As information security professionals, a lot of what we do revolves around the concept of an incident. Most of my time is spent trying to prevent a deviation from the norm that may cause harm to take place in the first place, but sometimes things happen and we need to respond to such an occurrence. Having the appropriate planning in place to know what you will be doing helps tremendously. All plans are subject to what happens to the real world, and those real-world events will influence the execution of the plan.

Looking closely at the planning process, three levels of planning are typically distinguished. At
the highest level, policies and directions are set. This is the
strategic level. On a more tactical level, we're talking about
architectures, response plans, configuration guidelines, frameworks,
etc. Finally, the plan gets executed at the operational level. Keeping
these three layers separate, at least conceptually, assists in keeping
an overall grasp of the situation.

In order to create plans that cover the three levels sufficiently, the information security practitioner needs to stay informed. This type of situational awareness is crucial for the successful execution of the role. Without relevant information, your strategy will be incorrect, your tactical decisions will be ill-informed and your operational decisions will be sub-optimal.

There are many sources to get relevant information. Visiting conventions and conferences, reading journals and some blogs, are among the activities from which valuable information may be obtained that can be used to form strategic direction.

Most blogs are useful to obtain input for tactical decisions, as are mailing lists, twitter, etc. Operational awareness is derived from regular log reviews, analyzing IDS alerts, as well as from some blogs and mailing lists.

All of this is captured in the graphic below and related to the incident management process as described by SANS.


The main point that I am trying to make is: stay informed. Spend sufficient time on keeping up-to-date by actively participating in social media, reading content and authoring new materials.