Page 716 - StudyBook.pdf

700    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery

             taken, and who will be responsible for investigating and dealing with problems.
             Without one, significant time may be lost trying to decide what to do and how to
             do it.
                 Incidents can be any number of adverse events affecting a network or computer
             system or violations of existing policy. They can include, but are not limited to:
             unauthorized access, denial or disruptions of service, viruses, unauthorized changes
             to systems or data, critical system failures, or attempts to breach the policies and/or
             security of an organization. Since few companies have the exact same services,
             hardware, software, and security needs, the types of incidents an organization may
             face will often vary from business to business.
                 A good incident response policy outlines who is responsible for specific tasks
             when a crisis occurs. It will include such information as:

                  ■   Who will investigate or analyze incidents to determine how they occurred
                      and what problems are faced because of them
                  ■   Which individuals or departments are to fix particular problems and
                      restore the system to a secure state
                  ■   How certain incidents are to be handled, and references to other
                      documentation

                 Including such information in the incident response policy ensures that the
             right person is assigned to a particular task. For example, if the Webmaster was
             responsible for firewall issues and the network administrator performed backups of
             data, you would assign them tasks relating to their responsibilities in the incident
             response policy. Determining who should respond and deal with specific incidents
             allows you to restore the system to a secure state more quickly and effectively.
                 Incident response policies should also provide information on how to deal with
             problems when they occur, or provide references to procedures. As mentioned
             earlier, procedures should be clearly defined so that there is no confusion as to how to
             deal with an incident. Once an incident has been dealt with, the Incident Response
             Team should determine ways to ensure the same incident will not happen again.
             Simply resolving the crisis but not changing security methods increases the
             likelihood that the same incident may occur again in the exact same manner. Taking a
             proactive approach to future incidents decreases the chance of recurring problems.










          www.syngress.com