18.2. Take Notes and Gather Evidence

The note-taking process should begin as soon as a problem is noticed. Because computer files can be altered or deleted by an attacker, the notes should be written on paper. The preferred method for this is a shared logbook reserved for security incidents.

It may not always be possible to use a shared logbook, especially in cases where technical staff is not onsite 24x7. A central logbook should still be maintained, and notes taken during a security incident should be transcribed to the logbook. This centralizes the process, making it easier to track down information in the future.

Logging of information is important because it demonstrates that the proper security procedures were followed. Logging is also ...
