My experience shows that without management approval and support, creating an effective incident response team can be extremely difficult and problematic. This support must be shown in numerous ways, including the provision of resources and time to the group of officers who will act as the team for implementing the CRT. This also includes senior staff and managers and their officers committing time to participate in this planning process; their input is essential during the design effort.
It is important to know management's expectations and perceptions of the CRT's function and responsibilities. Without this information, a team may be built whose services and authority are not understood or appropriately used by the rest of the group.
Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CRT operations and authority for the long term. Once the team is established, how is it maintained and expanded with personnel and resources? Will the role and authority of the CRT continue to be backed by management across the various constituencies or parent organization? Yes. Without this continued support the CRT's long-term success may be in jeopardy.
Step 2: Determining the CRT Development Strategic Plan
I have thought about how to manage the development of the CRT. What administrative issues must be dealt with, and what project management issues must be addressed?
- Are there specific timeframes to be met? Not as of yet. Are they realistic, and if not, can they be changed? Yes and no.
- Is there a CRT team in place? Where do the group members come from? I want to ensure that all officers are represented. Some may not be on the team for the whole project, but brought in to provide subject matter expertise and input as needed. I also want to incorporate best practices in project management, organizational behavior theory, and communications theory into my plan. If anyone has a background in these areas, I will consider having them on the team.
- How do you let the senior staff know about the development of the CRT? A memo sent from myself announcing the project and asking each officer to provide assistance in any way possible. Letting the senior staff know about the plan for a CRT in the early stages of development can help staff feel they are part of the design process.
- Once I have a team, I will record and communicate the information I am collecting, especially if the team is geographically dispersed.
Step 3: Gathering Relevant Information
The CRT will gather information to determine the incident response needs of the group and what those needs dictate. Every night I will take a look at the types of incident activity currently being reported within your command. This helps determine not only what type of help to offer but also the types of skills and expertise the CRT staff will need. For example, if CHAT COPS has been the victim of computer virus or worm activity, I will need staff with virus experience to handle the response. I will also have virus scanning, elimination, and recovery procedures, along with the appropriate anti-virus tools. I want people with good training and documentation skills (which I will provide for you) to help develop user awareness programs as a proactive step in dealing with virus activity.
I know what to identify and what information I need to know to plan and implement the CRT. I will determine who has that information and how best to elicit it, either through general discussions or interviews or by making them part of the team.
I will meet with CRT officers to discuss not only their incident response needs, but to achieve an initial consensus on the expectations, strategic direction, definitions, and responsibilities of the CRT. My definition of what a CRT is and does may be very different from the officers' definition or the definition of another part of CHAT COPS. I will use these discussions with the officers to outline and identify how each officer will need to interact with the CRT. The CRT team officers could include but are not limited to:
- managers. They need to understand what the CRT is and how it can help support CHAT COPS processes. Agreements must be made concerning the CRT's authority over the CHAT COPS group and who will make decisions if critical systems get disconnected from the network or shut down.
- representatives from CHAT COPS. How do the senior staff and the CRT interact? What actions are taken by senior staff and what actions are taken by CRT members during response operations? The CRT must have easy access to network and system logs for analysis purposes (we can get these from MSN). The CRT must be able to make recommendations to improve the security of the organizational infrastructure of CHAT COPS.
- any existing MSN groups, including physical security. The CRT will need to exchange information with these groups about computer incidents and may share responsibility with them for resolving issues involving computer or data theft.
- CRT specialties. They can help develop threat and vulnerability assessments, along with encouraging computer security best practices across the CHAT COPS organization.
- general representatives from the patrolmen. The CRT will and can provide insight into their needs and requirements.
CRT officers include anyone who will be involved in the incident-handling or notification process. I will think about who will need to be notified during different types of incidents. There are officers in other parts of the CHAT COPS organization who can provide information or input to the CRT or with whom the CRT will need to share or obtain information. These may include other parts of the security departments, including any other MSN groups doing vulnerability assessments, intrusion detection, or network monitoring. Knowing what the CRT will need to do will help me identify the right people to be involved in developing the procedures.
There may also be some resources available for review that will help in my information gathering. These may include:
- MSN systems and networks
- critical system and risk assessments
- existing disaster-recovery plans
- existing guidelines for notifying the senior staff of a physical security breach
- any existing incident-response plans
- any existing security policies and procedures
Reviewing these documents serves a dual purpose: first, to identify existing resources, and second, to provide an overview of existing policies to which the CRT must adhere. As a bonus, these documents may contain text that can be adapted when developing CRT policies, procedures, or documentation. They may also include general notification lists of senior staff who must be contacted during emergencies. Such lists may be adapted for CRT work and processes.
In addition, CRT officers will investigate what similar groups are doing to provide incident handling services. I have contacts at these organizations; I will see if I can talk to them about how their team was formed. I will take a look at other CRTs' web sites and check their missions, charters, and service listings. This may give me ideas for organizing my team. I will review any books or other publications about incident handling or CRTs.
I will attend your online courses and MSN Messenger conferences that include sessions for developing incident response strategies. These venues can provide us with opportunities to exchange ideas.
Step 4: Designing My CRT Vision
As the information gathered brings to the forefront the incident response needs of the team and as we build our understanding of management expectations, we can begin to identify the key components of the CRT. This allows me to define the vision for the CRT and its goals and functions. I need both management and officer support of these goals and functions for the CRT to be successful.
It is important to achieve clear agreement on the definition and expectations for the CRT being formed. What the CRT staff thinks the team will do and what the managers and officers think the CRT will do may be completely different. A number of officers have the perception that a CRT is a "cyber cop" for CHAT COPS. While this may be true, it is not generally the main focus of a CRT. The main focus is to prevent and respond to incidents involving any perceived threat to the CHAT COPS group or chat rooms. The vision for the CRT will include a clear explanation of where these CRT functions fit into the current CHAT COPS structure and how the CRT interacts with its officers. The vision explains what benefits the CRT provides, what processes it enacts, who it coordinates with, and how it performs its response activities.
In creating my team, I will:
- identify my officers. Who does the CRT support and service?
- determine the organizational model. How is the CRT structured and organized?
- identify required resources. What staff, equipment, and infrastructure are needed to operate the CRT?
Step 5: Communicating the CRT Vision
I will communicate the CRT vision and operational plan to management, my officers, and the senior staff who need to know and understand its operations. As appropriate, I will make adjustments to the plan based on their feedback.
Communicating my vision in advance will help identify process or organizational problems before implementation. It is a way to let officers know what is coming and allow them to provide input into CRT development. This is the way I begin marketing the CRT to the CHAT COPS officers and gaining the needed input from all organizational levels.
I may receive information that was missed or not available during the information-gathering stage. I will use this information and input to make any final adjustments to the CRT organizational structure and processes.
Step 6: Beginning CRT Implementation
Once management's and the officers' input on the vision is obtained, I will begin the implementation:
- I will oversee and train the initial CRT officers.
- I will develop the initial set of CRT policies and procedures to support CRT actions.
- I will define the specifications for and build our incident-tracking system.
- I will develop incident-reporting guidelines and forms for CHAT COPS officers.
A main resource I will need for our CRT is your incident-reporting guidelines. These guidelines define how CHAT COPS officers interact with the CRT, what constitutes an incident, what types of incidents to report, who should report an incident, why an incident should be reported, the process for reporting an incident, and the process for responding to an incident. They should be clear and understandable by the officers being served.
The process for reporting an incident includes a detailed description of the mechanisms for submitting reports: phone, email, web form, or some other mechanism. It also includes details about what type of information should be included in the report.
The process for responding to an incident details how the CRT prioritizes and handles received reports. This includes how the person reporting an incident is notified of its resolution, any response timeframes that must be followed, and any other notification that occurs.
Step 7: Announcing CRT
When the CRT is operational, I will announce it broadly to the senior staff. I will include the contact information and hours of operation for the CRT in the announcement. This is an excellent time to make available the CRT incident-reporting guidelines. I may also want to develop information to publicize the CRT, such as a simple flyer or brochure outlining the CRT mission and services (this hasn't been authorized by the senior staff yet), which can be distributed with the announcement.
Step 8: Evaluating the Effectiveness of the CRT
Once the CRT has been in operation for a while, the senior staff will want to determine the effectiveness of the team and use evaluation results to improve CRT processes and ensure that the team is meeting the needs of the group. The CRT, in conjunction with the senior staff and the officers, will need to develop a mechanism to perform such an evaluation.
Information on effectiveness can be gathered through a variety of feedback mechanisms, including:
- general discussions with CRT members and officers
- evaluation surveys distributed to CRT officers on a periodic basis
- creation of a set of criteria or quality parameters that is then used by an audit to evaluate the team
I will review previously collected information on the state of the officers or CHAT COPS before the implementation of the team. This information can be used as a baseline in determining the effect of the CRT on the group. Information for comparison may include:
- number of reported incidents
- response time of an incident
- number of incidents successfully resolved
- information reported to the CRT about computer security issues or ongoing activity
- attentiveness to security issues within the organization
- preventative techniques and security practices in place
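The reporting guidelines (Step 6), the prioritised response process with its timeframes and reporter notification, and the effectiveness figures listed above (reported incidents, response time, incidents resolved) can be modelled together in a small incident tracker. The following Python is an added example, not part of this plan and not a CHAT COPS or MSN tool: the required report fields, the category-to-priority mapping and the first-response timeframes are assumed values chosen for illustration, and the reports it runs over are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Fields the incident-reporting guidelines require in every submission (assumed set).
REQUIRED_FIELDS = ("reporter", "channel", "category", "description", "reported_at")
# Incident category -> priority (assumed mapping; unlisted categories default to medium).
CATEGORY_PRIORITY = {"virus": "high", "account_compromise": "high",
                     "harassment": "medium", "spam": "low"}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}
# Maximum hours until the CRT's first response, per priority (assumed timeframes).
RESPONSE_SLA_HOURS = {"high": 1, "medium": 8, "low": 48}


def missing_fields(report: dict) -> list[str]:
    """Names of required fields that are absent or empty in a submitted report."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]


@dataclass
class Incident:
    id: int
    reporter: str
    channel: str
    category: str
    description: str
    reported_at: datetime
    priority: str
    acknowledged_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None
    notifications: list[str] = field(default_factory=list)


class IncidentTracker:
    def __init__(self) -> None:
        self._incidents: dict[int, Incident] = {}
        self._next_id = 1

    def submit(self, report: dict) -> Incident:
        """Reject reports that violate the guidelines; otherwise prioritise and record."""
        missing = missing_fields(report)
        if missing:
            raise ValueError(f"report rejected, missing fields: {missing}")
        inc = Incident(id=self._next_id, reporter=report["reporter"],
                       channel=report["channel"], category=report["category"],
                       description=report["description"], reported_at=report["reported_at"],
                       priority=CATEGORY_PRIORITY.get(report["category"], "medium"))
        self._incidents[inc.id] = inc
        self._next_id += 1
        inc.notifications.append(f"{inc.reporter}: incident {inc.id} received")
        return inc

    def acknowledge(self, incident_id: int, at: datetime) -> None:
        """Record the CRT's first response to the report."""
        self._incidents[incident_id].acknowledged_at = at

    def resolve(self, incident_id: int, at: datetime) -> None:
        """Close the incident and notify the person who reported it."""
        inc = self._incidents[incident_id]
        inc.resolved_at = at
        inc.notifications.append(f"{inc.reporter}: incident {inc.id} resolved")

    def queue(self) -> list[int]:
        """Open incidents in handling order: highest priority first, then oldest first."""
        open_ = [i for i in self._incidents.values() if i.resolved_at is None]
        ordered = sorted(open_, key=lambda i: (PRIORITY_ORDER[i.priority], i.reported_at))
        return [i.id for i in ordered]

    def sla_breaches(self, now: datetime) -> list[int]:
        """Incidents whose first response came, or is still pending, after the allowed timeframe."""
        breached = []
        for inc in self._incidents.values():
            deadline = inc.reported_at + timedelta(hours=RESPONSE_SLA_HOURS[inc.priority])
            if (inc.acknowledged_at or now) > deadline:
                breached.append(inc.id)
        return breached

    def metrics(self) -> dict:
        """Figures comparable against the pre-CRT baseline: volume, response time, resolution."""
        incs = list(self._incidents.values())
        acked = [i for i in incs if i.acknowledged_at is not None]
        resolved = [i for i in incs if i.resolved_at is not None]
        mean_hours = (sum((i.acknowledged_at - i.reported_at).total_seconds() for i in acked)
                      / len(acked) / 3600) if acked else None
        return {"reported": len(incs), "resolved": len(resolved),
                "mean_response_hours": mean_hours,
                "resolution_rate": len(resolved) / len(incs) if incs else None}


def demo_summary() -> dict:
    """Run the tracker over constructed sample reports and evaluate it nine hours later."""
    t0 = datetime(2004, 3, 1, 20, 0)
    tracker = IncidentTracker()
    tracker.submit({"reporter": "officer_a", "channel": "#teen-chat", "category": "spam",
                    "description": "repeated advert floods", "reported_at": t0})
    tracker.submit({"reporter": "officer_b", "channel": "#general", "category": "virus",
                    "description": "worm link spread by a user",
                    "reported_at": t0 + timedelta(minutes=10)})
    tracker.submit({"reporter": "officer_c", "channel": "#general", "category": "harassment",
                    "description": "user threatening others",
                    "reported_at": t0 + timedelta(minutes=20)})
    tracker.acknowledge(2, t0 + timedelta(minutes=30))           # virus: within the 1 h timeframe
    tracker.resolve(2, t0 + timedelta(hours=2))
    tracker.acknowledge(1, t0 + timedelta(hours=2, minutes=30))  # spam: well within 48 h
    return {"queue": tracker.queue(),
            "breaches": tracker.sla_breaches(t0 + timedelta(hours=9)),
            "metrics": tracker.metrics()}


if __name__ == "__main__":
    print(demo_summary())
```

In the constructed scenario the harassment report (medium priority) sits at the head of the open queue ahead of the spam report, and it is the one flagged as a breach nine hours in, because nobody acknowledged it within the assumed 8 hour window; the metrics dictionary gives the counts and mean first-response time that a later evaluation would set against the pre-CRT baseline.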
Remember that Patience Can Be a Key
The length of time it will take me to design, plan, and implement a CRT team will vary with each organizational situation. It is important to realize that it can take about 12-18 months to work out the processes and procedures, especially for a group like CHAT COPS. After the team is operational, it can take another 12-18 months to obtain a good level of trust and comfort with our group. We may show a large growth in the number of incidents reported over our first year of operation. The longer we are in operation, the more our group will understand the work we are doing and the more likely they will report to you.
This resource may provide additional insight: