
1 Effective Incident Response Presented by Greg Hedrick, Manager of Security Services Copyright...

Date post: 21-Jan-2016
Upload: ella-butler
1 Effective Incident Response Presented by Greg Hedrick, Manager of Security Services Copyright Purdue University 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Transcript
Page 1: 1 Effective Incident Response Presented by Greg Hedrick, Manager of Security Services Copyright Purdue University 2007. This work is the intellectual property.

1

Effective Incident Response

Presented by Greg Hedrick, Manager of Security Services

Copyright Purdue University 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2

Effective Incident Response

Why start a formal program?

Definition of an IT Incident

The Process

Infrastructure Requirements

Communications Channels

Notable Items

3

Why start a formal program?

Manage Communications

Proactive Opportunities

Awareness Opportunities

Regulatory Compliance

Standardize Procedures

Identify System Owners

4

Definition of an IT Incident

Purdue Policy Definition

• Any event involving University IT Resources which
  • violates Indiana state or U.S. federal law, or
  • violates regulatory requirements which Purdue is obligated to honor, or
  • violates Purdue University policies, or
  • is determined to be harmful to the security and privacy of University data, or IT Resources associated with, students, faculty, staff, and/or the general public, or
  • is construed as harassment, or
  • involves the unexpected disruption of University services.

5

The Process

6

The Process

Data Exposure Example

7

Infrastructure Requirements

People

Tools

Policy

Documented Procedures

8

Communication Channels

Secure Wiki

Policy

Presentations / Training

Trusted Community

Procedures

Mailing Lists

Monthly Reports

9

Notable Items

Clearly define “investigable” events

Dedicate staff to the process

Define “incident” carefully

Clearly define roles and responsibilities

Establish policy, procedures, training and infrastructure in parallel

Be prepared immediately for management reporting

10

Questions?

http://www.purdue.edu/securepurdue/steam/about.cfm

Greg [email protected]

