Monday, March 5, 2007

Don't Panic!

Network World's recent article on keeping your senior management calm during an emergency rang true to me. In major security events in which I've been involved, communication with managers and senior staff was absolutely critical. In many cases, the CIO will become personally involved in an incident, and may request that you break your normal incident response practices to keep him informed. At other times, fighting rumors may take almost as much time as the incident itself does.

Dealing with incidents large and small led to a few basic observations that can help you weather the storm.

Things to do ahead of time:
1. Create a written process.
2. Establish clear lines of communication.
3. Make sure your CIO and others know when and why you will get them involved.
4. Establish who has a need to know, and how to do rumor control.
5. Make sure to have an emergency contact and communications plan.

During an incident:
1. Follow a written process.
2. Communicate early, clearly, and often.
3. Do not speculate - only communicate facts, even if the fact is "we do not know".
4. Avoid blame - the goal is to handle the incident, not to pin it on some person, department, or policy.
5. Make sure that those affected are communicated with appropriately. Observe "need to know" as appropriate, but realize that anything you release is likely to travel far more widely than anticipated.

After an incident:
1. Write up a post-incident report. Note failures in the response plan, and work to fix them.
2. Communicate with those affected and those who may be affected by similar incidents.
3. Use data from the incident to assess other risks of a similar nature.

While you're thinking about handling incidents, check out the NIST guide to handling computer security incidents.
