First, you need to assemble a security incident response team (SIRT). This team will be responsible for determining whether intrusions are legitimate or false positives, determining how to escalate responses as needed, and deciding whether prosecution is viable or necessary. The team should be drawn primarily from current staff of your company. Include IT staff members, an upper management representative, a financial representative, and a human resources representative. Also, designate a person to handle public relations. Include contact information for the company’s legal counsel, and identify a local law enforcement officer to contact if the police need to be notified. Follow these steps to help plan your company SIRT:
1. List who should be included in the SIRT, and explain briefly why you selected each member. It doesn’t need to be a specific list of names, but a general guide for selection (including information such as skill sets needed, responsibilities the member is especially suited for, and so forth). For example, you might list the human resources director because she’s familiar with all employees and can handle staff notification, if needed. You might also have the HR director handle public relations. This list is intended for the company’s upper management, which will coordinate organizing the team with your guidance.
2. Plan the general agenda for the team’s first meeting. The team must select a team leader, discuss how responsibilities should be divided, and design a plan for developing, testing, and maintaining incident response procedures. (As a consultant, you can’t design these procedures. It’s an ongoing task the SIRT must do. Your job is to offer guidance.) Prepare a short list of “talking points” the team must address.
3. Instruct the SIRT leader to develop an Initial Response Checklist that includes responsible parties, contact information, and notification and escalation procedures. This checklist should be posted for employees but not available for the general public (to protect team members’ privacy). Develop a sample document the SIRT leader could use to organize this information.
Now that you have guided your company in developing an incident response strategy, you need to begin integrating it into the disaster recovery plan. At this stage of development for a company such as yours, you should also begin planning who will handle ongoing maintenance of policies and begin preparing that person or group to take over the job. Because your company is a small company, it can’t hire staff to take care of this task full-time. Someone within the company needs to take care of it.
Assume that the IT director, Jon Smith, will be handling the task of security policy and procedures maintenance. Develop a checklist of tasks he needs to do and a tentative schedule. Write a brief agenda for a meeting with him covering the key points of the disaster recovery plan maintenance, including the risk analysis cycle, security awareness training, and resources for monitoring current threats that might affect the company or its policies. Also, plan to review the policies and procedures manual with him and answer his questions, explaining how you developed each part of the manual.
After you have developed your list for upper management, the SIRT meeting agenda and talking points, the sample Incident Response Checklist, and your draft plan for ongoing maintenance, proofread all documents carefully and submit them to the instructor via the assignments tab for this project.
Students should have:
1. A list of people who should be considered for membership in the SIRT, including a brief rationale for each potential member. This list shouldn’t be a list of names; instead, it should be a list of positions internal and external to the company. It must include at least one IT member, a representative from upper management, a public relations/employee liaison, and a representative of regular employees.
2. The agenda should include provisions for selecting a team leader, specify which responsibility roles must be assigned, state how the workload must be divided, and include a point about ongoing maintenance and testing. Other topics students can include: updating, security awareness programs, on-call assignments, responsibilities and escalation procedures for regular business hours and off hours, and regular team meetings. The risk analysis cycle, updating the business continuity plan, disaster recovery plan and response procedures, and local law enforcement notification could also be important points. Students can include other items; assess them based on relevance to the design and structure.
3. The checklist should include spaces for team member name, responsibilities, contact information, and escalation procedure (brief).
SAMPLE SOLUTION
The Security Incident Response Team (SIRT) will comprise the persons listed below, who shall alert the team’s office in case of an incident. An intrusion may consist of a blockage of access controls. Insiders or outsiders may cause such blockages. The harm caused by insiders may not be as malicious as that caused by outsiders. The intended prevention may not be complete control of the system, but rather a strategy to minimize intrusion. The team will be responsible for creating, managing, and implementing plans of action for any incident that may potentially threaten the privacy, reliability, or accessibility of information in the system.
Further, team members shall aid in the development of policies and procedures for the deterrence, identification, investigation, control, and eradication of security threats. They shall also restore the information to an operational state. Team members shall also assist throughout the response process.
The team shall comprise specialists and technical experts from the company charged with the analysis, prevention, containment, identification, and eradication of security incidents. Incidents are events that could adversely affect the company’s network resources or could cause loss of, or damage to, the flow of information resources.
The team shall comprise: