Need to build a CERT for your company?

Friday, June 22, 2007

I came across this excellent article, which gives you a high-level overview of how to build and manage a CERT in your company. There are many low-level details which are very much required, but I would say this will give you a kickstart on which direction to go and what to look for to execute this task successfully.

Representation from all affected departments, including IT, human resources, public relations, marketing, legal, compliance and others. Identifying at least one person from each of these departments to be part of the team, sit in on meetings, and offer input and approval of response plans is best done before an incident happens.

"If you’re in the middle of the crisis [without a response team], you would have to figure out who the right people are [in each department] and you might make some wrong decisions," says Randy Barr, CSO of WebEx. "And people may have different ideas of what should happen. Then you’ve lost the ability to respond quickly."

-- My Take: The people from each department should be told clearly about this role, and they should be able to go the extra mile in case of a breach or an attack. This team should also have a weekly meeting to update each other on security issues in their departments or general feedback from their departments.

A clear communication channel with the executive team. At WebEx, Barr built a security committee and a security council. The committee, composed of employees from a number of departments, meets once a month. Issues it can’t settle are sent for a ruling to the council, which includes officers of the company. The council meets once a quarter for 30 minutes to keep up to date on security issues and to provide feedback to the company’s board of directors.

-- My Take: Unless executives are involved, security work will not go forward or succeed, so it is very important that they are aware of it and are promoting security work throughout the organisation.

Deciding what outside professionals would need to be pulled in during an incident, and who those professionals are. If a company doesn’t have the technical, legal or other expertise in-house to deal with a data breach, the response team needs to identify those weaknesses. The team also should decide which legal firm, security consultant, public relations company and so forth the organization would work with in case of a crisis, and if possible, keep those professionals on retainer.

"You’ve got to have at least some sort of relationship with these professionals so you can make that phone call" at the time of the incident, says an investigation manager with a financial services company who asked that his name and his company name not be mentioned.

-- My Take: In case you don't have an in-house expert, do your background research for good security experts in your area, because you should not be wasting time when an incident has happened. Also, the internal team should be trained on security issues so that the problem-solving and incident response time is shortened.

A communication plan. Detail with whom the team will communicate, both internally and externally, and what it will say. The team should get management’s approval of prepared scripts, limiting the time that needs to be spent on small details during a crisis.

-- My Take: As soon as an incident has happened, don't send an email to or else your share prices will go down the next day, and it's not just that; things should be kept secret till it's over or till you have got the pieces together. At times, disclosure of an incident has a very bad and negative effect on the company.

-- Anish

