Incident handling: an orderly response to unexpected events

Computer viruses, worms, denial of service attacks, equipment failures, vandalism, theft and other unwelcome events can send your computer services staff scrambling and cause a variety of problems for your user community. Even the least of these situations can be a distraction for your staff. The most severe can provide an unscheduled opportunity to test your disaster recovery procedure! How does your organization react to these events? Do you have a clearly-defined process in place to deal with unexpected incidents that threaten the security or operation of your systems.Eastern Connecticut State University is a public liberal arts institution with an enrollment of about 5000 students. Our Information Technology Services (ITS) group has implemented a process that provides a framework for an orderly response to unexpected events. The process is an adaptation of security incident response recommendations from the National Institute of Standards and Technology, Internet Security Systems, Inc. and other resources, which have been tailored for our institutional needs. At the core of the process is the Incident Response Team, which consists of a team manager, a technical leader and other ad hoc team members, depending on the nature and severity of the event. The team concept takes advantage of institutional expertise from law enforcement, human resources, audit, public relations, facilities management, legal services and other technical resources within ITS. The team manages information gathering, analysis, recovery and administrative functions to ensure a controlled, coordinated approach to incident response.Our presentation will focus on the phases of the incident response process and the role of the Incident Response Team. Flexibility, wise use of resources, effective communications and analytical skills are contributing factors to a successful response effort. We will draw upon our own experiences in discussing communication with the user community, severity level guidelines, evidence gathering, essential documentation, and lessons learned along the way.