Best Practices for Handling Microsoft Windows OS and Applications Incidents and Investigations

Handling incidents and investigations is an important discipline within security management. If incidents are handled efficiently, each one yields lessons that improve the defenses of the information system environment. To handle incidents professionally, it is crucial that the process of responding to incidents and conducting investigations be carefully thought out and planned in advance. The quality of your organization's response to incidents directly relates to the quality of its planning.

Although all organizations have different structures and needs, many goals and general procedures in the incident response process are standard. Organizations have collectively kept the practices that work and discarded the ones that have not. Here is a general list of best practices for handling incidents and investigations:

  • Harden OS and software to avoid incidents.

  • Assess computers periodically to expose vulnerabilities, using vulnerability scans and, where appropriate, penetration testing.

  • Validate business continuity plans (BCPs) and disaster recovery plans (DRPs).

  • Get full management support for a computer security incident response team (CSIRT).

  • Create a CSIRT.

  • Conduct a risk assessment to identify potential incidents that require attention first.

  • Develop an incident response plan around the six steps to handling incidents.

  • Create an incident reporting form and procedures.

  • Distribute and publicize the incident reporting form and procedures.

  • Test the incident response plan before attackers do.

  • Identify and acquire incident management software.

  • Identify and acquire incident investigation software.

  • Train key CSIRT members on proper evidence collection and handling.

These best practices are the starting point for your incident response plan. Begin with these guidelines and develop a complete plan that fits your organization, so that incident response activities are both effective and efficient.
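The last item on the list, proper evidence collection and handling, is the one most easily spoiled by an untrained responder who copies logs without recording what was taken and when. The following PowerShell script is an added example written for this page; it is not the book's own material. It exports the Windows event logs an investigation usually needs first, records a SHA-256 hash of each export in a manifest together with the case, host, collector and UTC timestamp, and then re-verifies the manifest. The case identifier, collector name and output path are assumptions; run it from an elevated prompt, and point the output at media that is kept outside the affected system.

```powershell
# Added example (not from the book): collect Windows event logs as evidence and
# record a SHA-256 manifest so the CSIRT can later prove the copies are unaltered.
# Run from an elevated PowerShell prompt. Case ID, collector and path are assumptions.
param(
    [string]$CaseId    = 'CASE-0001',        # hypothetical case identifier
    [string]$Collector = $env:USERNAME,      # whoever performs the collection
    [string]$OutRoot   = 'D:\Evidence'       # assumed external/removable drive
)

$hostName = $env:COMPUTERNAME
$stamp    = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$dest     = Join-Path $OutRoot "$CaseId\$hostName\$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Logs most investigations want first; add others (for example Sysmon) as needed.
$logs = @('Security', 'System', 'Application',
          'Microsoft-Windows-PowerShell/Operational')

$manifest = foreach ($log in $logs) {
    # Channel names can contain '/', which is not legal in a file name.
    $file = Join-Path $dest (($log -replace '[\\/]', '_') + '.evtx')
    # wevtutil epl exports the live channel to a standalone .evtx file (built-in tool).
    & wevtutil.exe epl $log $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of '$log' failed (exit code $LASTEXITCODE)"
        continue
    }
    [pscustomobject]@{
        Case         = $CaseId
        Host         = $hostName
        Collector    = $Collector
        CollectedUtc = $stamp
        Log          = $log
        File         = $file
        Bytes        = (Get-Item $file).Length
        SHA256       = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
}

# Write the manifest beside the evidence, then hash the manifest itself so that
# tampering with the manifest is as detectable as tampering with an export.
$manifestPath = Join-Path $dest 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation
(Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash |
    Set-Content -Path "$manifestPath.sha256"

# Verification step for later in the investigation: recompute every hash and
# compare it with the value recorded at collection time.
function Test-EvidenceManifest {
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $now = (Get-FileHash -Path $row.File -Algorithm SHA256).Hash
        [pscustomobject]@{ Log = $row.Log; File = $row.File; Intact = ($now -eq $row.SHA256) }
    }
}

Test-EvidenceManifest -Path $manifestPath | Format-Table -AutoSize
```

The hashes in the manifest are what let a CSIRT member testify that the exported logs analysed weeks later are the same bytes that were collected; the manifest's own hash file should be copied to a second location (or read aloud into the case notes) at collection time, because a manifest stored only next to the evidence can be rewritten by whoever can rewrite the evidence.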
