Security's Everyman

Friday, August 24, 2007

Incident Response belongs to everyone

Harlan asks "who decides what best practices are" in regards to Incident Response. Harlan is a forensics guy and has written an excellent book (I've only read one chapter, but many others have told me how good it is) on Windows Forensic Analysis. Obviously forensics plays a part in many Incident Response scenarios. His answer to the question of who decides best practices is "It depends". And I agree.

Dr. Anton asked how PCI can be both complex and basic security. He asked that based on the fact that my PCI poll (as scientific as it was) said that 40% of you think PCI is complex and 40% think it is basic security. My take on that was "It depends".

On the Security Catalysts forums someone asked if NAC had any real value, given that there are ways around it. My response again was "It depends".

Security depends on your company, your environment, your level of risk and risk acceptance. It depends on the level of competency of your IT and security staff, and the level of competency of your end user employees. What partners, contractors, visitors, etc. are allowed to connect to your network? What controls are you willing and able to put in place? What policies do you have and enforce? What level of buy-in do you have from management? What does your IT environment look like? Is it new, old or a mix? Is it small, medium or large? Is it complex or simple? Do you have lots of different apps or only the core ones required to do business? How big is your Internet-facing presence?

This list could go on and on and on and on. There are too many variables to give a concrete answer to these and other similar questions. So the real answer is that it doesn't matter what your idea of the answer is. Your job, as an Information Security Professional, is to do the best you can with what you have and plan for the worst. That is where the concept that IR belongs to everyone comes in.

Many companies have IR teams that jump into action at a moment's notice. But what happens between the time an incident is discovered and the time the team is able to take action can make all the difference in the outcome of the team's work. The rest of the company, from end users to IT/IS, needs to know what to do in the event of an incident. If they don't, they will invariably do something wrong that hinders the investigation and the fixing of the issue.

I've written too much, so I don't have time to go into details here, but suffice it to say that IR goes way beyond the team. It has to be dealt with at ALL levels if success in dealing with an incident is your goal.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0 License.