Building an Incident Response Plan

Just like you have a plan for back-up and disaster recovery (you do, don't you?), you should have a plan for response to computer crime incidents. This will help you take the right steps, both in advance of an incident and after it, to make sure you have the right groundwork laid and don't shoot yourself in the foot. This is a large subject area and there are whole books on the subject, but basically you want to document a process for dealing with incidents so you can proceed without uncertainty when something happens.

With input from upper management, build a map that lays out your actions if certain things occur. Make sure you have the proper approvals from upper management to do certain things like involve law enforcement, or your job could be at risk. In larger companies this will probably involve lawyers and the public relations department, and this may quickly be taken out of your hands, which is fine as long as you understand your role in the process and that is clear to everyone. This action plan might look something like this in its basic form.

Contain the problem. Make sure that your assailants can't do any more damage.
Start any preliminary recovery/restore operations, making sure to preserve any evidence properly.
Assess the damage. Try to quickly determine monetary amounts of loss either in hard or soft dollars. Management tends to react quicker when presented with dollars and cents.
Report the problem to upper management for either referral to law enforcement or internal investigation.
Decide whether to do the investigation in house or bring in third-party professionals.
Proceed with internal investigation or assist law enforcement officials.