Incident Response Pre Planning Return On Investment
I had an interesting conversation the other day with a good friend regarding the merits of having specific incident response plans for common types of incidents.  My argument was (is) that by having plans for specific types of incidents thought out in advance and pre-planned (mail server DoS for example) you can recover from the incident much faster and lessen the impact of the incident.  His counter argument was that writing all those plans and getting them approved is too much work to justify the small amount of time he says would be saved in recovery.  After all, you know what you're going to do, right?
What do you think?  Is it a small amount of time?  Does it depend on the size of the organization?  The value of the asset?  What criteria do you use to determine what specific scenarios you have written plans for?
Christopher Carboni - Handler On Duty
 
              
Comments
So the question really becomes, "what will protect against the most loss, writing out response plans for specific incidents, or just responding to the incident and using the time you would be writing out those plans to do other security activities?"
My guess is that for those companies with a small IT security staff the answer would be to "just respond".
However, if you have a system where the setup is large and complicated, it may well be worth it to have the incident response plan to quickly identify and respond to the incident.
It is a case where each system needs to have an analysis of the merits of having a specific, written response plan.
Nathan Christiansen
Sep 2nd 2009
1 decade ago
David Brodbeck
Sep 3rd 2009
1 decade ago
Jim Kelly
Sep 3rd 2009
1 decade ago
There is at least one example of a standard (the PCI-DSS requirements 12.9.1 and 12.9.5) that requires specific incident pre-planning.
Certainly, each organisation must assess the value of burning scarce resources in doing such pre-planning.
One example where it proved worthwhile is back in the early days of phishing - I was working for an organisation highly likely to be phished - so the security team sat down together and formulated a plan. We figured out what we could do, how we could do it and who needed to be involved (marketing, fraud, the e-commerce team etc). Buy-in to the plan was obtained by all (after a few tweaks of course) and when the first phishing attack hit it was handled swiftly and without fuss or major disruption. No quarrels, no fuss, just dealt with.
Don' think of it as just incident response either - it is team-building (because you are brainstorming ideas with the team), it serves as a form of internal training for younger security team members, builds communication between teams within the organisation and gets them thinking about security. And of course, not forgetting the ability to respond to an incident quickly. and to minimise the impact (isn't that why fire-fighters practice a range of firefighting and rescue techniques? Regularly?)
fosm
Sep 3rd 2009
1 decade ago
You have to assume that there will come a time when getting the computers up and running will not happen immediately. Those include a viral infection on the network that would make it impossible and other conditions like floods, severed fibers, etc.
Several Hospitals in Great Britain have had these situations occur recently and know exactly what must be done to continue work. It is also required by most US State Governments to have a plan for all systems down that works. It usually includes a lot of legwork and paper trails.
This mindset needs to be implemented in any organization, even if their primary focus is Internet-based applications. Sometimes the keyboard needs to be replaced :-)
so, in conclusion, yes you do need a recovery plan, but not the type you are thinking about!
-Al
Al Thiel or YourDataCenter.com
Sep 3rd 2009
1 decade ago
BCP/DR must be planned to be effective. Plan your work and work your plan.
Mike
Sep 4th 2009
1 decade ago