
Grappling with computer security incidents

By Eric J. Sinrod
April 21, 2004
USAToday.com


Information technology programs must consider how to deal with potential computer security incidents. Security threats are many, varied and often quite damaging. Incidents can include malicious code (viruses, worms, Trojan horses and so on), denial of service attacks, unauthorized access, and inappropriate computer usage.

While preventive steps can help minimize the occurrence of these types of incidents, it is not realistic to expect that all threats will be thwarted. Thus, companies should not only try to prevent security incidents; they also should develop the ability to quickly detect incidents, mitigate loss, cure the weaknesses that led to the incidents, and bring computer services back to full capability.

The National Institute of Standards and Technology recently put together a Computer Security Incident Handling Guide that provides recommendations for computer security incident handling. These recommendations certainly are worthy of consideration.

Formal incident response capability

The first recommendation is that organizations should create and operate a formal incident response capability. This capability should include: creating an incident response policy, developing procedures for incident handling and reporting, setting guidelines for communicating with outside parties about incidents, selecting a team structure and staffing model, establishing relationships between the incident response team and other internal and external groups, determining the services the incident response team is to provide, and staffing and training the incident response team.

Reducing the frequency of incidents

The next recommendation is that organizations should reduce the frequency of incidents by properly securing networks, systems and applications. The point here is that preventing problems usually is less costly and more effective than dealing with them after they take place. Thus, organizations should provide adequate resources and personnel for the incident response capability to actively maintain the security of networks, systems and applications, such that the incident response team is freed up to focus on handling serious incidents.

Communication guidelines

Because organizations need to communicate with outside parties during incident handling, the next recommendation is that organizations should predetermine communication guidelines so that only the appropriate information is shared with necessary parties. Figuring this out in advance is critical, because the handling of incidents is fast-paced, and information released inappropriately or to the wrong parties can lead to greater financial loss and disruption.

Incident detection

A plethora of indications of incidents occur daily, recorded primarily by logging and computer security software. Therefore, automation is recommended to perform the initial analysis of that data and to select events of interest for human review, with event correlation software and centralized logging as the means of automating the analysis. Of course, it is important that adequate data is collected in the first place, so that the valuable information actually reaches the software and the logs.

Written prioritization guidelines

Incident handling must be prioritized, as some incidents, obviously, are more critical than others. It is recommended that incidents be prioritized based on the criticality of the affected resources (such as Web server or user workstation), and the current and potential technical effect of the incident (like root compromise or data destruction).
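As an added illustration that is not part of the original column or of the NIST guide, the following Python correlator runs over constructed, centrally collected log lines, selects events of interest for human review, and ranks them by the two prioritization factors named above (criticality of the affected resource and the technical effect). Host names, addresses, and the numeric weights are assumed values.

```python
"""Minimal centralized-log correlator with incident prioritization (constructed example)."""
import re
from collections import defaultdict

# Constructed sample of centrally collected, syslog-style lines (hypothetical hosts and IPs).
LOG_LINES = [
    "2004-04-21T02:10:01 webserver01 sshd: Failed password for root from 203.0.113.9",
    "2004-04-21T02:10:04 webserver01 sshd: Failed password for root from 203.0.113.9",
    "2004-04-21T02:10:07 webserver01 sshd: Failed password for root from 203.0.113.9",
    "2004-04-21T02:10:09 webserver01 sshd: Accepted password for root from 203.0.113.9",
    "2004-04-21T02:11:30 workstation07 sshd: Failed password for alice from 198.51.100.4",
    "2004-04-21T02:12:00 workstation07 sshd: Accepted password for alice from 198.51.100.4",
    "2004-04-21T02:13:00 webserver01 sshd: Failed password for bob from 192.0.2.77",
]

LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# Assumed prioritization inputs: how critical each resource is, and how severe each effect is.
RESOURCE_CRITICALITY = {"webserver01": 3, "workstation07": 1}
EFFECT_WEIGHT = {"root compromise": 3, "user account compromise": 2, "failed attempts only": 1}


def correlate(lines, threshold=3):
    """Group login events by (host, user, source) and flag streams worth human review.

    A stream is selected when it shows at least `threshold` failures, or any failure
    followed later by a success. Each finding gets a priority = criticality * effect.
    """
    streams = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected format are ignored
            _ts, host, outcome, user, src = m.groups()
            streams[(host, user, src)].append(outcome)

    findings = []
    for (host, user, src), outcomes in streams.items():
        failures, success_after_failure = 0, False
        for outcome in outcomes:  # outcomes are kept in arrival order
            if outcome == "Failed":
                failures += 1
            elif failures:
                success_after_failure = True
        if failures < threshold and not success_after_failure:
            continue  # not interesting enough to surface to a human
        if success_after_failure:
            effect = "root compromise" if user == "root" else "user account compromise"
        else:
            effect = "failed attempts only"
        priority = RESOURCE_CRITICALITY.get(host, 1) * EFFECT_WEIGHT[effect]
        findings.append({"host": host, "user": user, "source": src,
                         "failures": failures, "effect": effect, "priority": priority})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)
```

The single failed attempt by `bob` is deliberately left unflagged, so the output contains only the two streams a handler should look at, highest priority first.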

Use lessons learned

In addition to the foregoing, it is highly recommended that after a major incident, organizations hold a "lessons learned meeting" to discuss how effective the incident handling process was and to identify any improvements needed for existing security controls and practices. This is so important that it is suggested that such meetings take place periodically to review lesser incidents. Information gained from all of these meetings can be used to identify and fix security weaknesses.

Situational awareness

Because major incidents are complex, organizations often find it very difficult to maintain situational awareness during the crises caused by these incidents. Accordingly, recommendations include: establishing on-hours and off-hours contact and notification mechanisms for various individuals and groups within and outside the organization, preparing guidelines for prioritization of incident response actions based on business impact, preparing people to act as incident leads who have responsibility for gathering information from incident handlers and for distributing information to appropriate parties, and practicing in the handling of major incidents through simulations on a regular basis.

Wake up

The foregoing recommendations are smart and practical, and they serve as a wake-up call, perhaps before it is too late for some organizations.

This article first appeared on Law.com.

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His column appears Thursdays at USATODAY.com. His Web site is www.sinrodlaw.com, and he can be reached at ejsinrod@duanemorris.com. To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to ejsinrod@duanemorris.com.