How Do You Establish an Incident Response Capability?


An incident response capability is established by forming an expert team drawn from system administrators, IT security engineers, security auditors, financial auditors, public relations staff and managers, according to Sans.org. Such a team is commonly called a computer security incident response team, or CSIRT.

As stated by Sans.org, CSIRT members can hold other responsibilities and duties within the organization, provided they can immediately drop or delegate whatever they are doing when an incident occurs. Upper management has to give the CSIRT the required authority and funding, and has to help design incident response procedures and protocols in advance, so that the organization is protected as far as possible from lawsuits, financial penalties or violations of regulations and standards when it responds to an incident.

For a prompt and proper response, the CSIRT needs real-time data from intrusion detection systems, accurate log data, system and network performance data, network management data, and information about any recent or ongoing changes to any IT system within the CSIRT's purview. Log data is only useful if clocks across systems are synchronized and logs are retained centrally for long enough to reconstruct an incident. The CSIRT also needs access to historical data and logs, because they may contain previously undetected signs of an attack. In addition, CSIRT members have to be competent and experienced enough to interpret the gathered data and prepare a proper response, says Schneier.com.

