3 main things to consider when an incident occurs

By Jesper Erbs, Systems Engineer, Conscia

Incident response

What happens if the IT heart attack button is pressed? Do the IT personnel know what to do? Do your coworkers outside the IT organization know what to do?

I recently spent a couple of days in the hospital while my wife and newborn son were recovering from a c-section.

During our stay, I spent some time looking for minor suggestions that the hospital was prepared for handling crisis situations. I noticed there was a heart attack button in every room, and at one point, when we were visited by a nurse in our room, an alarm went off. The nurse simply stated in a calm manner ‘I will be right back’. She got up and went to the door of our room and exited quietly. Once the door was closed, I could hear her run towards the blaring alarm.

As an IT professional, I couldn’t help reflecting on the similarities between handling a medical incident and an IT incident. The first question that comes to my mind is: what happens in your IT organization when a critical IT incident occurs? Do you have a heart attack button?

If the answer to the above is yes, have you ever tested your heart attack button (…incident response)? What happens if the IT heart attack button is pressed? Do the IT personnel know what to do? Do your coworkers outside the IT organization know what to do?

Get your incident response plans out and test them. For most IT organizations, small or large, it is a good break away from the normal day-to-day projects and maintenance. If you don’t have an incident response plan, create one, or ask a partner to help you create one that fits your business.

You might ask: how do we test for a new type of attack, or for an unexpected event?

Start by figuring out what to do in the event of an incident. The nurse in our room didn’t know if she was running towards a heart attack or a kid that had pressed the heart attack button at random. She knew what to do when the alarm went off: she had to run towards the alarm, and she knew what gear to bring in case she was running towards a heart attack.

Here are a few examples to get you started:

  • Where do you meet up in case of an incident? In a meeting room or in an online meeting?
  • Who arranges the meeting, and what happens if the person who arranges the meeting is unavailable?
  • Who should meet up? Is it the same people for different IT systems?
  • Which leaders/decision-makers do you need in the room? Do you have the financial backing to shut down an entire office of 100 workers, for example? Or do you have the CXO on speed dial?
  • Do you have systems where you depend on external parties? Is there an SLA for bringing them in?

Once you have tested your incident response, reflect on what went right and what could be improved, and update your plans accordingly. In a critical incident, like a heart attack, every second counts. Ask the people involved to give feedback as well: what could have improved the reaction to the incident?

But most importantly, start by considering:

  1. Do we have an IT heart attack button? And if we do, what happens if someone presses the button?
  2. Do the right people know what to do?
  3. Do our co-workers know where the button is, or is it hidden in a dark corner of the intranet along with the incident response plans?
