CSIRP Accountability, Information Sharing, and Communications Planning

Post on 31-Mar-2018

End-to-End Process/Activity Accountability

All Processes and Activities
− Have inputs and create outputs
− Have suppliers responsible for the inputs
− Have customers/consumers that receive the outputs

Inputs and Outputs
− Have specifications: cost, timeliness, accuracy, etc.

Customers/Consumers
− Can be people, departments, other processes, decisions, and external organizations

If the output of a process/activity doesn't have a home, why does the process/activity exist?

Two Process Management Concepts Combined: SIPOC and RACI

SIPOC – Supplier, Input, Process, Output, Customer
− Identifies and quantifies the inputs to and outputs from the process, along with who is responsible for delivery and who receives the deliverables

RACI – Responsible, Accountable, Consult, Inform
− Identifies the roles and responsibilities of those within the process

Total Accountability Model Metrics

Metrics are defined for any component and roll up to total performance.

Examples of CSIRP Measures
− Dwell time includes: Detection, Review, Analyze, Identify, Notify
− Containment includes: Collect, Validate, React

Measures from Mandiant White Paper: Using Metrics to Mature Incident Response Capabilities
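The component-and-rollup idea above, worked through as an added example (not code from the slides or from the Process Delivery Systems resource center): each hop between checkpoints is a component metric, dwell time and containment time are the rollups, and an incident that has not yet reached a checkpoint is reported as open rather than as zero. The checkpoint names are assumed and the incident timestamps are constructed sample data.

```python
"""Roll CSIRP checkpoint timestamps up into dwell-time and containment metrics."""
from datetime import datetime
from typing import Dict, List, Optional

# Checkpoints in process order, grouped as the slide groups them. The checkpoint
# names are assumed; the timestamps further down are constructed sample data.
DWELL_PHASES = ["detection", "review", "analyze", "identify", "notify"]
CONTAINMENT_PHASES = ["collect", "validate", "react"]

def _minutes_between(stamps: Dict[str, str], start: str, end: str) -> Optional[float]:
    """Elapsed minutes from checkpoint `start` to `end`; None while either is unrecorded."""
    if start not in stamps or end not in stamps:
        return None
    delta = datetime.fromisoformat(stamps[end]) - datetime.fromisoformat(stamps[start])
    if delta.total_seconds() < 0:
        raise ValueError(f"checkpoint {end!r} recorded before {start!r}")
    return delta.total_seconds() / 60

def incident_metrics(stamps: Dict[str, str]) -> dict:
    """Component metrics (each hop) plus the rollups: dwell, containment, and total."""
    hops = {}
    for phases in (DWELL_PHASES, CONTAINMENT_PHASES):
        for prev, cur in zip(phases, phases[1:]):
            hops[f"{prev}->{cur}"] = _minutes_between(stamps, prev, cur)
    return {
        "dwell_minutes": _minutes_between(stamps, DWELL_PHASES[0], DWELL_PHASES[-1]),
        "containment_minutes": _minutes_between(stamps, CONTAINMENT_PHASES[0], CONTAINMENT_PHASES[-1]),
        "total_minutes": _minutes_between(stamps, DWELL_PHASES[0], CONTAINMENT_PHASES[-1]),
        "hops": hops,
    }

def aggregate(incidents: List[Dict[str, str]]) -> dict:
    """Average each metric over incidents that completed it; open incidents are counted, not zeroed."""
    rows = [incident_metrics(inc) for inc in incidents]
    def mean(values):
        done = [v for v in values if v is not None]
        return sum(done) / len(done) if done else None
    summary = {k: mean(r[k] for r in rows) for k in ("dwell_minutes", "containment_minutes", "total_minutes")}
    summary["hops"] = {h: mean(r["hops"][h] for r in rows) for h in rows[0]["hops"]} if rows else {}
    summary["open_incidents"] = sum(1 for r in rows if r["total_minutes"] is None)
    return summary

# Constructed sample incidents: INC-1 is closed, INC-2 has not reached "identify" yet.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "detection": "2024-03-01T08:00:00", "review": "2024-03-01T08:20:00",
     "analyze": "2024-03-01T09:00:00", "identify": "2024-03-01T09:30:00", "notify": "2024-03-01T10:00:00",
     "collect": "2024-03-01T10:15:00", "validate": "2024-03-01T11:00:00", "react": "2024-03-01T12:00:00"},
    {"id": "INC-2", "detection": "2024-03-02T14:00:00", "review": "2024-03-02T15:00:00",
     "analyze": "2024-03-02T16:00:00"},
]
```

`aggregate(SAMPLE_INCIDENTS)` reports a mean dwell time of 120 minutes from the one closed incident and one open incident, so a slow in-progress case cannot hide inside a zero.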

Activity/Process – Obtain, Implement, and Maintain the Cyber Security Insurance Policy

Accountable: Finance/Risk Management Officer

Activity/Process – Communicate the Cyber Security Insurance Policy (Finance/Risk Officer)
− Cyber Liability Policy Requirements/Checklist
− Insurance Broker Notification Requirements
− Coverage Allocation
  − What's covered
  − Who provides services
  − Fines and penalties
  − Internal response resource costs
    − Personnel
    − Resources
  − External response resource costs

Finance/Risk Management

Cyber Insurance Plan
− Cyber Liability Policy Requirements/Checklist
− Insurance Broker Notification Requirements
− Coverage Allocation
  − What's covered
  − Who provides services
  − Fines and penalties
  − Internal response resource costs
    − Personnel
    − Resources
  − External response resource costs

Technical

Information Technology/IT Security
− Identify and analyze
− Contain, eradicate, and recover
− Lessons learned (lessons learned applies to all facets, to improve both prevention and reaction)
− Root cause analysis

Business Contingency Planning

All Departments – Management (Operations, Finance, Sales, etc.)
− Operational Continuity With Degraded Resources
− Internal and external capabilities

Legal Department
− Competent Cyber Incident Response Knowledge
− Coordinate and Execute Cyber Insurance Policy Notification Requirements
  − Regulatory
  − Industry
− Business Implications
  − Contractual Obligations
  − Service Levels
− Law Enforcement – Crime Resolution

Corporate Communications

Internal
− Stakeholders
− Operational service impacts
− Management
− Employees

External
− Victims
− Consumers
− Business Partners
− Vendors
− Community/Market
− Media

Human Resources

Employee Victim Services
− Internal
  − Employees
  − Management

Customer Service

Victim Services
− Internal
  − Employees
  − Management
− External
  − Clients
  − Business Partners

CSIRP Process Resource Center for the NIST SP 800-61 R2 Incident Response Lifecycle
− Widely Referenced Incident Response Lifecycle
− Extensive Availability of Supportive, Authoritative, Referenceable Sources

NIST SP 800-61 R2 Community CSIRP Process Resource Center Home Page

Mobilized Web-Based Computer Security Incident Response Plan
− Visually Intuitive Navigation
− Centralized Access to Supporting Resources
  − NIST SP 800-53, 83, 83r2, 84, 184, 86, SANS, CERT, US & ICS-CERT, ISAC, MITRE, specific vendor best practices and more
  − Each phase contains relevant intuitive workflows, supporting reference material where they apply within the process, and end-to-end accountability
  − Reference center provides additional resources like threat playbooks and links to sites that provide malware remediation assistance

Home Page of CSIRP Process Resource Center – Expanded Intent & Key Definitions

CSIRP Home Page Linked Document: CSIRP Web Framework Overview

CSIRP 1.0 Preparation

Preparation is about:
− Establishing and training the incident response team
− Proactively planning specific responses for the likely attacks the organization may face
− Acquiring the necessary incident response tools and resources
− Preparing the team to effectively react within minutes of unfamiliar attacks
− Testing plans and preparedness
− Continuously improving the incident response posture with lessons learned, industry updates, and reconnaissance

1.1 Create Computer Security Incident Response Team (CSIRT) Charter

CSIRT Charter
− Establishes written management commitment to the CSIRP
− Defines goals, scope, levels of authority, roles, and responsibilities

Step 1.4: Create Response Plans for Incident Types Defined in Step 1.2, the Compliance & Threat Requirements Library

CSIRP 2.0 Monitor, Detection, & Analysis

Monitor, Detection, & Analysis:
− The Monitor function was added to Detection and Analysis
− Monitor, Detection, & Analysis is about recognizing, receiving, analyzing and classifying all cybersecurity events and determining which are actual incidents vs. security or maintenance events
− Prioritizing the handling of incidents
− Event escalation path alternatives

2.1 Monitor and Detection

Workflow Screens Have Multiple Components

Total Accountability Bar
− Combines two process management concepts: SIPOC and RACI
− It identifies and assigns ownership to all aspects of the process.
− It is also where tangibles of the process are defined, largely in measurable terms. It helps define what success looks like.

Illustrates the Workflow as Designed for that Particular Portion of the Process

Contains additional links to documents that are SOPs and Work Instructions
− Can link to specific locations within automated application workflows

End-to-End Accountability & Performance Metrics – Total Accountability Model

Total Accountability Model – Combines SIPOC with RACI & Identifies Tangible Metrics

Total Accountability Integrated in All Workflows

Fingertip Access to SOPs and Work Instructions When Required in the Process

2.1 Monitor and Detection

2.2 Analysis

Fingertip Access to SOPs and Best Practices When Logically Required in the Plan

CSIRP 3.0 Containment, Eradication, & Recovery

Containment, Eradication, & Recovery is about:
− Isolating the attacked system(s)
− Quickly and effectively determining the appropriate containment method
− Stopping the damage to the infected host(s)
− Tracking down other system infections and remedying them
− Ensuring the attack is fully remedied
− Bringing functionality back to normal
− Monitoring to ensure there are no lingering components of the attack

3.1 Containment, Eradication, & Recovery

CSIRP 4.0 Post-Incident Activity

Post-Incident Activity is about:
− Conducting robust assessments of lessons learned
− Ensuring the appropriate actions are taken to prevent recurrence of the vulnerability exploit
− Conducting forensics to aid understanding and remedy of the vulnerability and the exploit, and to support possible legal actions

4.0 Post-Incident Activities

CSIRP Information Center

Library Contains Integrated Full Document for Regulatory and Audit Requirements

CSIRP Management Contacts

Designed to Adapt to Desktops, Laptops, Tablet, and Mobile Phones

Can be Configured to Any Compliance Standards

Services and Contact Information

Contact: Henry Draughon
Process Delivery Systems
(972) 980-9041
hdraughon@processdeliverysystems.com
www.processdeliverysystems.com

Process Center Development
• Domain Content Research and Development
• Policies, Guidelines, and Standards
• Domain Best Practices from Referenceable, Authoritative Sources
• Definitions and Visualization of Total Accountability; SIPOC/RACI
• Key Performance Measure Development
• End-to-End Process Maps Segmented by Logical Groups, Links to External Resources
• Applications, Forms, and Document Libraries, Resource Directories, Glossaries
• Process Governance and Policy Development

Manage the Forest and the Trees

Bridging the Gap Between Operations and Strategy

Watch the video: https://www.youtube.com/watch?v=nEW2LrC3-VE