Incident response plans avert disaster and make breaches 'temporary inconvenience'

IT security breaches are inevitable but proper incident response can restrict a potential disaster to little more than a temporary inconvenience, according to security specialist Ross Patel.

Patel, security services director at consultancy Afentis and co-ordinator of the annual BCS Birmingham IT Security Conference, said government research showed that 74% of UK companies suffered a security incident in 2003, and firms are becoming more pessimistic about security incidents.

"The growing number of security breaches calls for a well-structured and rehearsed process for managing incidents, so that if the worst happens, steps are in place to turn what would be a major disaster into an inconvenience," Patel said.

According to Patel, security incident management has six phases: preparation, identification, containment, eradication, recovery and follow-up.

Preparation must be fully backed by senior management, who are the sponsors of the risk assessment and have ultimate responsibility for managing corporate risk.

Preparation includes developing an incident response team - a group of specialists with the necessary skills, experience and resources. The team should develop a command and control centre and formalise the process for responding to queries and incident alerts. This process must be communicated to all necessary parties. Dry runs should be carried out to test the ability to respond.
Determining that an incident has occurred is the identification part of security incident management. The incident response team leader will usually assume responsibility for the incident and the team will start by collating all available information and classifying the current and potential impact from legal, operational, financial and reputation perspectives.

The team should maintain a strict chain of custody and control of all potential evidence for possible criminal proceedings.
The containment phase aims to limit the incident's scope. The response team should assume control, quickly securing the area and infrastructure to allow a considered assessment of the risk to continuing operations. A crucial part of this stage is liaison with system owners, internal and external customers, administrators and other interested parties, ensuring that they are informed as appropriate and understand that action is being taken.
Eradication follows swiftly from containment and is geared towards identifying and mitigating the root causes of the incident.

Incident "debris" should be removed and a decision taken on whether to attempt to sanitise the affected systems or rebuild them using trusted back-ups. Any action should take into account new security countermeasures developed from lessons learnt from the incident to eliminate any residual exposure to the threat.
The recovery stage takes the systems and processes back to an operational state after their integrity has been validated.
Follow-up is vital, Patel said. It gives an opportunity to review the entire incident and identify learning points and areas of concern that can be fed back into the preparation process to enable more effective management of the next incident.

The follow-up stage involves meetings with all parties concerned with the incident to tease out what was considered successful and which areas of the activity need closer review for improvement.

A follow-up report should outline all actions taken and lessons learnt. An executive summary should be circulated to management and approved changes to the incident response strategy should be integrated into the incident management framework.

Patel said, "Incident management strategy needs investment in terms of staff and other resources, but it must be viewed as a critical measure for securing the long-term future for the business.

"A poorly thought-out strategy creates a false sense of security. When disaster strikes, it may be discovered too late, or responded to poorly. Organisations must prepare today for tomorrow's incidents."