Chapter 5: Policy

NOTE: It is never a good idea to retaliate. This may be an illegal act and is not recommended in any situation.

Authority

An important part of the IRP is defining who within the organization and the incident response team has the authority to take action. This part of the procedure should define who has the authority to take a system offline and to contact customers, the press, and law enforcement. It is appropriate to identify an officer of the organization to make these decisions. This officer may be a part of the incident response team or may be available for consultation. In either case, the officer should be identified during the development of the IRP, not during the incident.

Documentation

The IRP should define how the incident response team should document its actions. This is important for two reasons: it helps to see what happened when the incident is over, and it may help in prosecution if law enforcement is called in to assist. It is often helpful for the incident response team to have a set of bound notebooks for use during an incident.

Testing of the Procedure

Incident response takes practice. Do not expect that the first time the IRP is used, everything will go perfectly. Instead, once the IRP is written, hold several walk-throughs of the procedure with the team sitting around a conference room table (see Appendix D for sample incident response scenarios). Identify a situation and have the team talk through the actions that will be taken. Have each team member follow the procedure. This will identify obvious holes in the procedure that can be corrected. The IRP should also be tested in real-world situations. Have a member of the security team simulate an attack against the organization and have the team respond. Such tests may be announced or unannounced.

Configuration Management Procedure

The configuration management procedure defines the steps that will be taken to modify the state of the organization's computer systems. The purpose of .