
Computer Security Incident Response Policy

Every organization has, or claims to have, a security policy that embraces all security aspects, ranging from locks on doors to backups, passwords, firewalls, encryption, security incidents, and more. This article discusses only those aspects of best practices that apply to the security incidents at an organization's customer sites.

The computer security incident response policy (CSIRP) should be an integral part of the organization's overall security policy. The CSIRP primarily addresses the responsibilities of the CSIRT and VCSIRT in the organization's infrastructure. It should also address the following items in regard to a security incident:

  • Preparing and planning for handling an incident

  • Setting clear priorities

  • Notification of an incident

  • Identifying an incident

  • Handling an incident

  • Executing a response to an incident

  • Determining the implications of past incidents

  • Recording and preserving the analysis of past incidents and lessons learned

The primary benefits of defining and maintaining an SIRP are:

  • Recovery from loss or potential loss

  • Resource optimization within the organization, its customer, partners, or vendors, including suppliers

  • Protection of classified, sensitive, or proprietary information that belongs to the organization, its customer, partners, or vendors, including suppliers

  • Management of public relations under a security crisis that could affect the organization, its parent enterprise, its customer, partners, or vendors, including suppliers

  • Prevention of legal actions against the organization and its parent enterprise

While developing the policy, it is important to keep in perspective the information security principles defined by the International Information Security Foundation as best practices (for more information, see the GASSP entry in "References" on page 23).

Scope of the Policy

Developing and defining the scope of the policy requires careful analysis, with risks and responsibilities taken into account. This section provides a specific example of how the scope can be defined for an organization's CSIRP. It is important to note that the rest of this article, and the next article, address the essential policy aspects within this scope.

The policy typically applies to the use of enterprise-owned, hosted, rented, or leased computers or computer-based equipment, network equipment, operating systems, and application software that compose the organization's processing environment. The policy also applies to the organization's or its parent enterprise's entire family of products and services at the customer site. Further, the policy applies to the organization's, its vendors', and its partners' facilities and systems in the customer's facilities that are owned or managed by the enterprise, its vendors, suppliers, or partners. The following entities and users should be covered by this policy:

  • Full or part-time employees and contractors within the enterprise who use or access data, systems, or networks

  • Vendors who are authorized to use enterprise-owned equipment, systems, applications, or facilities

  • Authorized persons, entities, or customers who have access to the organization's or enterprise's services, facilities, systems, or applications

  • External partners that must support audit mechanisms, in compliance with the organization's or third-party agreements and legal, regulatory, or fiduciary mandates

Security Incident Response Policy Goals

The goals of the SIRP for the organization are as follows:

  • Research how an incident happened

    This is to learn how the intrusion happened, what components were affected, and what damage, if any, was caused.

  • Investigate the root cause

    To understand the root cause, involvement by more than one organization or business enterprise could be needed. Understanding the root cause could prevent future compromises.

  • Assure integrity of critical systems

    The critical systems for the enterprise are the organization's computing systems and all of the network equipment associated with the enterprise's WAN, as well as customer systems running hardware and software supported by an enterprise's organization.

  • Maintain and restore data

    Data availability is essential, so if data is stolen or corrupted intentionally, it needs to be restored as quickly as possible, while preserving any data that may be considered evidence.

  • Maintain and restore services

    The services of the organization depend on the various computer-based or computer systems and networking components. These need to be brought back online if they are shut down or not completely functional.

  • Take corrective action

    Taking corrective action ensures that the potential for recurrence is eliminated.

  • Improve the policy and processes

    To avoid future incidents, the policy and processes must be continually improved with analysis and lessons learned from past incidents.

  • Avoid negative publicity

    The appropriate enterprise resources (for example, the enterprise's legal or public relations department) should be consulted as necessary.

Breach of Policy and Enforcement

A breach of the SIRP could affect an organization's ability to prepare for and to track security compromises, penetrations, and attacks. Any person who causes the failure, disruption, or destruction of the procedures, guidelines, data, or evidence should be subject to disciplinary action at the discretion of the organization's and the enterprise's management.

Local laws and regulations differ from country to country. Therefore, CSIRTs need to be aware of the constantly changing legal framework of the environment in which they operate, and they must adapt accordingly. Before enforcement, a CSIRT should ensure that it limits its legal exposure by clearly declaring within its charter what its purpose, goals, and scope are, and what it is and is not purporting to do. Appropriate legal advisors need to review the charter and all of the procedures in use by the incident response teams.
