Jul 26 2007

Know the Difference Between Disaster Management vs. Incident Management

Hope for the best, but prepare for the worst.

The terms “incident response” and “disaster recovery” both refer to an organization’s handling of computer or network threats after a disastrous event. But implementing these responses never has to happen if a company plans for such possibilities before they occur. Preemptive measures can head off major debilitation, including legal ramifications, financial losses and even simply the tarnishing of a company’s good name.

“A disaster is thought of like a heart attack,” says Ken M. Shaurette, CISSP. “Disaster management could be thought of as the medicine or exercise program that your doctor has to keep you alive until you can recover from the heart attack. Incident management is all the symptoms that you might [have had] for several months before the heart attack.” Shaurette is also a certified information systems auditor and a certified information security manager.

While specific preventions and remedies vary among industries, for most networked entities, planning includes being ready for threats such as viruses, hack attacks, denial-of-service attacks (malware outbreaks in general), unauthorized access (including employee abuse of information systems), industrial espionage and even hoaxes or scams. 

“Networks and systems often stay up and keep working, with the exception of a host or two if it needs to be forensically examined,” says Kevin Beaver, CISSP, of Principle Logic, with regard to incidents. He regards disasters, on the other hand, as “all-out show stoppers” with networks down, Internet access unavailable and buildings being evacuated.

“It’s important to differentiate between the two,” says Beaver. “They’re both serious but typically require completely different mind-sets as well as separately documented plans and response procedures.”

Secure Physical Space

Planning means taking precautions, and starting from the ground up is a good idea. For example, storage media (disks, finger drives, paper documents and so on) should be maintained in reinforced cases or boxes so as to avoid water damage from flooding. (Whenever possible, paper documents should be transferred to digital media, which take up less space and pose less of a fire hazard.) Often overlooked, but equally dangerous, are furniture and fixtures that are not secured properly. Desks, filing cabinets and all tall furniture should be secured to walls or the ground so they’ll be less likely to topple over. Often, routine examination and maintenance of electrical and other wiring can prevent simple network and telephone disconnects.

After the Incident

After an incident has occurred — despite your organization’s preventive measures or from a lack thereof — some action must be taken. According to Simon Heron of Network Box, incident management means “being able to identify, analyze and correct issues.” This requires monitoring to identify systems that have moved out of normal operating parameters, determining whether the source of the incident can be understood and then taking action.

An example: Your network fails as a result of overheating. “System temperatures might increase, but this could be because the air conditioning has failed — a real-life example,” says Heron. “The corrective action: Get the engineers in.” Most of the time, correcting shortcomings where they’re identified is not only the response to and management of an incident but also becomes the prevention of another similar incident.

Whether your organization is able to devote large amounts of resources (in both financial capital and work hours) or your budget allows for only rudimentary preparation, planning ahead will pay off. Many businesses ignore arguments urging the need for incident planning, but rarely, if ever, do those organizations ignore an incident once their systems have been breached. Rather than succumb and go out of business, they’re able to devote capital to repairing the damage afteran incident, which is often costly. Instead, they could have avoided repair had they applied even a portion of those funds to preventive planning.  

Douglas Schweitzer, A+, Network+, iNet+, CIW, is an Internet security specialist and author of several information security books.