Incident Handling and Response Capability: An IT Security Safeguard Part 2: Establishing the Capability

  • Written By: Catherine Woodbury, CISSP
  • Published: May 8 2002

Establishing the Capability

What are some of the steps an organization must accomplish to establish an Incident Handling and Response capability?

Most IT Security Teams realize they need an Incident Handling and Response capability. Some may already be on their way to building one internally, using an in-house expert or sending IT Security team members to a formal class. If funding allows, an outside source may be brought in to get the program running quickly and efficiently. Regardless of the means, there are three fundamental steps, each with its associated documentation, to build this capability.

Step One: Incident Handling and Response Policy

This policy contains a written description of the Incident Handling Mission Statement, the composition of the Incident Response Organization, its roles and responsibilities, and the communication plan. The Incident Response Organization covers the business support functions such as Human Resources, Customer Relations, Legal, Marketing, etc., as well as the IT functions. Defining roles establishes who owns the process, how the support functions will be enlisted during the resolution of an incident, and even which alternates fulfill those roles during absences.

Step Two: Incident Handling Procedures

Detailed documentation provides step-by-step guidance on what to do when responding to events/incidents, daily tasks for the Incident Handlers, and a procedure to follow for supporting forensics investigations. Since most organizations will not be responding to incidents on a daily basis, there is a need to appoint someone to review the security bulletins and quickly inform the IT department of any patches or fixes which apply to the organization's unique network infrastructure. The procedures should identify a task, assign a responsible individual and provide some description of the task. A communications plan provides a fluid process to notify the appropriate parties once an incident has been detected.

Step Three: Incident Handling Training

The core Incident Handling Team will for the most part consist of members with network engineering skills and some knowledge of system security. At a minimum, a basic understanding of computer security should be included in the process of standing up the Incident Handling capability. Classroom training is the preferred method, as it allows for more information sharing among various levels of expertise. For the education of those outside the core Incident Handling Team, conduct a scenario-based exercise to determine whether the Incident Handling and Response process is understood and can be realistically practiced. An exercise may also serve to educate the business functions on how and why they would be involved in responding to incidents.

This is Part 2 of a 2-part article on IT security; it details the necessary steps to establish an Incident Handling and Response capability.
Part 1 discussed the technologies and programs an organization needs to benefit from this capability.

If You Choose a Security Consulting Firm

Companies that choose a security consulting firm to establish this capability should consider the following:

  • Expertise of the consultant: ask for credentials and customer references.
  • How will the consultant conduct discovery to build the capability?
    • Will interview sessions be held, or will discovery consist only of filling in standard surveys?
    • Is the consultant knowledgeable about industry regulations and requirements?
    • Does the consultant include support functions such as HR, Marketing and Public Relations as part of the Incident Handling Team?
    • If the organization wants a more virtual Incident Handling Team, how will the consultant identify the appropriate resources and assign roles and responsibilities?
  • How useful is the documentation? Is it written to meet the customer's unique needs, or is it more of a template? For example, if an action is required, will the documentation go further and provide the organization a step-by-step process and assign responsible individuals to complete the task? If a report is required, will the procedures provide an example, or is there merely a statement to complete a report with no example given?

What is the ROI?

What is the return on investment in establishing an Incident Handling and Response capability?

Numerous sources have produced statistics on the total number of computer security incidents reported. All show a ghastly rate of increase. If the number of reported incidents is high, the expectation is that the number of unreported or undetected incidents is even higher. Even if an organization has a state-of-the-art security architecture, elements of that architecture are detective rather than preventive and cannot take action to stop an intrusion, as many hackers term it. The gap of how to react needs to be filled, and that can be accomplished by establishing an Incident Response plan.

A secondary benefit in establishing an Incident Handling and Response Team is to provide an internal focal point to monitor the overall system security status: this works hand-in-hand with the system operations function. The Incident Handling and Response Team should be the "steering committee" for the organization's security initiatives. CIOs have a plethora of vendors to choose from and many offer similar solutions. Care must be taken to ensure that the purchased solution is productive. This means it must be compatible with the company's unique network operations, and must not be so intensive to configure and monitor that it won't be maintained. The Incident Handling and Response Team can assist in making reasonable selections and recommendations based on the technology and business needs.

Keeping security incidents to a minimum is only part of the problem; keeping them from being exposed beyond those who need to know is yet another challenge. The Incident Handling and Response capability should be designed to safeguard events and incidents from being exposed internally as well as externally, and to ensure that discussion of breaches is kept to secure channels.

There isn't a concrete dollar figure to show the "Return On Investment" in establishing an Incident Response capability. As long as human intervention is part of network operations, there will always be vulnerabilities, and an Incident Response capability establishes a force to minimize the effect of system security breaches.

This concludes Part 2 of a 2-part article on IT security, which details the necessary steps to establish an Incident Handling and Response capability.

About the Author

Catherine Woodbury has more than five years' experience in network security consulting and almost 20 years total in the security field. Her experience includes working at the Air Force Intelligence Agency, where she was responsible for data analysis, critical reporting and dissemination of events related to military intelligence operations. She conducted job proficiency evaluations for personnel assigned to a 24-hour operations facility.

Woodbury has also worked as a contractor for the Defense Information Systems Agency as a member of the Regional CERT Implementation Team. The team was responsible for establishing the five Regional CERTs around the world for DISA. Since June 2000, she has been responsible for the Incident Handling and Response consulting service for AXENT Technologies and Symantec Corporation. She provides proposal development, project costing, project planning and client service delivery for the Incident Handling and Response service. Ms. Woodbury can be reached at

For more information consult the Symantec web site:
