Writing an Incident Handling and Recovery Plan

1. Definitions
   1. Incidents - What constitutes an incident?
      • Classification - What type of incident has occurred? Explain each category below.
        • Loss of confidentiality of information
        • Compromise of integrity of information
        • Denial of Service
        • Misuse of Service
        • Damage to Systems
      • Priority and Urgency - Identify the response level of effort (LoE) for a given type of incident. These may be reordered to suit the organizations needs.
        • Threats to the physical safety of human beings
        • Root or system level attacks to any host or system
        • Compromise of restricted confidential service accounts or software areas
        • Denial of service attacks to infrastructure, confidential service accounts or software areas
        • Any of the above at other sites which originate from the organization’s systems
        • Large scale attacks of any kind (worms, sniffing attacks, etc)
        • Threats, harassment, or criminal offenses involving individual user accounts
        • Compromise of individual user accounts
        • Compromise of desktop systems
        • Forgery, misrepresentation, or misuse of resources
   2. Incident Response Team (IRT) - Who will respond to the incident?
      • Mission Statement - Why does the team exist and what is its purpose?
      • Roles and Members - Who should be on the team?
        • Leader - Primary coordinator and point of contact
        • Management Sponsor - Lends authority to help minimize "red tape" barriers
        • Systems Engineer - Responsible for affected systems
        • Network Engineer - Responsible for affected networks
        • Public Relations Advisory - Interfaces with the public as necessary
        • Legal Advisory - Provides advice for differing legal courses of action
2. Incident Handling Process
   • Determine if an incident has occurred - Some activities may not warrant IRT action
     • Contact the IRT Leader
     • If the IRT is to be activated, the Leader documents the discovery
   • Contain the Incident - Prevent problems with affected areas from spreading
     • Identify and isolate the area under investigation
     • Notify law enforcement personnel and legal advisory if applicable
     • Notify Public relations advisory if necessary
     • Document containment information
   • Eradicate the Incident - Put an end to whatever caused the incident
     • Gather evidence
     • Identify the source of the incident
     • Determine the full extent of the incident
     • Implement stopgap measures to eliminate any active threats
     • Update documentation with eradication information
3. Recovery Process and Follow-Up
   • Assess damages - Determine the impact of the incident to the organization
     • Identify the affected systems and networks
     • Identify the affected data
     • Identify possible courses of remediation
   • Reverse damages if possible - Minimize the costs, both tangible and intangible, associated with the incident
     • Restore affected data from backup
     • If necessary Public Relations Advisory establishes a plan to customer and public faith
   • Nullify the source of the incident - Prevent recurrence of the same incident
     • Patch any open vulnerabilities
     • Improve access restrictions to the affected areas
     • Further remediation as necessary
   • Review the Incident - Learn from the mistakes
     • Determine why the incident was able to occur
     • Determine if the appropriate safeguards are in place to prevent recurrence
     • Determine the risk level of similar incidents to other information assets
   • Review the Incident Handling Plan - Adapt and increase efficiency in the response process
     • Validate that the incident handling and response plan was appropriate
     • Modify the incident handling and response plan with new insight gained
   • Documentation - Keep tidy records, as they will almost certainly be needed again
     • Create final documentation of the incident in an appropriate level of detail
     • Perform de-briefings of the IRT, if necessary
   • Reporting - Assist others in disaster aversion
     • If necessary, report the incident to industry regulation boards
4. Incident Examples - Description of the plan in action will help all parties to fully understand the plan
   • Physical Security Breach - Describe how the plan would be applied during a physical security breach
   • External Network Breach - Describe how the plan would be applied during an external breach
   • Internal Network Misappropriation - Describe how the plan would be applied to misuse of resources
5. Appendix
   • Table of Contact Information for IRT Team members
   • Flow diagram of the incident handling process

Source: Help Net Security