While Under Pressure

Incident response operations are highly stressful at times. The hours can be long and the pressures immense. This section presents some guidelines that you should adopt. They are the principal keys to success.

Procedures Were Written for a Reason

Procedures can be either a roadmap or a set of guidelines. In particular, they need to govern how an incident is to be handled at a very high level, and they should be ingrained in all members of the response organization as the rules to follow during an incident. Procedures are also necessary to describe how to handle various incidents: viruses, network intrusions, denial of service, and so forth. Given that procedures are written before an incident and have been reviewed by key players (e.g., Legal), it’s imperative they be followed during an incident to ensure that approved processes are followed. This matters especially if you’re bringing a case to court, where it’s absolutely essential that computer evidence be handled in accordance with established, legally admissible procedures. Procedures must allow responders to adapt to certain situations, but such adaptations must be documented and kept to a minimum!

To illustrate, our company was once the victim of a DDoS attack from a California Internet Service Provider (ISP). We enjoyed a strong working relationship with the ISP’s Chief Technology Officer, who was more than helpful in assisting in the incident response process. Although the California company did not have a robust security ...
