Abe pointed out that it's important to have incident response policies in place prior to an incident. I had always thought in terms of a plan, tools, and team, but not policies. Let me list a few items to explain.
Using language Abe secured for his university as a template, I plan to seek approval for something like this as a blanket incident detection and response policy at my company:
The Director of Incident Response and authorized designees have the authority to take actions necessary to contain, detect, and respond to computer incidents involving company assets.
These actions will be consistent with company policies and applicable laws.
Please note the original language said "prevent" instead of "contain," but my company has a separate security services arm. "Contain," as in "limit the damage," is more appropriate for my team's scope.
Abe also recommends explicit policies for the following:
- Data collection and retention (I would add destruction too)
- Node blocking and disconnection
- Account suspension
- Password changes
- Data sharing
Abe's point is that pre-coordination is essential to giving the CIRT the ability to rapidly execute its response and containment mission during an incident. Signing these policies also sets expectations for the business units that are the CIRT's customers.