Incident response capability is essential to quickly detect incidents, minimize losses, reduce damage, mitigate exploited
Incident response services can be provided internally by security or network operators. Alternately, it may be outsourced to managed security service providers (MSSPs). An organization's computer security incident response team (CSIRT) can also provide and manage these services.
Although not compulsory, it's recommended that every organization has a computer incident response team. This aids quick recovery and ensures minimal damage from a security incident. Such a team ensures that the organization complies with legal requirements, protects its resources, and sustains business activities.
The CISO is responsible for an organization's CIRT formation and incident response management coordination. Establishing an incident response capability includes the following:
• Create an incident response policy and plan.
• Develop procedures to perform incident handling and reporting, based on the incident response policy.
• Set guidelines to communicate with outside parties regarding incidents.
• Select a team structure and staffing model.
• Establish relationships between the incident response team and other groups — both internal (for example, the legal department) and external (such as law enforcement agencies).
• Determine services to be provided by the incident response team.
• Staffing and training the incident response team.
The incident response process has several phases -- from initial preparation to post-incident analysis. The initial phase involves establishment and training of an incident response team, along with the acquisition of necessary tools and resources.
During preparation, the organization also attempts to limit the number of incidents that occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after implementation of the controls. Furthermore, no control is foolproof. So detection of security breaches is necessary to alert the organization whenever incidents occur. In keeping with the incident's severity, the organization can act to mitigate the incident's impact through containment and recovery. After adequately handling the incident, the organization issues a report that details the incident's cause and cost, as well as the steps that organizations should take to prevent future incidents.The incident response process' major phases are as follows.
• Detection and analysis - Determines whether an incident has occurred. If so, analyze the nature of such incidents, along with identification, protection of evidence, and reporting.
• Containment - To limit the incident's scope quickly and minimize the damage.
• Eradication - To remove the incident's cause.
• Recovery and follow-up, by taking steps to restore normal operation.