by Abbie Lundberg

Response Ability: What To Do During a Computer Security Incident

Feb 15, 2002

CIOs are often exhorted, by this publication as well as by law enforcement groups, to report network security breaches. Many organizations are reluctant to do so, for a whole host of reasons. But in the months since Sept. 11, I’ve come to realize that reluctance is not the only barrier to effective response and reporting. Many executives simply don’t understand how to respond to a computer security incident, whom to contact in the event of an incursion or what to tell them. That prompted me to launch an initiative to develop “Cyberthreat Response & Reporting Guidelines.”

An organization must respond in some way to a computer security breach; the better prepared it is to respond quickly and effectively, the better chance it will have to minimize the damage. These guidelines, developed in collaboration with industry professionals and law enforcement, are intended to provide a framework for developing a cyberthreat response and reporting capability.

The initiative has a modest goal. We restricted our recommendations to reporting incidents that are an attack on information systems or data (computer and/or Internet security). We did not attempt to address other types of cybercrime such as Internet fraud or pornography.

Creating and maintaining a secure information environment is difficult, expensive and complicated. Incident response is itself a complex subject, including the sometimes difficult decision of whether to share any information at all. There are excellent resources available to help CIOs and chief information security officers (CISOs) understand and address these challenges; you’ll find some of them listed as part of the guidelines under “Resources” at www.cio.com/research/security/response.

We believe that reporting cybercrime and network attacks is the right thing to do. Only by sharing information with law enforcement and appropriate industry groups will we be able to prosecute cybercriminals, identify new cybersecurity threats, and prevent attacks on our critical infrastructures and our economy. Law enforcement’s ability to identify coordinated efforts by cybercriminals is directly tied to the amount of reporting that takes place.

You may be reluctant to share information regarding the impact on your business and the sensitivity of the data involved in a security breach. While I won’t try to make the case for trusting specific agencies or organizations, I will encourage you to learn more about how they handle sensitive information.

My sincere thanks to the CIOs, CISOs and representatives from law enforcement who devoted time and attention to this effort (a list of contributors is included in the guidelines). During this period, they certainly had other urgent demands on their attention.