Incident response policy - Essay Example

Incident response policy for Gem Infosys Incident response policy for Gem Infosys Introduction In the existing IT environment, incidents are common and appropriate measures should be taken to tackle them. When Incidents occur it proves much costly to an organization. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.There are clearly direct benefits in responding to security and other incidents. However, there might also be indirect financial benefits.

For a software company like Gem Infosys, a formal incident response plan might help win business, because it shows that you take seriously the process of good information security.This document will provide you with a recommended process and procedures to use when responding to incidents identified in a small- to medium-based network environment such as Gem Infosys. The value of forming a security incident response team with explicit team member roles is explained, as well as how to define a disaster recovery process and business continuity plan.

Development of Incident Response Team (IRT)The IRT is the focal point for dealing with computer security incidents in your environment. The team should consist of a group of people with responsibilities for dealing with any incident. The responsibilities of IRT team:Monitor systems for network breaches.Serve as a central communication point, both to receive reports of security incidents and to disseminate vital information to appropriate entities about the incident.Document and catalog network incidents.

Promote security awareness within the company to help prevent incidents from occurring in the organization.Support system and network auditing through processes such as vulnerability assessment and penetration testing.Learn about new vulnerabilities, malware, and attack strategies employed by attackers.Research new software patches.Analyze and develop new technologies for minimizing vulnerabilities and risks.Provide security consulting services.Continually hone and update current systems and procedures.

Establishing Team RolesThe IRT team consists of several key members.IRT Team Leader: The IRT must have an individual in charge of its activities. The IRT Team Leader will generally be responsible for the activities of the IRT and will coordinate reviews of its actions. This might lead to changes in polices and procedures for dealing with future incidents.IRT Incident Lead: In the event of an incident, one individual responsible for coordinating the response is assigned. The IRT Incident Lead has ownership of the particular incident or set of related security incidents.

IRT Incident Lead works as representative to the outside when an incident occursIRT Associate Members: Besides the core IRT team, you should have a number of specific individuals who handle and respond to particular incidents. Associate members will come from a variety of different departments in Gem Infosys. They should specialize in areas that are affected by security incidents but that are not dealt with directly by the core IRT. The following member can be appointed depending on the incident;IT Contact: - This member is primarily responsible for coordinating communication between the IRT Incident Lead and the rest of the IT group.

Legal Representative: - Apart from accidental virus attack, intruders may also launch attacks. Legal representative comes in to action in such incidents. This member is a lawyer who is very familiar with established incident response policies. The Legal Representative determines how to proceed during an incident with minimal legal liability and maximum ability to prosecute offenders.Public Relations Office: - Generally, this member is part of the public relations department and is responsible for protecting and promoting the image of the organization.

Management: - Depending on the particular incident, you might involve only departmental managers, or you might involve managers across the entire organization. Disaster recovery processTo be able to recover effectively from an incident, it is needed to determine how seriously the systems have been compromised. This will determine how to further avoid and minimize the risk, how to recover, how quickly and to whom that should communicate the incident.The initial steps that should be carried out in the recovery process Determine the nature of the incident (this might be different than the initial assessment suggests).

Determine the point of origin.Determine the incident is intentional or not. Was an attack is specifically directed at the organization to acquire specific information, or was it random.Identify the systems that have been compromised.Identify the files that have been accessed and determine the sensitivity of those files.To help determine the severity of the incident the following procedures should be practiced:Contact other members of the response team to inform them of the incident. Determine whether unauthorized hardware has been attached to the network or whether there are any signs of unauthorized access through the compromise of physical security controls.

Examine key groups (domain administrators, administrators, and so on) for unauthorized entries.Search for security assessment or exploitation software. Cracking utilities are often found on compromised systems during evidence gathering.Look for unauthorized processes or applications currently running or set to run using the startup folders or registry entries to identify the malware.Search for gaps in, or the absence of, system logs.Review intrusion detection system logs for signs of intrusion, which systems might have been affected, methods of attack, time and length of attack, and the overall extent of potential damage.

Compare systems to previously conducted file/system integrity checks. This enables you to identify additions, deletions, modifications, and permission and control modifications to the file system and registry. Search for sensitive data, such as credit card numbers and employee or customer data that might have been moved or hidden for future retrieval or modifications. Match the performance of suspected systems against their baseline performance levels. This of course presupposes that baselines have been created and properly updated.

By acting quickly to reduce the actual and potential effects of an attack can be a minor and a major one. 1. Protect classified and sensitive data. As part of your planning for incident response, you should clearly define which data is classified and which is sensitive. This will enable you to prioritize your responses in protecting the data.2. Protect other data, including proprietary, scientific, and managerial data. Other data in your environment might still be of great value. You should act to protect the most valuable data first before moving on to other, less useful, data.3. Protect hardware and software against attack.

 This includes protecting against loss or alteration of system files and physical damage to hardware. Where damaged systems can result in costly downtime.4. Minimize disruption of computing resources (including processes). Although uptime is very important in most environments, keeping systems up during an attack might result in greater problems later on. Business continuity planningThe BCP focuses on sustaining an organization’s business functions during and after a disruption. Three main activitiesThe recovery of the system will generally depend on the extent of the security breach.

It should be determined, whether the existing system can be restored while leaving intact as much as possible, or if it is necessary to completely rebuild the system.An incident could potentially corrupt data for many months prior to discovery. It is, therefore, very important that as part of your incident response process, you determine the duration of the incident. (File/system integrity software and intrusion detection systems can assist.) In some cases, the latest or even several prior backups might not be long enough to get to a clean state.

So regularly archive data backups in a secure off-line location are needed.When determining the damage to the organization, both direct and indirect costs should be considered. Incident damage and costs will be important evidence needed if you decide to pursue any legal action. These could include:Costs due to the loss of competitive edge from the release of proprietary or sensitive information.Labor costs to analyze the breaches, reinstall software, and recover data.Costs relating to system downtime (for example, lost employee productivity, lost sales, replacement of hardware, software, and other property).

Costs relating to repairing and possibly updating damaged or ineffective physical security measures (locks, walls, cages, and so on).Other consequential damages such as loss of reputation or customer trust.Once the documentation and recovery phases are complete, you should review the process thoroughly. Determine with your team which steps were executed successfully and which mistakes were made. In almost all cases, you will find some processes that need to be modified so you can better handle future incidents.

ConclusionIt true that, just because of the policy of the, organization the incidents can always be prevented. The purpose of this policy is to prevent and if some how it fails, then to minimize the damage as much as possible. In the case Gem Infosys having a long network downtime will always be costly since they are a software developing company. References Microsoft Coperation, (2010). Security and Updates. Retrived from http://technet.microsoft.com/en-us/library/