Day 1 - Preparation: Policies, Management Support, and User Awareness

Published: 2008-10-01
Last Updated: 2008-10-08 13:15:19 UTC
by Marcus Sachs (Version: 3)
1 comment(s)

October is Cyber Security Awareness Month and as we announced earlier we are going to use this month to solicit tips for proper incident handling. 

The SANS Institute teaches a six-step process:

1.  Preparation
2.  Identification
3.  Containment
4.  Eradication
5.  Recovery
6.  Lessons Learned

Preparation is the first step, and most of us know that if you are unprepared then it's nearly impossible to handle an incident property.  For the rest of this week we will focus on the elements of preparation.  To kick off the month, send us your ideas via the contact page on how you develop policies, how you engage management support, and how you raise user awareness.  We'll add the best ideas to this diary throughout the day.

Thanks and Happy Cyber Security Awareness Month!!


Craig sent us these thoughts:

I would like to suggest this:  Everyone knows an organization needs an Incident Response Plan that has management buy in, but how well written is your plan?  Do YOU have to be there for it to work?  I (being an engineer by education) do not consider myself a very good writer, so I was pleasantly surprised to hear that while I was on leave this past summer, an incident occurred and the organization was able to use the IRP totally and completely without my help.

I don't say that to brag, but it taught me something:  If I'm going to have a good impact and create something that lasts, I have to build it so it operates independently of me.  In a small org, that's one person deep at each position, it helps if policies and procedures aren't dependent on one person/position to succeed.


Handler Steve had these ideas:

I've recently had to define and create our incident response team.  We took a multitude of source media SANS (of course), NIST, CERT, and molded this into our policies and procedures for the IRT.  However, before all of that starts the first step has to be stakeholder management.  Without the right names on a piece of paper telling you can do IRT on behalf of your organisation, your as good as sunk on day 1.

So :
    1. Define who you are working for, and who you perform Incident response on behalf of, and who you don't!
    2. Work your way up the structure to find the best CxO's which cover what you define in 1, who want to sponsor your operation and educate them about incident response.
        a) get them all to sign a document  - your mission statement - which says you can perform Incident Response
        b) check out RFC 2350
        c) is important to ensure that these people are responsible for the RUN side of your IT, and not just the Information Security side. if they dont 100% align, either go higher, or get 2 to sign it.
    3. Define your policy for IR.
        The killers are:    
           -  HR policies in relation to IR
           -  Incident handling policies
           -  Information handling, so what needs to be encrypted, hows it sent, who to, and how, how long do you keep it, and how do you dispose of it when your finished
    4.  Announce yourself to the world.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: Awareness2008
1 comment(s)


Comment on Handler Steve's suggestions for formulating incident response. There are a whole lot of us (particularly in education) who are one man shops -- and many of us (like myself) who were pressed into IT / computers because we happened to know more than anyone else -- as much info / detail as can be provided would be a huge help-- im puzzling this out one incident at a time -- Nimda was my first -- YUCK!

Diary Archives