ABSTRACT
Invariably, these and other policy issues are best
resolved well in advance of when they are needed.
Details likely to be overlooked can be documented in the plan. Often, a seemingly unimportant event turns
into a serious incident. A security administrator might
notice something unusual and make a note of it. Over
the next few days, other events might be observed. At
some point, it might become clear that these events
were related and constitute a potential intrusion.
Unless the organization has an incident response plan,
it would be easy for technical staff to treat the situation
as simply another investigation into unusual activity.
Some things may be overlooked, such as notifying
internal audit, starting an official log of events pertaining
to the incident, and ensuring that normal cleanup or
routine activities do not destroy potential evidence. An
incident response plan will provide a blueprint for
action during an incident, minimizing the chance that
important activities will fall through the cracks.