Emergency management
You will gain more knowledge in how to handle bad situations.
Know your capabilities
One of the absolute most important aspects of getting started is to know your capabilities. You have to align expectations with management. It is important to know whether there are capabilities that need to be handled elsewhere, for example forensics or malware reverse engineering. These two examples require specialist knowledge and are somewhat expensive to maintain in a corporation, so many choose to hire in specialists for these purposes.
You might want to start by writing a good description of the capabilities that will be carried out in the event of an incident. Even if you do not have the above capabilities, in most cases you will have the ability to perform a triage. Triage is the introductory investigation, where you analyze for a set amount of time, e.g. 2-4 hours, before passing the assignment on to a third party. There are still a lot of answers you are able to find in this task.
Prepare for the worst
- What is the worst that can happen to your business?
- Which systems have log data? (cloud services, network equipment, computers, websites, etc.)
- How can you collect such data? (If you report to the police, they will ask for data that can "recreate" the scenario.)
- How can you recover data? Do you have plans in place for backup, and do the plans and the backup work?
- What tools do you want in place, and where are they gathered?
These are just some of the questions you need to ask yourself. There are many scenarios that can happen in a business. The most important thing is that you identify what is important to you, so that you can risk-assess your systems and protect them according to best practices.
Create an overview
- Define who does what in case something goes wrong. Is there a war room and a board showing who is on the task?
- Who is responsible for the incident and who communicates what is happening?
- Distribute the responsibility to those who have to collect data and, if it is a large company, appoint a data manager, so that data is stored and described correctly and with timestamps.
- What data is compromised?
- Should authorities or the police be contacted? In that case, get them on board early in the process; there may be some good advice to pick up. Here you can ask for an IT outpost from NC3 (they are located in all police districts in Denmark).
Collection of data
If you want to report the incident to the police, you should be aware that they will probably ask what data you have that covers the incident, and how it can be shared with the authorities. Here it is important that you keep a copy of the data referred to in the statement, and describe it so that those who have to look at the case know what they are looking at. Keep in mind that there are many different data sources, so describing what you can see in the data is really important for those who need to analyze it.
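The two points above about the data manager (store and describe data correctly, with timestamps) and about handing a described copy of the data to the police both come down to the same practical habit: every collected file gets a hash, a collection time in UTC, and a short description of what it is, written into a manifest that travels with the copy. The following is an added example written for this article, not a tool from the original text or from any police unit. It assumes the collected data is a set of plain files under one directory; the sample log lines, file names and the collector name are constructed for the demo.

```python
"""Build and verify an evidence manifest for collected incident data.

Added example, not from the original article. Assumptions: collected data
is a directory of plain files; the collector supplies a description per file.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

UNDESCRIBED = "UNDESCRIBED - collector must fill in"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, descriptions, collector):
    """One entry per file: relative path, hash, size, UTC collection time, description."""
    evidence_dir = Path(evidence_dir)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    files = sorted((p for p in evidence_dir.rglob("*") if p.is_file()),
                   key=lambda p: p.as_posix())
    items = []
    for path in files:
        rel = path.relative_to(evidence_dir).as_posix()
        items.append({
            "file": rel,
            "sha256": sha256_of(path),
            "size_bytes": path.stat().st_size,
            "collected_at_utc": now,
            "description": descriptions.get(rel, UNDESCRIBED),
        })
    return {"collector": collector, "created_at_utc": now, "items": items}


def undescribed(manifest):
    """Files the data manager still has to describe before the copy is handed over."""
    return [i["file"] for i in manifest["items"] if i["description"] == UNDESCRIBED]


def verify_manifest(evidence_dir, manifest):
    """Re-hash every listed file. Returns a list of problems; an empty list means intact."""
    evidence_dir = Path(evidence_dir)
    problems = []
    for item in manifest["items"]:
        path = evidence_dir / item["file"]
        if not path.is_file():
            problems.append(f"missing: {item['file']}")
        elif sha256_of(path) != item["sha256"]:
            problems.append(f"hash mismatch: {item['file']}")
    return problems


def demo():
    """Constructed sample evidence: build the manifest, verify it, then show what tampering looks like."""
    tmp = Path(tempfile.mkdtemp(prefix="evidence_"))
    (tmp / "firewall").mkdir()
    # Constructed log lines, not real traffic.
    (tmp / "firewall" / "fw.log").write_text(
        "2024-05-01T10:15:02Z deny src=198.51.100.7 dst=10.0.0.5 dport=3389\n")
    (tmp / "mail-gateway.log").write_text(
        '2024-05-01T09:58:41Z inbound from=invoice@example.net subject="Invoice 4471"\n')
    descriptions = {
        "firewall/fw.log": "Perimeter firewall syslog export, UTC timestamps, 2024-05-01",
        # mail-gateway.log deliberately left undescribed to show the check.
    }
    manifest = build_manifest(tmp, descriptions, collector="Data manager (constructed)")
    (tmp / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    intact = verify_manifest(tmp, manifest)            # [] when nothing changed
    (tmp / "firewall" / "fw.log").write_text("edited after collection\n")
    tampered = verify_manifest(tmp, manifest)          # reports the changed file
    return manifest, intact, tampered


if __name__ == "__main__":
    m, ok, bad = demo()
    print("still undescribed:", undescribed(m))
    print("before tampering:", ok)
    print("after tampering:", bad)
```

The manifest is what goes with the copy: the hashes let the receiving analyst confirm the files are the ones you collected, the UTC timestamp says when, and the description field answers the "what am I looking at" question the section raises. Running `undescribed()` before handover catches sources that were copied but never explained.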