Monday, January 9, 2023

Incident Management

Incident Management has the following steps:

  1. Detection - automated, using tools such as Intrusion Prevention and Detection software, anti-malware tools and automated log audits, or manual, when users notice and report anomalies.
  2. Response - engage the Computer Security Incident Response Team (CSIRT, also called CIRT). A formal engagement method should be in place. The CSIRT is trained to do what is required and will be engaged in this and the following steps.
  3. Mitigation - contain the incident, limit its impact and so on.
  4. Reporting - internal and, where required, external, e.g. a serious incident needs to be reported to the CEO, and if customer information was leaked, to the relevant authorities within a mandated time-frame.
  5. Recovery - bring the system back to a fully functional state; this may require rebuilding, patching, configuring ACLs etc.
  6. Remediation - Root Cause Analysis and taking steps to prevent a recurrence.
  7. Lessons Learned

One can use the acronym DRMRRRL (Drums Roll) if that makes it easier to remember!

