In the previous chapters you have learned of the myriad of settings, tools, techniques, and processes meant to keep your site safe. But what if you do everything right and yet by some undisclosed vulnerability or by another means the bad-guys break-in? Then you have an "incident". And incidents should be managed carefully for several reasons. An Incident Management plan is different from a Disaster Plan, but should be developed to work very closely with a disaster plan (or a business continuity plan).

Therefore, incident management is a blend of reactive and proactive services that help prevent and respond to computer security events and incidents. An incident management system is not a "single person" in many cases, but for the readers of this book it may be just that: a single person. The intent of this chapter is to give you a basic working model with which you can manage an inevitable incident.

The model we present is heavily based on the work Special Publication...