216 ◾ Security Strategy: From Requirements to Reality
responses are commensurate with the risks and costs associated with the incident. This varies considerably with every incident. Gaining privileged access and sharing a password with a co-worker are both unauthorized access incidents, but the former carries a much higher level of risk. The evaluation process may involve reviewing video surveillance, audit records, or other sources of information. Establishing the severity of the incident determines the resolution actions that will be taken, the timelines for those actions, and the priority given to those actions. The final task in the evaluate stage is notification. Once an incident has been confirmed and its severity established, notifications should be issued to all parties responsible for the management or execution of the response. For example:
◾ The chief security and technology officers
◾ The manager(s) responsible for the personnel, facilities, or systems involved
◾ The director of human resources when staff personnel are involved or staff safety is at risk
◾ Legal counsel when legal, regulatory, or contractual requirements are involved
◾ Customer/end-user representatives when customer data are involved
◾ The director of public relations when customer data are involved
◾ Response team members (when severity warrants it)
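The notification rules above are easy to state and easy to get wrong under pressure, so response teams often encode them so that the same incident record always produces the same distribution list. The following is an added example, not code from the book: it turns each bullet into one rule, records why each party is notified (useful in the post-incident review), and applies them to two constructed incidents that mirror the book's own contrast between sharing a password and gaining privileged access. The severity scale, the field names, and the threshold at which "severity warrants" paging the response team are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed severity scale for this example; the book does not define one.
LOW, MODERATE, HIGH, CRITICAL = 1, 2, 3, 4
# Assumed meaning of "when severity warrants it": HIGH or above pages the response team.
RESPONSE_TEAM_THRESHOLD = HIGH


@dataclass
class Incident:
    """Incident record with the attributes the notification rules depend on (field names assumed)."""
    summary: str
    severity: int
    # Organisational units whose managers own the involved personnel, facilities, or systems.
    affected_units: list[str] = field(default_factory=list)
    staff_involved: bool = False
    staff_safety_at_risk: bool = False
    legal_requirements: bool = False      # legal, regulatory, or contractual obligations in play
    customer_data_involved: bool = False


def notification_list(incident: Incident) -> list[tuple[str, str]]:
    """Return (recipient, reason) pairs; each rule corresponds to one bullet in the book's list."""
    notices: list[tuple[str, str]] = [
        ("chief security officer", "always notified once severity is established"),
        ("chief technology officer", "always notified once severity is established"),
    ]
    for unit in incident.affected_units:
        notices.append((f"manager of {unit}",
                        "responsible for involved personnel, facilities, or systems"))
    if incident.staff_involved or incident.staff_safety_at_risk:
        reason = "staff safety at risk" if incident.staff_safety_at_risk else "staff personnel involved"
        notices.append(("director of human resources", reason))
    if incident.legal_requirements:
        notices.append(("legal counsel", "legal, regulatory, or contractual requirements involved"))
    if incident.customer_data_involved:
        notices.append(("customer/end-user representatives", "customer data involved"))
        notices.append(("director of public relations", "customer data involved"))
    if incident.severity >= RESPONSE_TEAM_THRESHOLD:
        notices.append(("response team",
                        f"severity {incident.severity} meets threshold {RESPONSE_TEAM_THRESHOLD}"))
    return notices


def recipients(incident: Incident) -> list[str]:
    """Just the distribution list, in notification order."""
    return [who for who, _ in notification_list(incident)]


# Constructed sample incidents mirroring the book's two unauthorized-access cases.
PASSWORD_SHARING = Incident(
    summary="employee shared an account password with a co-worker",
    severity=LOW,
    affected_units=["finance department"],
    staff_involved=True,
)

PRIVILEGED_ACCESS = Incident(
    summary="unauthorized privileged access gained on a customer-facing database server",
    severity=CRITICAL,
    affected_units=["database operations", "customer portal"],
    legal_requirements=True,
    customer_data_involved=True,
)

if __name__ == "__main__":
    for inc in (PASSWORD_SHARING, PRIVILEGED_ACCESS):
        print(inc.summary)
        for who, why in notification_list(inc):
            print(f"  notify {who}: {why}")
```

Both incidents are "unauthorized access", yet the first yields four notices and the second eight, including legal counsel, public relations, and the response team; keeping the reason alongside each recipient is what lets the post-incident review confirm the evaluate stage was executed as written.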
The process then proceeds to the contain stage. There isn't necessarily a hard-and-fast point where this transition takes place; containment actions may occur during evaluation, especially when critical assets are involved.
The containment stage is designed to limit the scope and magnitude of an incident, especially those involving malicious activities. Not all incidents require containment; for example, a security process that fails is an incident that is already contained to a single device. A product vulnerability is another example of an incident with a fixed scope. Malicious code, on the other hand, does not have a defined scope; it can spread very rapidly, incurring massive liabilities and costs as it does. Containment procedures include actions such as:
◾ Cordoning off a facility or partitioning the network to block the spread of the malicious activity
◾ Applying additional protections to critical business assets such as locking down the data center, updating antimalware software, or adding host firewall rules
◾ Taking precautionary measures such as transporting valuable assets to another location, backing up critical business systems, and running diagnostics to verify the operational integrity of critical systems
◾ Removing compromised systems from service or monitoring them for evidence collection and investigation purposes
Once the scope of the incident has been contained, the process of repairing or eradicating the
cause of the incident can begin in earnest.
The resolve stage entails the repair or removal of the cause of the incident, for example, removing a virus from all infected systems and media. In the case of facility or IT systems, the resolve action may be as simple as revoking someone's access or as complicated as tracking, arresting, and prosecuting the attacker. The success of the resolve stage is based on preparedness: having and maintaining the tools required to repair faulty equipment or software, and eradicating malicious software or other behaviors. Once the incident has been resolved, the process transitions to the restore stage or the restorative control. Security groups that have Business Continuity and Disaster