I recently attended a seminar at a well-known southwestern school on building an Incident Response Team. During the discussion about Team membership, management oversight of the Team and related responsibilities, I noticed that the membership of the Team and the Oversight Committee was lacking some critical input.
An area often overlooked, especially when being developed by those in the Information Technology field, is the aspect of physical security. The campus police and the maintenance department were the two members lacking in this particular seminar. When I brought up this issue, it was dismissed with the equivalent of: “Oh, them.”
(They may never be getting into their offices again, or have decent air conditioning. And keys? Forget it.)
Considering an “IT event” to be the only worthy event included in the IRT criteria for action is truly shortsighted. Physical events such as a string of burglaries on campus, flooding or water damage can have just as much impact on communications as a network outage. Not to mention the idea that those events would be a great shield for someone intent on attacking the network. If the IRT is unaware of these events, it becomes ineffective.
Not only that. Bringing physical security to the common IRT table is important for those folks, as well. They may be unaware of events in the IT world that would impact on securing the overall physical environment. Having all parties educate each other provides a unified response, and that’s a much better incident response overall.