A system administrator notices some logs are missing from a server. There were also some strange spikes in network traffic a few hours earlier. They tell you, “Something’s not right, we may have been hacked.” Your heart sinks, your palms get sweaty and your pulse begins to climb. “What do we do?” you ask.
Hopefully this never happens to you. But if it did, would you be prepared? Who would you call? What would you say? Where do you go for help? Asking these questions for the first time during an emergency is not a good idea. Having a good computer security incident response plan is critical to helping you make good decisions in times of crisis.
Think about it. First responders such as police and fire departments, EMTs, the Red Cross and the military all have disaster response plans. They also practice putting those plans into motion on a consistent basis, so that when disaster strikes, they are ready. They know who’s in charge and what their own role in the response is. They know the resources they’ll need and how to access them.
Your computer security incident response plan should be no different. There should be a well-documented plan for how your organization will respond to an information security incident. There should be a team ready to go. They should know their roles, what they need and how to get it. They should have trained with the plan and be ready to execute it on a moment’s notice.
Is your team ready? Do you know who the outside experts are should you need them? Do you know how and when to engage law enforcement? Creating a computer security incident response plan will answer these questions for you. It’s better to have a plan and never need it than to be searching for answers in the midst of a crisis.