> We would like to set up a list of rules for incident response. We just happen to be working on a project for that.
> Therefore I would like to welcome any suggestions, links or articles
> what an organisation should do after a minor, medium or major
> incident has happened in a company (not only cyber-crime)?

No links, but some pearls of wisdom :-) after six months into the project:

- You need a risk assessment and a policy to define what is a major, medium or minor incident.
- You need to know that something has happened at all, so you need a monitoring activity and a monitoring team.
- You need to be "proactive" (as you suggest), so you need a team that continuously tries to find vulnerabilities and exploits in your infrastructure and reports them to the organization in a structured manner.

> When to contact the law enforcement agencies:

- A matter of policies again and of network/computer forensics "post mortem". High damages (whether in money or reputation) may be worth a report to the police, others may need just an internal investigation (if insiders are involved), others are not worth the aggravation ....

> ... Even incident response perhaps is partially a
> top management activity?

Most definitively YES! There are responses that are top management responsibility (think of a major bank network under attack, only top management can be in the position to decide to "pull the plug off" ... ).

--
Alessandro Bottonelli
Axis-Net, Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]