Incident Response Plan – How do you determine an incident?

  • Team Omega
  • March 10, 2014

A confirmed malicious finding is clearly an incident, and immediate action should be taken to contain it and minimize its effects.  Many events, however, fall into grey areas.  Every actual incident also carries legal, compliance, and other regulatory implications, which is why the decision to declare one should not be left to guesswork.

A set of written guidelines for classifying incidents, for example as major, minor, or requiring immediate action, lets the appropriate response processes and teams be set in motion without debate at the moment of discovery.  Establishing a baseline of what is normal and expected, so that abnormal activity can be recognized as such, is always a good start.

If a deviation from the norm is caused by the IT group's own planned change, an email keeping the group informed avoids the unnecessary hassle of investigating the change as if it were an attack.  For a larger change or a real incident, stakeholders should be brought into the loop immediately.  The best response, however, comes from practice: actually walking through the Incident Response Plan with the teams present, as often as needed and at least once or twice a year.  This gives stakeholders and response teams a precise picture of how to react quickly, without hunting for documents or trying to work out who should do what.  Qualified Security Assessors (QSAs) also expect to see evidence of these tabletop exercises, or records of actual incidents documenting when they occurred, what happened, and how they were handled.

Get Omega ATC's help to put an Incident Response Plan together.  A small step now can keep your business ahead of the curve in reaction time and curtail the disastrous aftermath of a breach.