
CHAPTER 12

Incident Response Team (IRT) Policies

No matter how well your systems and data are protected, eventually there will be an incident. That incident could be a breach of your system security, an authorized user inadvertently damaging data, or a natural disaster. It could be the result of an operating system vulnerability or any of a host of problems outside your control. No security program can be 100% effective, as much as we might wish otherwise, so it is critical to have incident response policies in place for the incidents that will inevitably occur. What is certain is that at some point most organizations will have to respond to a security incident. The speed and effectiveness of that response limit the damage and reduce the losses. When an incident occurs, an organization needs to respond quickly through a well-thought-out, documented process; an improvised response tends to be slower, to destroy evidence, and to leave the root cause in place. An effective response controls the costs and consequences of the incident.

In addition to major incidents, there is the routine response to less substantial incidents. Fortunately, responding to routine security events does not typically rise to the level of a recovery event. However, security events do have the potential to create outages (for example, isolating compromised systems during containment) that require activation of a business continuity plan. Whether that activation is due to a security event or a natural disaster, security response teams need to be aware of how recovery plans are built and executed.

Well-prepared organizations create an incident response team (IRT). This team and its supporting policies ensure that an incident is quickly identified and contained. It is also the IRT's responsibility to perform a careful analysis of the cause of the incident, because understanding the nature of an incident is what allows the organization to prevent a repeat of it. An IRT is the first responder to major security incidents within an organization, and it is not unusual for an attack to still be active when the team responds, so containment decisions must be made quickly and without destroying the evidence the later analysis depends on. To ensure the IRT members are effective at what they do, the organization needs to provide the policies, tools, and training necessary for their success before an incident occurs, not during one.

This chapter will focus on the incident response team. It will define an incident and the related policies. It will discuss how to create an IRT and the various roles and responsibilities within it. The chapter will examine the key activities performed during an incident, and it will discuss specific policies and procedures, from reporting and containing an incident to analyzing it. Additionally, this chapter will look at key aspects of, and documents related to, disaster recovery and business continuity. That coverage is high level and foundational, intended for the case in which a security incident triggers activation of a recovery plan. Finally, the chapter will review best practices and explore some case studies.
