RE: Incident Response Guidelines

From: Robinson, Sonja (SRobinsonat_private)
Date: Fri Dec 27 2002 - 11:33:25 PST


    After preparing numerous incident response teams and plans, may I make the
    following suggestions (which of course will be liked by some and not by
    others):
    
    Incident Response does not have to be a HUGE project.  Think of it as a
    process and a workflow.  How do I get notified, who gets notified, when do
    they get notified, how are things evaluated, what kind of response, what
    kind of reporting, am I doing this forensically (and am I trained to do so),
    are we preparing for LEO or not?  Post mortem.  
    
    This can be accomplished in less than 5-10 pages - with flowcharts.  It must
    be easy for your people to pick up and understand immediately.  If it is a
    100 page manual, it is unworkable.  Might I suggest that, in the WHAT KIND
    OF RESPONSE/HOW DO I INVESTIGATE sections, you have separate areas that
    you have listed below as suggestions on how to proceed.  If you write
    anything like that in stone and it goes to court, that's discovery and can be
    used against you if you didn't follow it to the letter.  So I would call
    those GUIDELINES or something similar.  
    
    If you would like a sample of something I've done, e-mail me offline and I
    will send it to you Monday.  I'm leaving for the day.
    
    > -----Original Message-----
    > From: John Smithson [mailto:why1234at_private] 
    > Sent: Friday, December 27, 2002 11:42 AM
    > To: security-basics@security-focus.com; forensicsat_private
    > Subject: Incident Response Guidelines
    > 
    > 
    > Hello,
    > 
    > I'm about to start a huge documentation phase on creating Incident Response
    > Guidelines / Handling - including creating the structure, creating the
    > Incident Response Team, documenting the guidelines per incident - such as
    > web server hacked, DOS attack, Virus Outbreak
    > 
    > I need your help on pointing me to a few good documents / books.  Obviously, I
    > have googled, and found good info.  However, I may be missing some good
    > information that you gurus have collected over time.
    > 
    > Please, any help would be greatly appreciated.
    > 
    > Thanks,
    > 
    > John Smithson
    > 
    > 
    > 
    > 
    > 
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Dec 29 2002 - 10:47:02 PST