There are four primary responsibilities of security: Prevent, Deter, Detect, and Respond. We often focus much of our effort on prevention and detection and neglect deterrence and response. In today’s post, I want to focus on response: how security professionals should respond to incidents and what they need to have in their “toolkit” to be ready when “it” hits the fan.
“Be prepared” is the Boy Scout motto. It should also be a motto for security. We never really know when something bad will occur; it’s usually at the worst possible time (see Murphy’s Law and its corollaries). It’s crucial that security professionals are ready for it and know what to do when “it” hits. The websites linked below provide great resources to help you be prepared for anything that comes your way. They include procedures, templates, and forms that you can use in your security program so you are ready.
Security should have plans and checklists ready to use when there’s an incident, for both physical and IT incidents, so that no critical element is missed. I’ve also seen that checklists help in these situations to reduce the impact of the emotions that occur in high-stress situations.
- SANS SCORE (Security Consensus Operational Readiness Evaluation) – http://www.sans.org/score/incidentforms/
- U.S. Security Awareness – http://www.ussecurityawareness.org/highres/incident-response.html
My second law of incident response is “Don’t Panic,” which is also the first line in the Hitchhiker’s Guide to the Galaxy. It works for security as well. It’s important to respond to problems rather than react. Response is positive, while reaction is negative and is often associated with panic. We react without thinking, leading to mistakes. If you are prepared, then you’re poised to respond in a positive manner. Think even for a second before you act. Use your resources and respond.
Albert Einstein sums it up best: “You can never solve a problem on the level on which it was created.”
Please feel free to comment on your ideas and suggestions to improve incident response.