First Responder – CompTIA Security+ SY0-401: 2.5

The first responder to a security incident has a number of important responsibilities. In this video, you’ll learn the roles of the first responder to a security event.



Your incident response policy should have a very detailed section on what you do when you’re the first responder. If you’re the person who comes across this problem, comes across this issue, what do you do? It needs to be well documented, in a lot of detail, because there are many things you can do when you first arrive on the scene.

One of the things that’s very important is to disturb the environment as little as possible. You want to be able to go back later, recreate what occurred, and find information about what was there. Normally, you would have multiple people involved. You have a phone list, you call some people, and you ask what to do with the system. You want to be careful that you don’t damage any evidence that might already be there. You then want to follow the escalation policy for your organization. Again, this is something that’s documented.
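One concrete way to avoid damaging evidence while still preserving the ability to go back and recreate what occurred is to hash every artefact before anyone touches it and keep a collection record. The script below is an added example written for this page, not material from the video or the course; the incident id, collector name, file names and log lines are all constructed placeholders. It only reads the artefacts, records SHA-256 hashes with who collected them and when, and can later re-check the manifest to show which files changed after collection.

```python
"""Added example (not from the video): a minimal first-responder evidence manifest.
Hash each artefact on arrival, record who collected it and when, and verify later.
All paths, names and log lines below are constructed for the demonstration."""

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large artefacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artefact_paths, collector, incident_id):
    """Record hash, size and modification time of each artefact, plus the
    collector and collection time. Files are read only, never written,
    so the original evidence is not disturbed."""
    entries = []
    for path in artefact_paths:
        st = os.stat(path)
        entries.append({
            "path": os.path.abspath(path),
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "incident_id": incident_id,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "artefacts": entries,
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON so it can be handed to the next person in the chain."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)


def verify_manifest(manifest):
    """Re-hash every artefact; return (path, reason) for each one that changed or vanished."""
    problems = []
    for entry in manifest["artefacts"]:
        path = entry["path"]
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((path, "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: two artefacts are collected, then one is altered afterwards."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")
    cfg_path = os.path.join(workdir, "sshd_config")
    with open(log_path, "w") as f:  # constructed log line
        f.write("Jan 10 03:12:44 host sshd[4411]: Failed password for root from 198.51.100.7\n")
    with open(cfg_path, "w") as f:  # constructed config line
        f.write("PermitRootLogin no\n")

    manifest = build_manifest([log_path, cfg_path],
                              collector="first responder (placeholder name)",
                              incident_id="IR-EXAMPLE-001")  # placeholder id
    save_manifest(manifest, os.path.join(workdir, "manifest.json"))
    clean = verify_manifest(manifest)  # untouched evidence verifies clean: []

    with open(log_path, "a") as f:  # a well-meaning "cleanup" after collection
        f.write("tampered\n")
    return {"manifest": manifest, "clean": clean, "after_change": verify_manifest(manifest)}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("after change:", result["after_change"])
```

The manifest is the record you hand to the people on the call sheet: it states what was on the system when you arrived, and anyone who later handles the evidence can re-run the verification to show nothing was altered in the meantime. In a real response the manifest would be stored somewhere other than the affected system.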

Who do you call first? If this system is one of our incredibly important systems, maybe we also bring in a director, a vice president, the CIO, or someone even higher in the organization. There should be a call sheet. You should know immediately who to communicate with, and how to get the people on site that you need to resolve these types of issues, so that you can gather as much information as possible, inform everyone who needs to know, and have what you need later on to piece together what really happened.