Information Technology Incident Response Teams
The Essential Roles for a Successful IRT
An IT-oriented Incident Response Team (IRT) has clearly defined roles for its employees in order to address security threats and recovery with minimum losses.
In IT, an incident response team (IRT) can be defined as “a carefully selected and well-trained group . . . whose purpose is to promptly and correctly handle an incident [germane to security] so that it can be quickly contained, investigated, and recovered from” (Borodkin 1). An effective IRT will be staffed by employees of the organization being protected. Moreover, they will be trained to interrupt their routine activities such that they can take immediate steps to address an incident. The positions that an IRT should contain will necessarily vary according to the needs of an organization. However, at minimum, three skill roles should always be on such a team:

Management is Essential

A member of an IRT should always be empowered as management to make important decisions under pressure. Without managerial heft, there is no way an IRT would be able to take decisive action to protect the organization and implement its security policy. The idea of “response” connotes meaningful action, which means management must be present. Management will ensure three key elements:
IT Staff may be Trained in Information Security

An IT-staffed IRT will be primarily an information-oriented IRT and largely concerned with data security. However, IT employees should be part of any team because, more than anyone, they are trained to negotiate different logical and software systems in order to localize problems. Additionally, IT professionals are usually trained to streamline the presentation of technical concepts for management. In order for management to make intelligent, informed decisions about incidents, the organization will need its IT department to help educate and clarify what those incidents entail. The IT staff will assess how much damage has actually been done. The IT staff will also repair the damages, review the intrusion detection systems in place, and perhaps gather what information they can as evidence should the hacker or other electronic intruder be caught.

In-house Counsel can be Extremely Helpful

Having available legal counsel is tantamount to knowing “business karate.” In other words, one hopes never to have to use it, but it sure is reassuring to know that one can handle problems as they arise. Part of the job of an IRT is information and evidence gathering. An attorney is indispensable when tracking and investigating incidents. The in-house counsel will advise the IRT on proper information gathering and liability issues. If a hacker could have had access to sensitive data, the attorney can recommend reasonable steps that would protect the organization from lawsuits, whether those suits originate with customers, vendors, or other business associates as a result of the breach.

Specialized Roles are Preferable

Ultimately, specialized roles within an IRT lead to greater employee confidence and effectiveness. In a well-trained, IT-oriented team, the manager (or acting manager) would lead a group of data security specialists backed by an attorney through all aspects of an investigation and recovery.
Prevention may also be a consideration for more broad-based teams specializing in physical and integrated security approaches as well as fault tolerant systems.

References:

Borodkin, M. (2001). Computer Incident Response Team. Retrieved March 31, 2009 from: http://www.sans.org/reading_room/whitepapers/incident/641.php
The copyright of the article Information Technology Incident Response Teams in Office/Facilities Management is owned by Michael Davis. Permission to republish Information Technology Incident Response Teams in print or online must be granted by the author in writing.