se team is a hybrid of the virtual
and permanent models. Certain core members are permanently assigned to the team
whereas others are called in as needed.
The incident response team should have the following basic items available:
• A list of outside agencies and resources to contact or report to.
• Roles and responsibilities outlined.
• A call tree to contact these roles and outside entities.
• A list of computer or forensics experts to contact.
• Steps on how to secure and preserve evidence.
• A list of items that should be included on a report for management and
potentially the courts.
• A description of how the different systems should be treated in this type
of situation. (For example, the systems should be removed from both the
Internet and the network and powered down.)
When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure uniformity in their approach and make sure no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away. The sooner the documenting of events begins, the better. If someone is able to document the starting time of the crime, along with the company employees and resources involved, it would provide a good foundation for evidence. At this point, the company must decide if it wants to conduct its own forensics investigation or call in the big guns. If experts are going to be called in, the system that was attacked should be left alone in order to try and preserve as much evidence of the attack as possible. If the company decides to conduct its own forensics investigation, it must deal with many issues and address tricky elements. (Forensics will be discussed later in this chapter.)