I just came across this article by John Walker posted on Tripwire’s The State of Security. It outlines 10 key measures to put in place in preparation for a cyber security incident, and I think the list is pretty good. I’ve reposted the 10 items below, but you should go read the full article.
Key 1: Preparation
Always expect the worst to happen, and be prepared and have an established CSIRT (Computer Security Incident Team) structure in place, which may be mobilized in a coordinated manner.
Key 2: Processes
The time of encountering an attack is not the time to consider how you will respond to the event. Here, it is essential to have documented processes in place to guide the CSIRT through the security engagement with clear and defined robust actions.
Key 3: Skills
One very important element of the key chain is to have the right people in place who understand the ramifications and implications – people who can deliver value to the incident response process based on the technological risk.
Key 4: Tools
Have tools and response capabilities in place that may be deployed to support the security mission, along with a team who has been trained in their use.
Key 5: Communications
It is important for those larger organizations to have both internal and external communications protocols in place to ensure they may apply follow-the-sun capabilities, as well as communicate with external agencies, such as the police, when the event dictates.
Key 6: Case Management
At the core of all successful incident responses exists the ability to document a contemporaneous record of events, and to record any acquired element or artifacts that may seem to be pertinent to the case under investigation.
Key 7: Stay Legal
It is essential that the applicable laws are understood in relation to the region, or regions, which are implicated by the event – ranging from the UK with its Data Protection Act to those outsourcing domiciles which fall under other international laws and directives.
Key 8: Cyber Threat Intelligence (CTI)
When encountering any form of cyber adverse interest, it is a good practice to seek out what any potential adversaries may be saying about your brand online through the employment of CTI – this can give an organisation suffering a cyberattack an insight into the attacker’s mind and objectives.
Key 9: Digital Forensic Readiness
Remember you may need to investigate the acquired artifacts in more depth, so having an evolved Digital Forensic Readiness Capability in the CSIRT Framework should be considered an essential element.
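As an added illustration of Keys 6 and 9 (my own sketch, not code from Walker's article), the following Python keeps a contemporaneous, hash-chained case record in which every acquired artifact is registered with its SHA-256, so a later edit to the timeline or a substituted artifact copy is detectable. The case identifier, analyst names and sample bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example: a minimal tamper-evident CSIRT case record.
# Each entry carries the SHA-256 of the previous entry, so altering,
# reordering or removing an earlier entry breaks the chain.


class CaseRecord:
    def __init__(self, case_id: str):
        self.case_id = case_id   # constructed identifier, e.g. "IR-EXAMPLE-001"
        self.entries = []        # ordered timeline and artifact entries

    @staticmethod
    def _digest(entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def _append(self, entry: dict) -> dict:
        entry["seq"] = len(self.entries)
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def log_event(self, analyst: str, note: str, when=None) -> dict:
        """Key 6: record a contemporaneous timeline entry."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        return self._append({"type": "event", "time": ts, "analyst": analyst, "note": note})

    def register_artifact(self, analyst: str, name: str, data: bytes, when=None) -> dict:
        """Key 9: record an acquired artifact with its hash so later forensic
        examination can show the copy analysed is the copy acquired."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        return self._append({"type": "artifact", "time": ts, "analyst": analyst,
                             "name": name, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})

    def verify(self) -> bool:
        """Recompute every hash and link. Returns False if any entry was altered,
        reordered or removed from the middle (truncating the tail needs an
        external anchor such as a signed copy of the last hash)."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```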
Key 10: Learning
The last important element of the keys to success is to learn from past events and to adjust future rules of engagement based on past experiences.