8 years ago
Absolutely. In the event of, for example, a virus infection (including a worm infection) you want to have had a response plan in place. You want general familiarity with the response plan, and ready access to it. Don't leave the only copy on a web page.
Hopefully everyone's pictured such an incident and developed and shared their response plan.
But as Mike points out at the beginning of the article, "security incidents can vary widely in size and target." Take, for example, the "virus successfully detected" events that occur when users visit web sites. I consider those to be events that need follow-up. For example, if one malicious file was detected how many malicious files were not detected?
If my response plan begins with (for example) "isolate the environment", I'll be tempted to not count the "virus successfully detected" event as a security event. Instead, I recognize that it needs a different response plan.
I'm sure this dilemma haunts Mike as well.