Risk Assessment and Incident Response

It is clear why a company should invest the resources to establish an incident response program: consider the results and impact on a corporation that suffers a disaster without having prepared for it! In other words, what level of risk is a company willing to accept on its information resources and businesses?

This is addressed through the concept of risk management: senior management conducts a cost-benefit analysis to weigh the pros and cons of implementing various security countermeasures, such as an incident response program. Risk management defines levels of risk by examining the types and probabilities of threats and vulnerabilities associated with a given organization and balances those findings against the costs associated with protecting against such potential problems. These assessments help senior management decide the level of risk they and the company are willing to accept as a result of implementing (or not implementing) specific countermeasures to potential security problems. For example, not having an incident response process may mean extended periods of downtime and confusion that could affect business operations or revenue, just as not having a properly configured firewall increases the probability of a network being compromised.

While many resources provide in-depth details of risk management, here are some points to ponder in assessing the levels of risk for enterprise information resources. Truthful answers to questions like these will help determine how robust an incident response capability is required at a given company, and thus the level of resources needed to make it happen:

  • What business processes are dependent upon the proper functioning of IT systems?

  • To what level has the company entrusted its IT staff to access these critical IT systems?

  • What is the cost to the corporation if those business processes are not available for an hour? A day? A week?

  • What is the cost to the corporation of rebuilding those business processes from scratch?

  • What would the impact be to the corporation if customer confidence was eroded when an incident was publicized in national media?

  • What resources are necessary to build an incident response program?

Although the answer to the last question varies tremendously from one company to another, this book will help in providing an informed answer. Table 1-1 shows the sharp rise in reported incidents since the CMU CERT started tracking them in 1988.

Table 1-1. CERT annual reported incidents [2]

Year     Incidents reported
1988              6
1989            132
1990            252
1991            406
1992            773
1993          1,332
1994          2,340
1995          2,412
1996          2,573
1997          2,134
1998          3,734
1999          9,858
2000         21,756
TOTAL        47,711

[2] From the Statistics section of the CERT web site at http://www.cert.org/stats/cert_stats.html.

Naturally, incident response teams must prove their usefulness over time. While much has already been done, the war is not yet over.
