Information System Incident Response
Effective information system incident response requires proper planning and good management. Because organizations differ in size and structure, each must design its incident response plan around a detailed assessment of its information systems and business requirements. Building a proficient Incident Response Team (IRT) is a critical component of any effective Incident Response Plan. NIST SP 800-61r2 describes three team models: Centralized, Distributed, and Coordinating.
A Centralized response team is the simplest model: a single team handles every incident in the organization. This model works best in smaller organizations, or in organizations whose computing resources are not geographically dispersed. One advantage is that the team members are likely to work together already and are accustomed to one another as part of their normal daily duties. Another advantage is availability: if one member of the team is absent, another staff member can usually step in and fulfill that person's duties when an incident occurs. This comes from the overlap and cross-training that naturally occur in smaller support teams, whose members routinely cover overlapping duties as a normal course of business. The disadvantage of a centralized model is that a single team has difficulty covering several areas at once, which can delay the response when more than one incident occurs at the same time.
The Distributed response team model splits the response capability into several smaller teams, each responsible for a particular logical or physical segment of the organization. It works well for organizations spread over wide areas. Each sub-team has a designated team leader who acts as a liaison with the other teams, so that the teams operate as one coordinated entity with a consistent process and shared information. The advantage of this model is the ability of an organization to respond to multiple incidents in different areas at the same time. One disadvantage is that it relies on strict communication protocols to ensure that the teams communicate effectively. Another is that a team leader can become a single point of failure if the other members of that team have not been cross-trained to handle the team leader's duties.
The Coordinating model borrows from the distributed model but adds a central team of experienced members who advise another response team or several smaller distributed teams. The coordinating team has no authority over the other teams; its purpose is to use its experience to guide their efforts. This model works well in organizations where most of the highly experienced staff are located at a single headquarters-type location and less experienced staff work in remote locations.
Outsourcing Incident Response
Outsourcing incident response duties has advantages and disadvantages. One advantage is that it may lower overall costs, since the outsourced team deals only with actual incidents and does not administer or maintain the organization's systems, and it can be cheaper than staffing a 24/7 capability in-house. A disadvantage is that outsourcing can delay a timely, effective response, because the responders are not already located within the organization and effective response often requires a physical presence on site. An outsourced team also typically lacks the organization-specific knowledge of the environment that in-house staff have.
In-house response teams have the advantage of being on site and able to respond quickly. Another advantage is that team members are drawn from the staff who administer and repair the in-house systems and equipment every day, which gives them a deeper understanding of how those systems are built and operate. The primary disadvantage is burnout, which results from covering multiple duties and from the stress inherent in incident response work.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). NIST SP 800-61r2, Computer Security Incident Handling Guide. National Institute of Standards and Technology. Retrieved November 25, 2016, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf