• dissemination of serious issues to entire team verbally or via email

• a log book with permanent pages used to record ongoing activities
• each page signed by the author for the events recorded and co-signed by another individual
• old log books stored in the safe
• events or detailed investigations will be logged in a word file
• all such files will be archived in safe with a backup copy signed by the author using their private key

• plan for repair/recovery of failed tools/devices
• plan for insertion of new tools/devices/versions following successful test bed analysis and trial

• individual leaving is to pass on any relevant files or records to manager, return all keys, passes, encryption keys, HW, SW and documentation
• manager is to ensure individual's access to IPC systems and rooms is canceled, accept all relevant records, files and IPC assets and retain all security related items (keys, badges, etc.)

• The IPC needs to advertise that users are to contact either the help desk or the IPC directly when they suspect an incident has occurred
• Helpdesk and others involved in operations need to be kept informed as to IPC activities and services

• this can catch events that go below the threshold of ID systems
• if a Coordination Centre exists they can assist with this activity
 
• a successful model is to develop a healthy competitive spirit between local and secondary audit teams to see who finds the malicious events first

• Director of IPC maintains list of deliverables, active events and services and allocates resources and target dates towards these
• people, time, space, money and production tools are the critical resources
• scope of services covers the organisation itself but, if resources permit, may be extended beyond this constituency at the discretion of the CIO
• Status of any tool or product testing or trials is tracked
• Review of logs may lead to analysis and recommendations for adjustment of automated policies. Status reports may lead to re-allocation of resources, alteration of priority issues, need for more staff, etc.

• an ongoing risk is that the IPC will be a target since it competes for limited resources and can be seen to be an obstacle
• the risks of problems or issues need to be addressed as they could affect the viability of the IPC
• the IPC needs to be seen to deliver value, otherwise it will become a liability to the CIO
• The Director needs to maintain ties to other IT Directors to detect issues and mitigate them if the risk is high
• ongoing vulnerability analysis (VA) will bring the IT Directors in contact with IPC and provide opportunity to reduce the tension through cooperation
• IPC offers services and assists in delivering solutions

• wherever possible original vendor supplied CDs safely stored and used as installation medium
• network distributed software downloaded from vendor sites and original backup stored safely
• production security servers protected by firewalls which restrict incoming services
• integrity codes calculated (e.g., tripwire) for each tool and codes stored safely
• integrity checking carried out on each tool quarterly or as required
• integrity checking carried out using archived baseline file signatures
• wherever possible, alternate tools are used (i.e., vulnerability probing) to verify correctness of results

• record training taken  and apply as training (e.g. CISSP recertification) credits
• IPC staff write up an assessment of effectiveness of any training they take
• indicate any useful training materials
• store training materials in IPC library
• training materials are kept by IPC until they become outdated

• ensure team members know how to use the production tools
• maintain documentation of production tools
• have team members first use tools under guidance of more experienced person
• more experienced members review the results and activities of first few uses of tools by less experienced members

• candidates can be found in local security interest groups, Co-ops, post grads doing research, contractors

• the goals are to keep files from being corrupted or accessed by unauthorized users, to keep hardware as failure-free as possible, to keep up performance (stay operational) and to keep data safe

• backups of data from  production servers are made as they are required
• production servers do not support users, only specific applications so they do not change
• initial backups are made of the system as they go into production
• integrity checking (e.g., tripwire) is used to establish baseline file signatures for production applications and these signatures are stored in the safe
• records are kept of what was involved (loaded) onto the production systems
• original distribution media is stored in the safe
• local files on the desktop or on laptops of IPC members are backed up as they feel is required

• Director must determine a reasonable distribution of resources to deliver sufficient scope of capabilities and maturity of processes to keep the IPC a viable and valuable entity within the organisation
• Director must get the commitment of the the IPC members to strive to deliver quality services
• events, altered priorities and availability of resources will affect strict adherence to the checklists so maturity will be fluid

• each IPC member must develop their IPC-related skills by attending workshops, conferences, etc.
• CISSP certification through ISC2 (www.isc2.org) would provide a structure for maintaining recertification and thereby maintaining skills
• IPC members don't have to be certified; can simply follow the recertification criteria

