This snapshot, taken on 05/05/2009, shows web content selected for preservation by The National Archives.

Recovery

There are many variables to be considered when dealing with incidents of unauthorised access. These include:

  • The nature of the incident (prank, vandalism, fraud, etc.)
  • How long the incident(s) has (have) been going on
  • Who's noticed

These factors (amongst others) should help determine the nature of your response. Much of the impact will probably be to the organisation's reputation. Your response is therefore vital in recovering a damaged reputation, or stopping it from degrading further.

The following high-level principles should be considered before setting up a formal response:

  • The best aid to recovery is preparation. See our Business Continuity Management page
  • Just as reaction to a threat should be proportionate to the risk, response should be proportionate to the impact of the event. See our Risk Management page
  • Make sure those involved understand their roles and responsibilities in the incident management process. Ensure that people know who's in charge and who has the authority to speak for the company
  • Clarify channels of communication to all who need to know, including external parties such as the media and the police
  • Make sure those interested know what you have done to prepare. This should include published policy and education initiatives, warnings and other pre-incident activities
  • The media can be your friend as well as your enemy; make them your friend
  • Remember that failing to disclose information to the media can rebound on you if they find it out through other channels; make use of any PR people you employ
  • Remember that the aim is to manage the effects of the incident. Don't be tempted to use 'spin' as an alternative; it will rebound on you
  • Assess (qualify) the intrusion. Ask yourself:
    • What is the nature of the intrusion?
    • Is it ongoing?
    • How long has this been going on?
    • Who knows about it?
    • Is there evidence that needs to be preserved?

Other actions depend on the scale and potential impact of the intrusion. If necessary, you may have to consider escalating the incident to your crisis management team.

If there are legal concerns, or there is insider involvement, you should involve Human Resources, and be aware of the implications. See our Legislation and Human Resources pages.

Various Computer Emergency Response Team (CERT) bodies have compiled a more technical recovery checklist for Windows NT or Unix incidents. See: www.cert.org/tech_tips/win-UNIX-system_compromise.html