Security Basics mailing list archives

R: incident response - management approach


From: "Alessandro Bottonelli" <abottonelli () libero it>
Date: Mon, 21 Oct 2002 23:39:23 +0200



> We would like to set up a list of rules for incident response.
> We just happen to be working on a project for that.
>
> Therefore I would like to welcome any suggestions, links or articles
> on what an organisation should do after a minor, medium or major
> incident has happened in a company (not only cyber-crime)?

No links, but some pearls of wisdom :-) after six months
into the project:

 - You need a risk assessment and a policy to define what is
   a major, medium or minor incident.
 - You need to know that something has happened at all, so
   you need a monitoring activity and a monitoring team.
 - You need to be "proactive" (as you suggest), so you need
   a team that continuously tries to find vulnerabilities
   and exploits in your infrastructure and reports them
   to the organization in a structured manner.

When to contact the law enforcement agencies:

 - A matter of policies again, and of network/computer forensics
   "post mortem". High damages (whether in money or reputation)
   may be worth a report to the police; others may need just an
   internal investigation (if insiders are involved); others
   are not worth the aggravation ...

> ... Even incident response perhaps is partially a
> top management activity?

Most definitely YES! There are responses that are top management's
responsibility (think of a major bank network under attack: only
top management is in a position to decide to "pull the plug"
... ).

-- 
Alessandro Bottonelli
Axis-Net, Italy
A.Bottonelli () axis-net it
abottonelli () libero it