• Critical assets are listed , the list is prioritized + identify those with responsibility for and authority to access each asset that needs to be recovered, under what conditions and by what means
• IPC Director has full authority and responsibility
• first priority is protective via the perimeter--maintaining or tightening perimeter controls
• work with outsourced firewall managers to get firewalls functional
• second priority is detective--need to have indications and warnings up via IDS and network mapping
• work with managers of perimeter controlled networks to get IDS engines functional
• IPC to get IDS control systems functional
• IPC to get net mapping functional
• restore any decoy hosts or tripwire capabilities
• third priority is the team's assessive and responsive capabilities which derive from the availability of technically capable people
• Director of IPC to make sure people are available
• optional automated assessment and response linking IDS to routers or firewalls can be redeployed
• establish firecall procedures that will provide operational continuity should there be a significant risk of prolonged failure or disruption. An example would be an incident that consumes the system administration staff of an organisation, thereby not allowing the day-to-day operations (the care and feeding of operational systems) to continue. A firecall could be issued to bring systems administrators from other organisations to the affected organisations to support normal operations.
• off-site operations (hot site)
• the IPC may well develop into a hot site for outsourced management of the network if it establishes its own network mapping and management view
• the IPC could relocate to alternate offices

• establish an IPC contact phone number with voice mail
• keep forms with required incident information fields by phone
• establish an IPC contact email account
• assign responsibilities for daily review of messages
• feed reported incidents into tasking and incident tracking system

• avoid revealing overt technical details
• deal only in facts--no rumours
• be aware that inflammatory statements may make your organisation a target and draw fire not only from the outside (e.g., cracker community) but also from those within the organisation that would prefer to keep a low profile in hopes that they can continue to get by with minimal security

• statistics are maintained by Helpdesk support
• IPC tracks response time from first indication of malicious code to time new signatures have been distributed
• IPC attempts to minimize the time taken to update viral signature databases on servers, desktops and email gateways

• IPC may need to use viral scanners from alternate vendors to provide wider coverage and eradication services

• work with Helpdesk Security Point of Contact (POC) to do this
• track authorities on Internet for indication of current analysis
• once analysis provides significant results that would assist users, get this info out as well

• user notification should include all users environments
• message should include link to source of new viral signature file or product non-managed users can employ

• click on thumbnail for large image of form

• most ID systems err on the side of caution and signal alarms for anything suspicious so don't overreact
• carefully analyze the event and try to understand what the ID system is telling you and whether it is a serious incident
• if you are using a network ID system that relies on passive sniffing then it may not attempt to distinguish between "outside" and "inside" because addresses could be spoofed; this means you can be seeing events from suspect activity in both directions so you need to resolve this to establish how to respond to the incident (i.e., are you under "attack" or is it someone from within your organisation "attacking" an external site)
• compare the activity to see if it is "normal" business by checking with the System Administrator or system owner(s) involved
• resolve the addresses using services such as www.arin.net/whois
• compare the activity against previous activities in the logs to see if the same source has been involved in other activities
• assess whether the activity could have compromised your systems or was contained by the existing security controls in place

The next step in assessing a security incident is to consolidate what you have found out and record this

• Is the incident a penetration attempt or a violation of the security policy? 
• Is the incident presently active? 
• What is the source of the incident? 
• Has the system been compromised? 
• Which organizations are involved? 

• Because security policy violations are committed by internal users, some delicacy is required to handle the situation since it may result in legal action. It is very important to involve senior management first then, if necessary, Legal, and Human Resources to limit the company's exposure to liability
• The IPC will inform senior management and follow Human Resources guidelines
• If the CIO so directs, the IPC will discreetly gather all necessary information and save to backup media
• a complete report will be provided to CIO who then deals with it as a management issue

1. noise level, no detected attacks 
2. unauthorized scans, sporadic attacks detected
3. coordinated hacking attempts or DoS detected 
4. successful attack(s) detected, containment, eradication and recovery necessary
5. under heavy assault, facility shutdown and firecall procedures required (see yearly Checklist) 

• report final status to those who submitted incident report (details may be vetted)
• status reported to Helpdesk if they were involved and established trouble ticket
• generalized report without sensitive details can be posted on internal security web server