352
A Practical Guide to Security Assessments
program. In addition, the policy should be easily accessible to all employees
so they can refer to it as necessary (for example, on a company intranet site).
Risk:
Without a documented policy, employees will potentially not know what to do in the event of a security incident. They may not follow a structured and consistent approach to incident handling. A risk exists that security incidents will not be handled properly, which can result in a range of consequences, as discussed later in this questionnaire. In addition, if no policy exists, there is no basis for enforcing the proper actions that should be taken when there is an incident.
Client Response:
2. Does the organization provide any awareness training for incident handling? Would the typical user know what to do in the event of an incident? Do personnel understand that they should report a security incident or security weakness as soon as possible to the appropriate individuals?
Guidance:
Awareness training is important considering that personnel need to react quickly if there is an incident. Employees need to have a good idea of what steps to take in the event of an incident. Note that not all personnel have to go through the same level of awareness training. The majority of personnel need to know how to report an incident and then essentially what they should not do, e.g., speak with the press, tamper with evidence. Other groups, such as managers, executives, and any other individuals identified to have a more significant role in an incident, should go through more detailed awareness training, which discusses all facets of incident handling. Ideally, incident handling should be taught as part of an orientation program for new hires. Existing employees should receive appropriate refreshers periodically (e.g., annually, every two years) depending on changes to the business and employee turnover.
Risk:
Without awareness training, personnel may not know what to do in the event of an incident. In the event of an incident, there can be several negative consequences including:
• Evidence being corrupted
• Inappropriate communication with law enforcement or the press
• Increased time in recovering from the incident
Client Response: