Security Basics mailing list archives
RE: Incident Response Guidelines
From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Fri, 27 Dec 2002 14:33:25 -0500
After preparing numerous incident response teams and plans, may I make the following suggestions (which of course will be liked by some and not by others): Incident Response does not have to be a HUGE project. Think of it as a process and a workflow. How do I get notified, who gets notified, when do they get notified, how are things evaluated, what kind of response, what kind of reporting, am I doing this forensically (and am I trained to do so), are we preparing for LEO or not?, post mortem. This can be accomplished in less than 5-10 pages - with flowcharts. It must be easy for your people to pick up and understand immediately. If it is a 100 page manual, it is unworkable. Might I suggest, that in the WHAT KIND OF RESPONSE/HOW DO I INVESTIGATE sections, that you have separate areas that you have listed below as suggestions on how to proceed. If you right anything likethat in stone and it goes to court, that's discovery and can be used against you if you didn't follow it to the letter. So I would call those GUIDELINES or somehting similar. If you would like asample of something I've done. E-mail me offline and I will send it to you Monday. I'm leaving for the day.
-----Original Message----- From: John Smithson [mailto:why1234 () hotmail com] Sent: Friday, December 27, 2002 11:42 AM To: security-basics () security-focus com; forensics () securityfocus com Subject: Incident Response Guidelines Hello, I'm about to start huge documentation phase on creating Incident Response Guidelines / Handling - including creating the structure, creating the Incident Response Team, documenting the guidelines per incidents - such as web server hacked, DOS attack, Virus Outbreak I need your help on pointing me to few good documents / books. Obviously, I have googled, and found good info. However, I may be missing some good information that you gurus have collected over time. Please any help would be greatly appreciated. Thanks, John Smithson _________________________________________________________________ MSN 8 limited-time offer: Join now and get 3 months FREE*. http://join.msn.com/?page=dept/dialup&xAPID=42&PS=47575&PI=732
4&DI=7474&SU= http://www.hotmail.msn.com/cgi-bin/getmsg&HL=1216hotmailtaglines_newmsn8ishe re_3mf ********************************************************************** This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email. **********************************************************************
Current thread:
- Incident Response Guidelines John Smithson (Dec 27)
- Re: Incident Response Guidelines C. Henderson (Dec 30)
- Re: Incident Response Guidelines Gene (Dec 30)
- Re: Incident Response Guidelines Luis Enrique Londono (Dec 30)
- RE: Incident Response Guidelines Ayers, Diane (Dec 30)
- Re: Incident Response Guidelines frame (Dec 30)
- <Possible follow-ups>
- RE: Incident Response Guidelines Robinson, Sonja (Dec 30)
- Incident Response Guidelines John Smithson (Dec 30)
- RE: Incident Response Guidelines DeGennaro, Gregory (Dec 31)
- RE: Incident Response Guidelines Rosado, Rafael (Rafael) (Dec 31)
- RE: Incident Response Guidelines Robinson, Sonja (Dec 31)
- RE: Incident Response Guidelines Scott Schwendinger (Dec 31)