This snapshot taken on 04/03/2010, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.


Recovery

The approach taken to recovery from an inappropriate usage incident largely depends on the nature of the event. Use this section as a guide to the stages set out below.

Consider the facts

There are many variables that need to be considered when dealing with incidents of inappropriate usage. These include:

  • The nature of the incident
  • How long the incident has been going on
  • Who has noticed

In most cases, the impact of inappropriate usage will be on the organisation's reputation. How you respond to such a breach is vital in recovering reputation, or at least for damage limitation.

For example, the immediate dismissal of a person found storing paedophile material is the only acceptable response. The immediate reporting of their activity to the police is also an absolute requirement.

Actions are harder to determine if, for example, someone has been broadcasting jokes that are offensive to some, but acceptable to the majority of people.

Basic principles of recovery

The following high-level principles should be considered before setting up a formal response:

  • The best aid to recovery is prevention
  • Make sure those involved understand their roles and responsibilities. Ensure that people know who is in charge and who has authority to speak for the company
  • Clarify channels of communication to all who need to know, including external parties such as the media
  • Make sure those interested know what you have done in terms of preparation. This should include a published policy, education initiatives, warnings and other pre-incident activities
  • The media can be your friend as well as your enemy; make them your friend
  • Remember that failing to disclose information to the media can rebound on you if they find it out through other channels; make use of any PR people you employ
  • Remember that the aim is to manage the effects of the incident. Don't be tempted to use 'spin' as an alternative; it will rebound on you

Basic steps for the recovery process

Any breach of information security should be dealt with in a structured manner. An Incident Management Policy (IMP) and its supporting processes provide the best framework within which to react when recovering from inappropriate use of e-mail or Internet access.

The basic process involves the stages described below: qualification, containment, assessment, countermeasures, appraisal and conclusions.

These steps are not mandatory. Each suggestion should be considered and actioned if it is deemed appropriate to the individual circumstances.

Qualification

The first stage of any Incident Management Policy (IMP) is that of qualification. Ask yourself: "does the event qualify as an incident?"

Establish if there is, or has been, a threat to the organisation's business assets, regulations, or company policy. If the event qualifies then you should continue with the recovery process.

If the incident is on a larger scale you may need to invoke crisis management procedures.

Containment

  • Record the time, duration and location of the incident
  • Determine if the affected system should be isolated or access paths removed to prevent further damage
  • Consider preserving the 'scene'. Take photographs, make notes of system connectivity, etc.
  • Consider creating a forensic backup of relevant data or systems. For example, 'imaging' of computer systems to provide an evidential clone (in other words, to take a copy of the system as it was found)
  • Identify any records or logs that exist for the incident
  • Identify other evidence, for example, witnesses, CCTV, manual systems
  • Determine who should be notified, both internally and externally

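The containment checklist above asks for the time and location of the incident to be recorded and for an evidential clone to be taken. The following script is an added example, not part of the original guidance, showing the minimum a defender should keep alongside an image: a cryptographic hash of the data as acquired, bundled with who took it, when and where, so that any later copy can be checked against what was found. The sample "image" bytes, location and custodian names are constructed values.

```python
"""Added example: integrity record for an evidential clone (Containment stage)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "disk image" standing in for the data as it was found.
SAMPLE_IMAGE = b"boot-sector\x00" + bytes(range(256)) * 4 + b"user-mailbox.pst\x00"


def make_acquisition_record(image, *, incident_location, acquired_by, acquired_at=None):
    """Hash the acquired data and bundle it with who/when/where details.

    The record is kept with the clone: it ties the image content to the time,
    place and custodian noted at containment. (Hypothetical helper, not a
    tool named on the page.)
    """
    when = acquired_at or datetime.now(timezone.utc)
    return {
        "acquired_at": when.isoformat(),
        "incident_location": incident_location,
        "acquired_by": acquired_by,
        "size_bytes": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_clone(clone, record):
    """Return True only if the clone still matches the recorded size and hash."""
    if len(clone) != record["size_bytes"]:
        return False
    return hashlib.sha256(clone).hexdigest() == record["sha256"]


if __name__ == "__main__":
    rec = make_acquisition_record(
        SAMPLE_IMAGE,
        incident_location="Office 2B, workstation WS-17 (constructed)",
        acquired_by="IT security on-call (constructed)",
    )
    print(json.dumps(rec, indent=2))
    print("clone verifies:", verify_clone(bytes(SAMPLE_IMAGE), rec))
    # Flip one byte: the copy no longer matches and must not be presented as evidential.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01
    print("tampered clone verifies:", verify_clone(bytes(tampered), rec))
```

A single changed byte anywhere in the copy is enough to fail the check, which is what makes the recorded hash useful when the value of the evidence is assessed later.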
Assessment

  • Determine the extent of the incident. For example, who knows, who has noticed?
  • Establish the value of evidence. For example, could it be needed in court?
  • Consider interviewing witnesses or relevant parties, including service providers etc.
  • Gather supporting evidence. For example, penetration test reports, network reviews and risk assessments
  • Gather staff evidence. For example, Human Resources records

Countermeasures

  • Apply appropriate technical upgrades, patches and configuration reviews. If you are in any doubt about upgrades or patches, always seek advice from your vendor
  • Increase network protection
  • Review intrusion detection devices and policy
  • Adjust server loads, access, etc.
  • Revise policy, staff training
  • Determine HR and contractual issues
  • Review outsourcing agreements (as appropriate) and revise or negotiate liability clauses and warranties
  • Manage PR and publicity issues. For example, shareholders and the media
  • Involve appropriate external parties. For example, contact your local police force

Appraisal

  • Decide if you should report the incident to statutory bodies and consider incident reporting
  • Review the Assessment and Countermeasures stages
  • Address disciplinary issues - see HR Issues
  • Consider legal proceedings
  • Address contractual issues

Conclusions

  • Deal with external bodies where necessary
  • Start court or tribunal proceedings where necessary
  • Provide a managed or assisted security solution
  • Address PR issues