A major part of any organisation's IRP is the team responsible for handling incidents using the process and method outlined in section 1.2.1. Whilst it is strongly recommended that every organisation should have an IRP in place, this is not necessarily the case with an incident response team. However, each organisation should have an individual, such as the corporate security officer, who is responsible for the organisation's IRP.
There are several types of Incident Response team. These are:
1. Public resource teams: such as the Carnegie Mellon University Computer Emergency Response Team (CERT/Co-ordination Centre), which provide incident response services. The function of these organisations is to investigate, record and publish security incidents that have been reported to them. Such organisations provide an invaluable service to IT security managers, who are able to find out about the latest security incidents and what they can do to prevent them from occurring within their own organisation.
2. Internal teams: These are formed specifically for an organisation and are focused inwardly. They are funded by the organisation and their costs are usually charged out to the other business units to which they provide response services. The benefit of this type of team is that its primary function is to respond to a specific organisation's incidents; as a result it is fully aware of the organisation's security policies and procedures and is able to provide hands-on assistance and expertise where required. Whether an internal team can be implemented is very much dependent on the size of the organisation and the available funding.
3. Commercial teams: These teams work on a contract basis and therefore provide an organisation with technical, investigative and procedural expertise as and when required. Commercial teams will typically offer the following services:
- 24 x 7 on-demand incident support
- On-site personnel available on request
- Legal, forensic, technical and policy expertise
- Incident scenarios
- Fire drills: designed to test an organisation's incident response procedures
- Advisory and monitoring services.
Organisations can either use these teams to augment their own internal teams if required, or hire them on a contract basis as and when an incident occurs.
4. Vendor teams: These teams are usually contained within large product houses. Their services are usually aimed at detecting and eradicating any vulnerability found in the vendor's own products. In this instance, faults or vulnerabilities discovered in products are reported to the vendor, who then investigates the report and provides fixes (patches) to resolve the issue. Large corporations such as Microsoft and Cisco will typically have such teams in place.
The table below summarises the different teams outlined above and the advantages and disadvantages of each team:
Table 1: Incident Response Teams
The decision as to which team to choose is very much dependent on the size of the organisation and how regularly security incidents occur within it. The implementation of an internal team is often problematic, due to issues such as funding, responsibility and resourcing. Often an organisation will not have the necessary experience or resource in house to perform incident response activities. In addition, the fact that an incident response team does not generate revenue will be another source of contention when trying to obtain management buy-in. There are benefits to all of the teams mentioned above, and careful consideration must be given to which team will best meet the business needs of your organisation.
Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Customers include a range of FTSE 250 companies across the UK and Europe.
Trinity provides its customers with market-leading expertise, delivering solutions ranging from the technical, such as IDS, VPN and E-commerce, to strategic services including security policy and procedure development.