3 Keys To A Successful Incident Response Plan
Nov 1, 2007 12:00 PM, BY DONNA ROSS
Relationships
In my experience, relationships are the most critical element of incident response planning. Business partners, IT support staff and other corporate support areas are your eyes and ears to alert you to an incident that has occurred or is about to occur, and they are a key element in your response plan and strategy.
Corporate Security, Investigations and Fraud: Your investigation and security personnel are plugged in to events that are occurring 24/7 and should not be overlooked as a great resource and partner.
Legal and Privacy: Legal and privacy staff are aware of ongoing investigations, litigation, breaches and regulatory changes. Two-way communication with them can keep you abreast of the changing regulatory environment.
End-users: Users who are educated in security topics and who are given easy access to the security team to report anomalies are our greatest asset.
Business unit leaders and staff: Business associates and management understand what intellectual property and other corporate assets have value. They are aware of current and future projects and their ranking. This information determines both the timing and level of response.
Help Desk: The help desk folks are on the front line of defense in information security. They're your eyes and ears because they see most incidents first. Get to know these folks on a first name basis.
Desktop Support: Like the Help Desk staff, desktop support is out in the field, working with end-users and support staff. They understand what is going on in your organization and what symptoms an incident presents.
IT Infrastructure: Data, network and server engineers and staff are another great resource that's constantly aware of what's going on in the organization.
Planning and testing
An incident response plan should consider the following key elements:
Prevention Tools: Standards, CCTV, access controls, secure/hardened configurations, anti-virus, firewall, testing, patches, security updates, change management
Proactive Threat Monitoring: Vulnerability and penetration testing, logging and monitoring, metrics and reporting, vendor management
Incident Response Policy and Practices: Plan maintenance and testing, incident response team, post mortem and lessons learned, disaster recovery
Organizational and industry knowledge
Whether you are the chief security officer of a bank, an insurance company, a college or another organization, physical and information security officers and staff must understand the core business.
- What business is your company in?
- Who are the key players?
- What products or services do you offer?
- What are the key applications (software) in use?
- Who are your customers?
- What projects are in the pipeline?
- Who are your peers and competitors?
Donna Ross is risk and compliance manager for GMAC ResCap, where she has previously served as director of information, director of information security and manager of security and risk. Before joining GMAC, Ross worked at Prudential Insurance Company, where she held several positions, including information security manager. She has served as a member of numerous professional and charitable organizations or boards and holds certifications including the ISACA CISM and SANS GIAC Security Essentials Certification (GSEC). She is also a member of the Security Executive Council (www.csoexecutivecouncil.com/?sourceCode=access).
© 2008 Penton Media Inc.