Users notice something wrong (information missing, altered, or unavailable) and report it as a system problem to the help desk or operations staff, who should be trained to recognize security incidents.
Incident notification procedures should be prearranged: who to notify, when, and how (out-of-band communications, since the normal channels may be compromised or unavailable during the incident).
Keep a log of events as the incident unfolds.
An internal security incident management group handles the response.
A CERT coordinates communication among experts during a security emergency and works to prevent future incidents.
Most attacks arrive over a network and, once into a system, an attacker will use the network to broaden his control.
Partners affected by the incident must be informed and worked with:
upstream site: involved in the intrusion before yours (where the attack is coming from).
downstream site: involved in the intrusion after yours (where the attack is going to).
Law enforcement involvement is a business decision (unless legally required). It is needed if other companies are involved, or if legal steps are required to identify the attacker (e.g. wiretaps) or to collect evidence for prosecution. Know the applicable laws and the agencies.
The news media need skilled handling by a trained public affairs office. Security incidents are often handled quietly to avoid a negative image and loss of business or reputation.