handling. A risk exists that security incidents will not be handled properly, which can result in a range of consequences, as discussed later in this questionnaire. In addition, if no policy exists, there is no basis for enforcing the proper actions that should be taken when there is an incident.
Client Response:
2. Does the organization provide any awareness training for incident handling? Would the typical user know what to do in the event of an incident? Do personnel understand that they should report a security incident or security weakness as soon as possible to the appropriate individuals?
Guidance:
Awareness training is important considering that personnel need to react quickly if there is an incident. Employees need to have a good idea of what steps to take in the event of an incident. Note that all personnel do not have to go through the same level of awareness training. The majority of personnel need to know how to report an incident and then essentially what they should not do, e.g., speak with the press, tamper with evidence. Other groups, such as managers, executives, and any other individuals identified to have a more significant role in an incident, should go through more detailed awareness training, which discusses all facets of incident handling. Ideally, incident handling should be taught as part of an orientation program for new hires. Existing employees should receive appropriate refreshers periodically (e.g., annually, every two years) depending on changes to the business and employee turnover.
Risk:
Without awareness training, personnel may not know what to do in the event of an incident. In the event of an incident, there can be several negative consequences including:
• Evidence being corrupted
• Inappropriate communication with law enforcement or the press
• Increased time in recovering from the incident
Client Response:
3. Does the incident handling policy document specific roles and responsibilities in reacting to a security incident?
Guidance:
Depending on the severity of the incident, the situation can become chaotic. Clear roles and responsibilities enhance a company’s ability to react in the event of an incident because personnel know what they need to do. This assumes that personnel have been given the appropriate awareness training. Some of the key responsibilities are handling the evidence, communications, reporting, and a single point of contact who is overseeing all aspects of the incident handling process.
Risk:
Without clear roles and responsibilities, a risk exists that the response to an incident will be disorganized and inappropriate — e.g., mishandled evidence, inappropriate communications with the press or law enforcement.
Client Response:
CLASSIFYING AN INCIDENT
4. If an incident handling policy is in place, does it provide guidance for
classifying the incident?
Guidance:
Once the incident is reported, the first step is classifying the incident. The classification is critical because it will dictate what actions need to be taken. If clients do not have a classification scheme, one should be developed in collaboration with employees from key departments. As a security practitioner conducting the security assessment, you can offer a standard framework that can be used as a starting point in developing a classification system. When deciding on classification, clients should think in terms of severity, which is how the incident impacts the company. Questions to guide the client in this process include:
• Does the incident affect the company’s ability to perform its core operations — i.e., does the incident affect core systems or processes?
• Will law enforcement need to become involved?
• Can any potential bad press result from the incident?
• Can the incident have legal or regulatory ramifications?
Below are some examples of different severity levels that can be used as a starting point in defining a classification system. This example is meant to generate discussion leading to a classification system tailored for the company’s environment.
• Severity 1 — High priority
  – Systems supporting core operations are affected, resulting in core operations being down for an extended period; no reasonable workarounds exist.
  – Incident results in a majority of people in the company not being able to do their jobs for an extended period.
  – Investigators will be called in to examine evidence on affected systems, so care must be taken to preserve it.
  – A system with critical or sensitive data (e.g., research and development [R&D] information, sensitive financial data) was compromised.
  – The incident results in negative publicity — e.g., credit card numbers being stolen.
• Severity 2 — Medium priority
  – Systems supporting core operations are affected, resulting in core operations being down for an extended period; reasonable workarounds can be used.
  – Support or back office operations (e.g., accounting, finance, human resources) are not functional for an extended period.
  – A specific department that does not perform core business functions is not functional for an extended period.
  – Minor theft of equipment has occurred.
  – A noncritical system was compromised.
• Severity 3 — Low priority
  – The incident has no immediate business impact.
  – A small number of individuals are affected.
  – The incident can be dealt with easily.
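The severity examples above can be turned into a repeatable triage rule so that two responders classify the same facts the same way. The following Python is an added example, not from the book; the `Incident` field names and the reason strings are my own labels for the criteria listed above, and the rule that the highest matching severity wins (with Severity 3 as the default) is an assumption the text implies but does not state.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    """Facts established about a reported incident; fields follow the severity criteria above."""
    name: str
    core_ops_down_extended: bool = False      # core operations down for an extended period
    workaround_available: bool = False        # a reasonable workaround exists for that outage
    majority_unable_to_work: bool = False     # most staff cannot do their jobs for an extended period
    evidence_for_investigators: bool = False  # investigators will examine evidence on affected systems
    sensitive_data_compromised: bool = False  # system holding R&D or sensitive financial data compromised
    negative_publicity: bool = False          # e.g. stolen card numbers becoming public
    back_office_down_extended: bool = False   # accounting, finance, HR not functional for an extended period
    noncore_department_down: bool = False     # a non-core department not functional for an extended period
    minor_equipment_theft: bool = False
    noncritical_system_compromised: bool = False


# (severity, predicate, reason) as listed in the appendix; the highest matching severity wins.
_SEVERITY_RULES = [
    (1, lambda i: i.core_ops_down_extended and not i.workaround_available,
     "core operations down for an extended period, no reasonable workaround"),
    (1, lambda i: i.majority_unable_to_work, "majority of staff unable to do their jobs"),
    (1, lambda i: i.evidence_for_investigators, "evidence on affected systems must be preserved"),
    (1, lambda i: i.sensitive_data_compromised, "critical or sensitive data compromised"),
    (1, lambda i: i.negative_publicity, "negative publicity expected"),
    (2, lambda i: i.core_ops_down_extended and i.workaround_available,
     "core operations down but a reasonable workaround exists"),
    (2, lambda i: i.back_office_down_extended, "support or back-office operations not functional"),
    (2, lambda i: i.noncore_department_down, "non-core department not functional"),
    (2, lambda i: i.minor_equipment_theft, "minor theft of equipment"),
    (2, lambda i: i.noncritical_system_compromised, "noncritical system compromised"),
]


def classify(inc: Incident) -> tuple[int, list[str]]:
    """Return (severity, reasons); reasons are those of the highest matching level only."""
    for level in (1, 2):
        reasons = [why for sev, test, why in _SEVERITY_RULES if sev == level and test(inc)]
        if reasons:
            return level, reasons
    return 3, ["no immediate business impact"]


def triage(incidents: list[Incident]) -> list[tuple[str, int]]:
    """Order a reporting queue so Severity 1 incidents are handled first (stable for ties)."""
    return [(i.name, classify(i)[0]) for i in sorted(incidents, key=lambda i: classify(i)[0])]
```

Recording the reasons alongside the level gives the post-incident review a traceable basis for why an incident was escalated the way it was.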
Risk:
Without a classification system, there is no consistent way to prioritize and react to security incidents. The risk is that the company might do too much or too little when reacting.
Client Response:
REPORTING AN INCIDENT
5. Do personnel know to whom to report an incident once they become aware
of one?
Guidance:
This is the initial part of the process of handling a security incident. Typically, personnel should report security incidents to either their direct manager or some other designated person such as a security officer, as documented in the incident handling process. It is important to note that the process should be role driven and not people driven (this is true for any procedure developed) — i.e., if people are referenced in the procedure, the procedure will require updates if that person leaves the company or changes positions. Ideally, companies should have adequate backups in these roles.
Risk:
If personnel do not know whom they should go to when reporting an incident, a risk exists that the incident will be reported too late, thereby increasing its potential impact.
Client Response:
6. Are there specific senior level positions designated with the authority to
involve law enforcement if necessary and deal with the press?
Guidance:
Dealing with law enforcement or the press can be sensitive and should be handled by qualified individuals. All personnel should understand that there is a point of contact to deal with law enforcement and the press, as there will be cases where either law enforcement or the press will approach general personnel. As part of the awareness training, general personnel should be taught how to deal with these groups. Typically, general personnel should refer them to the appropriate contacts inside the company. The key thing to remember is that personnel are speaking on behalf of the company and it is important that a consistent message be communicated. Therefore, any substantive communication should come from a central source.
Risk:
Without a controlled method of communication, inconsistent and potentially incorrect statements can be given to the public or law enforcement, which could result in embarrassment or damage to the reputation of the company.
Client Response:
7. Once an incident occurs, is there a person who is responsible for coordinating the appropriate resources to investigate the incident?
Guidance:
This question speaks to the core process of handling an incident. One effective method of handling the aftermath of a severe security incident is to have a specific role in charge of the response effort. The person in this role should have a good knowledge of the company and be able