W4L1

Cards (28)

  • Cyber security incidents, particularly serious cyber security attacks such as advanced persistent threats (APTs), are now headline news. They bring serious damage to organisations of all types, governments, and international bodies. Ways to respond to these attacks in a fast, effective, and comprehensive manner are actively being developed at the very highest level in corporate organisations, government bodies, and international communities such as the World Economic Forum, where cyber security attacks are seen as a major threat.
  • One of the best ways to gain some peace of mind when it comes to data breaches is to create and regularly test an Incident Response Plan (IRP).
  • According to the National Institute of Standards and Technology (NIST), an IRP simply provides “the instructions and procedures an organization can use to identify, respond to, and mitigate the effects of a cyber incident.” (IRM)
  • A computer INCIDENT is a violation, or imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices.
  • computer EVENT
    "an event is any observable occurrence in a system or network"
    "events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data."
  • A computer INCIDENT leads to
    (a) negative impact to the company’s reputation,
    (b) inappropriate access to PII, PHI, or customer data, and
    (c) loss of intellectual property or funds.
  • Breach – when an organization has lost control of certain types of sensitive data, i.e., PII, PHI, or customer data.
  • THE NEED FOR AN INCIDENT RESPONSE TEAM (IRT)
    1. General Counsel (Legal)
    2. Chief Information Security Officer or Chief Information Officer (Management)
    3. Technical Leads (such as Security, Network, or Infrastructure)
    4. Human Resources
    5. Public Relations / Marketing
    6. Risk Management / Insurance
    7. Business Subject Matter Experts (as needed)
  • Although it is common to have one single team, another option is to create a core team and bring on ad hoc members as needed. Also, be sure to assign alternate members with decision-making authority, should a team member be unavailable when an incident arises.
  • PHASE 1 Prepare
  • PHASE 2 Respond
  • PHASE 3 Follow up
  • Preparing for a Cyber Security Incident
    Responding to a Cyber Security Incident
    Following up a Cyber Security Incident
  • PHASE 1 PREPARE
    • criticality assessment (CA)
    • cyber security threat analysis (CSTA)
    • consider implications of PPTI (CI)
    • control framework (CF)
    • review state of readiness (RSOR)
  • PHASE 2 RESPOND
    • identify cyber security threat (CST)
    • define objectives and investigate situation (O&IS)
    • take appropriate action (AA)
    • recover systems, data and connectivity
  • PHASE 3 FOLLOW UP
    • investigate incident more thoroughly
    • report incident to relevant stakeholders
    • post incident review
    • communicate and build on lessons learned
    • update key information, controls, and processes
    • perform trend analysis
  • Determine Authority to Call an Incident
    Your IRP should clearly state who has the authority to declare an incident. As soon as this person or team declares an incident, it should automatically invoke the IRP and convene the IRT.
  • Assign IRT Responsibilities
    Outline the roles of everyone on the IRT and clearly define each team member’s responsibilities. In the event of an incident, this clarity will minimize confusion when tough decisions need to be made.
  • Do Not Assign Severity Levels
    While it may seem initially helpful to describe categories of severity and ramp up the response accordingly, the risk is too great that an incident can be mislabeled. Every declared incident should be considered a top priority, with all hands on deck.
  • Establish Communications Procedures and Responsibilities
    Determine how communication would flow. For example, how would the IRT communicate securely? Where would they meet (war rooms)? Is it safe to use corporate email? What should be communicated verbally, what should be written? Additionally, assign who will communicate with external parties, such as outside counsel, insurance carrier, law enforcement, the media, and regulators. Likewise, decide who would report to company e
  • Gather Pertinent Information
    Have critical information compiled in preparation for an incident.
  • Outline the Process
    Clearly indicate when the team must be convened and outline in detail all the steps in the process, including escalation points. Start with the incident report and end with lessons learned.
  • Review and Test the Plan
    Review the plan quarterly and make updates accordingly.
  • State of Readiness
    PEOPLE, PROCESS, TECHNOLOGY, INFORMATION
  • People – Assigning an incident response team or individual; providing sufficient technical skills; enabling decisions to be taken quickly; and gaining access to critical third parties.
  • Process – Knowing what to do, how to do it, and when to do it, e.g., identify cyber security incident; investigate situation; take appropriate action (e.g., contain incident and eradicate cause); and recover critical systems, data, and connectivity.
  • Technology – Knowing their data and network topology; determining where their Internet touch points are; and creating / storing appropriate event logs.
  • Information – Recording sufficient details about when, where, and how the incident occurred; defining their business priorities; and understanding interdependencies between business processes, supporting systems, and external suppliers, such as providers of cloud solutions or managed security services.