Still on the subject of incident response, I was reading this article on the “Seven Steps To Follow When Data Leakage Strikes” as described by Experian’s CISO, James Christiansen. I’ve not met James but given his role and his organisation I’d certainly follow his advice on this subject. One item that particularly interested me was this one:
Offer a whistle-blower hotline or some other means for employees to confidentially report on suspicious or criminal activity that should be further investigated. Assign a code to each tipster’s name so that identities aren’t revealed. Nearly 70% of the time, insiders tip companies off to a problem, Christiansen says.
This is, in my opinion, inspired thinking and I wonder whether or not it has been successful and what sort of information has come out of it. James, if you are reading this (and according to the stats at least 3 people in America have done so today!) then let me know.
There’s some more good guidance on the CERT website at http://www.cert.org/csirts/Creating-A-CSIRT.html#1. This one begins by stating, rather obviously, that “without management approval and support, creating an effective incident response capability can be extremely difficult and problematic.” It’s an old, familiar message yet I still encounter technologists who believe that the business revolves around them and their ideas.
Finally, another interesting – if lightweight – article from Michael Gregg MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA (and also two associate degrees, a bachelors degree and a masters degree), the President of Superior Solutions. With those credentials and that company name then we’d better listen! Anyway, Michael’s article on incident response is here and I particular like item number 5. This is identification of what caused the problem in the first place. The post-event post mortem is important but I’d suggest not turning this into a witch-hunt with the objective of laying blame on individuals but to be critical of the processes behind the event occuring. The priority should be to ensure that further bad outcomes are mitigated.