Every enterprise must be
prepared to confront an incident that threatens, may threaten or has threatened
security, privacy or the general operations of the company or its customers.
Incident Response and Crisis Handling is the area of expertise and specialty
that puts in place the processes required to prevent an incident from becoming a
crisis; an Incident Response Team (IRT) is the active operational element that
handles incidents. An IRT provides the enterprise with a measurable return on

Take control to reduce compromise and loss.

An IRT is a multifaceted, multitalented group of individuals specially trained
and equipped to respond quickly and effectively to emergencies – they provide
the first reaction to an incident. Their
immediate goal is to take control of a situation in order to contain the scope
of the compromise or breach.
respond to emergencies or incidents. Such incidents might be characterized as
any unwanted or, in some cases, unexplained behavior. An incident does not
always indicate something unwanted; it
also can be something that is merely unexplained or out of the ordinary. Response not
only acts to defend, or to fight back, or prevent further damage, but also to
discover more information or to verify facts – in essence, it is part
investigation and part education.

An alarm is not useful if nobody hears it.

If locks, checks
and balances, and other preventive measures were foolproof, incident response
would be unnecessary. Banks put
huge vault doors, time locks, and other seemingly impenetrable defenses into
their buildings, but they recognize that these measures cannot be 100%
effective. Consequently, they also install alarm systems. Alarm systems detect
when one of the defensive barriers has been
breached, but that knowledge is of little value if no one hears the alarm or, if
having heard the alarm, there is no clear response.
Establishing an Incident Response Team is a complex process that
must be given careful thought and be based on comprehensive planning. Moreover,
the IRT should be built with an enterprise-wide, cross-discipline perspective.
Specifically, the IRT must be built in coordination with the functions of
Contingency & Continuation Planning and with Disaster Recovery Planning.
When all three of these response and protection capabilities are developed
together, true Incident Management takes flight.

The overarching goal: Minimize damage and restore functions quickly.

The overarching goal of responding to an incident should always
be to prevent further damage and to restore functions to normal as expeditiously
as possible, consistent with organizational policies. A clear, written mission
and charter establishing the team is essential
to achieving this goal as well as to the clear presentation of ROI. The mission
and charter should establish why the team exists and what the organization
expects from the team. Without a clear definition of mission and an idea of what
can be expected from the team, internal cooperation and support for the team
will be difficult to obtain and even more difficult to sustain.
The makeup of the team has everything to do with how effective
and responsive it will be in an emergency. Careful selection of team members
at the outset will provide for an
effective, cohesive group with the right skills, authority, and knowledge to
properly deal with a range of known and unknown incidents.
is as important as technical knowledge.
While technical ability is essential to an effective team, this
should not be the overriding characteristic. Exceptional communications skills
are critical because, in an emergency, quick and accurate communications
internally and externally are necessary. Inaccurate communications can cause the
emergency to appear more serious than it is and therefore escalate a minor event
into a crisis.