10.9. Incident Response Policies

Incident response policies dictate the steps that must be followed in the event of a suspected security incident. An incident may take a number of forms, from data loss to system compromise, so it is important to perform a risk analysis to determine your possible exposures and the escalation procedures you will follow in the event of a suspected breach. The diverse nature of security incidents makes responses harder to document, but it is a lot easier once you understand where the potential risks exist.

The following occurrences may be considered as security incidents and clearly the ways in which they are handled are very different:

  • Lost or Stolen Data – If any equipment, storage media or paper documentation containing privileged, sensitive or confidential information goes missing, this should be considered a security incident (in fact the most common form thereof). Mitigating factors that would reduce the severity or level of risk would include encryption. If a thief or a corporate spy has a laptop full of company secrets but no way of retrieving them, this is clearly less of a risk. This is one advantage of token-based authentication. When a laptop is detected as lost or stolen, the token can be destroyed to ensure there is no further possibility of accessing the data.

  • Attempted Network Intrusion – Being under almost constant attack from the Internet is a fact of life. The types of attack vary but are most likely to be other compromised computers looking ...
