RE: Incident Response Guidelines

["Robinson, Sonja" <SRobinson () HIPUSA com>]

After preparing numerous incident response teams and plans, may I make the
following suggestions (which of course will be liked by some and not by
others):

Incident Response does not have to be a HUGE project.  Think of it as a
process and a workflow.  How do I get notified, who gets notified, when do
they get notified, how are things evaluated, what kind of response, what
kind of reporting, am I doing this forensically (and am I trained to do so),
are we preparing for LEO or not?, post mortem.  

This can be accomplished in less than 5-10 pages - with flowcharts.  It must
be easy for your people to pick up and understand immediately.  If it is a
100 page manual, it is unworkable.  Might I suggest, that in the WHAT KIND
OF RESPONSE/HOW DO I INVESTIGATE sections, that you have separate areas that
you have listed below as suggestions on how to proceed.  If you right
anything likethat in stone and it goes to court, that's discovery and can be
used against you if you didn't follow it to the letter.  So I would call
those GUIDELINES or somehting similar.  

If you would like asample of something I've done. E-mail me offline and I
will send it to you Monday.  I'm leaving for the day.

> -----Original Message-----
> From: John Smithson [mailto:why1234 () hotmail com] 
> Sent: Friday, December 27, 2002 11:42 AM
> To: security-basics () security-focus com; forensics () securityfocus com
> Subject: Incident Response Guidelines
>
>
> Hello,
>
> I'm about to start huge documentation phase on creating 
> Incident Response 
> Guidelines / Handling - including creating the structure, 
> creating the 
> Incident Response Team, documenting the guidelines per 
> incidents - such as 
> web server hacked, DOS attack, Virus Outbreak
>
> I need your help on pointing me to few good documents / 
> books.  Obviously, I 
> have googled, and found good info.  However, I may be missing 
> some good 
> information that you gurus have collected over time.
>
> Please any help would be greatly appreciated.
>
> Thanks,
>
> John Smithson
>
>
>
>
>
> _________________________________________________________________
> MSN 8 limited-time offer: Join now and get 3 months FREE*. 
> http://join.msn.com/?page=dept/dialup&xAPID=42&PS=47575&PI=732
4&DI=7474&SU= 
http://www.hotmail.msn.com/cgi-bin/getmsg&HL=1216hotmailtaglines_newmsn8ishe
re_3mf


**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or 
others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have 
received this communication in error, please notify the sender of the error immediately, do not read or use the 
communication in any manner, destroy all copies, and delete it from your system if the communication was sent via 
email. 




**********************************************************************