Tuesday, September 29, 2009

Incident Response and the Incident Command System

Like many other professions that have a security dimension, information security professionals are (or at least, should be) trained to deal with crises. Excellent training is available from many sources, one of which is the SANS Institute's Security 504: Hacker Techniques, Exploits and Incident Handling. Since I am a mentor for 504, I feel that I am fairly comfortable with the material. One of the topics that I have found lacking in most training of which I am aware is that, while several (very useful) approaches to incident handling are discussed, not much attention is paid to how to actually organize an incident response structure.

In order to provide some more guidance to my students, I have done some research and I ended up on the FEMA site. While the Federal Emergency Management Agency is often scorned or ridiculed, they do have some interesting materials available for free.

Some background information first. FEMA's mission is "to support citizens and first responders to ensure that we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards." This definition has "government" written all over it, but there are some useful components for my purposes.

Specifically, the part where they mention "prepare for and respond to" (incidents) has relevance.

FEMA's Emergency Management Institute provides many types of study in the field of emergency management, but the one that I am most interested in is the independent self-study option. Under the Independent Study Program, some very interesting resources are made available for free; more specifically, some modules are offered that address the Incident Command System (ICS).

IS-100.a Introduction to Incident Command System is a module that introduces the concept of an incident command system. "The Incident Command System, or ICS, is a standardized, on-scene, all-hazard incident management concept. ICS allows its users to adopt an integrated organizational structure to match the complexities and demands of single or multiple incidents without being hindered by jurisdictional boundaries." It does not take much imagination to see how this concept can be applied to information security incidents, or to wider incidents that include information security aspects.

The ICS approach is based on a few common concepts. The ones that are most relevant to us are the use of common terminology and clear text, adoption of a modular organization, management by objective, reliance on an incident action plan, and maintaining a manageable span of control.

The training material discusses the roles and responsibilities of the incident commander, delegation of authority, unified command, command staff, general staff, and much more. These are all concepts that are very useful when dealing with security incidents or business continuity events.

I highly recommend taking a look at the online FEMA training offerings. They are free, include a self-assessment, and if you pass the online exam, they will even give you a pretty certificate in a PDF file. No pretty letters after your name though.
