Post on 10-Mar-2018
Incident Response:
What Information Security & Business
Continuity Have In Common
Enterprise Risk and Crisis Management
Risk management processes:
• Regulatory Compliance
• Robustness
• Vendor Management
• Records Management
• Risk Management
• Continuity Management
• Health & Safety Management
• Quality Management
The goal of the risk management process is to reduce risks such as:
• Workplace Violence
• Death-on-Site
• Death-on-Study
• Loss of Key Staff
• Loss of Intellectual Property
• Human Error / Sabotage
• Security Breach
• Failure of LAN / WAN
• Malicious Code Attacks
• Loss of Information System Integrity
• Loss of data / vital records
• Inability to recover data
• Interrupted services
• Animal Activists
• Natural Disaster
• Fire, Explosion
• Pipe Break, Flooding
• Hazardous Spill
• Regulatory Change
Integrating the Risk Management Processes
• Success of the plan execution depends on the integration with other
related risk management activities
– Emergency Response
– Security
– Risk Management
– Human Resources
– Environmental Health and Safety
– Crisis Management
Common Elements: Business Continuity (BC) vs. Information Security (IS)
Program Governance (common to both)
• Someone in charge
• Policies & standards
• Formal reporting process
Competencies (common to both)
• Requires specialized skills
Pre-Planning
• BC: Project Initiation and Management; Risk Evaluation and Control; Business Impact Analysis (helps define RTO & RPO)
• IS: Project Initiation and Management; Risk Evaluation; Business Impact Analysis (identifies high-impact systems)
Planning
• BC: Developing Business Continuity Strategies; Emergency Response and Operations; Developing and Implementing Business Continuity Plans
• IS: Developing implementation strategies; Incident Response and Operations; Developing and Implementing Information Security Plans
Execution
• BC: Detection; Evaluation; Response; Recovery; Resume Operations; Post Mortem
• IS: Detection; Evaluation; Response; Resolution; Resume Operations; Post Mortem
Post-Planning
• BC: Awareness and Training Programs; Maintaining and Exercising Business Continuity Plans; Public Relations and Crisis Communication; Coordination with Public Authorities (Emergency Management)
• IS: Awareness and Training; Maintaining and Testing Information Security Plans; Coordination with Public Authorities (Law Enforcement); Public Relations and Crisis Management (PII Disclosure)
Information – In Terms of IS
• The term “information” as used here includes information in human, physical, and electronic forms
• Some information can be considered critical to the organization’s success, such as that relating to:
– products
– processes
– finance
– customers, and
– copyrighted or patented intellectual property
• Loss or compromise of certain information can be harmful or even fatal to an organization, in terms of:
– damage to its reputation
– its financial status, or
– its operational ability to function
Balanced Security Program
A balanced Information Security Program embraces a carefully selected set of foundational principles such as the guidelines promulgated by the Organization for Economic Cooperation & Development [1], or the Generally Accepted Information Security Pervasive Principles [2].
[1] http://www.oecd.org/document/42/0,2340,en_2649_201185_15582250_1_1_1_1,00.html
[2] http://www.issa.org/gaisp/gaisp.html
IS Steps
• Generally, the first step is to identify and list information assets, properly
classified with respect to confidentiality, integrity, availability, and privacy
considerations
– Why not order them availability, integrity, confidentiality & privacy?
• If the information is not available, everything else is moot
• A risk assessment considering vulnerabilities, probabilities, and impact, should
be conducted to enumerate the risks to which the information assets,
objectives, and functions are exposed
• After understanding the risks, strategies can be defined and implemented to
mitigate those risks
• Recognizing that total risk elimination is impossible, it is important for the
Board to establish tolerable thresholds for known risks. This enables the
Board to convey its level of tolerance for various risks to executive
management in a meaningful way
Governance
• Establish Risk Thresholds for Critical Information Assets and Information-
dependent Functions and Objectives
• Establish Broad Information Security Program Principles and Assign Senior
Management Accountabilities for Information Security
• Protect Stakeholder Interests Dependent on Information Security
• Ensure Appropriate Information Security Requirements for Strategic Partners
and Vendors
• Comply with External Information Security Requirements (e.g. Sarbanes-
Oxley, HIPAA, GLBA)
• Establish Requirements for Internal and External Audits of the Information
Security Program
• Specify the Information Security Metrics to be Reported to the Board
Management
• Establish Information Security Management Policies and Controls and Monitor Compliance (Governance)
• Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges (Governance)
• Assess Information Risks & Actively Manage Risk Mitigation (Risk Evaluation & Control)
• Ensure Implementation of Information Security Requirements for Strategic Partners and Vendors (third-party assessments and vendor viability studies)
• Identify and Classify Information Assets (Availability, Integrity, Confidentiality & Privacy)
• Ensure Business Continuity (included in ISO 17799)
• Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance (integration into business and system development life cycles)
• Protect the Physical Environment (physical security, threat mitigation controls)
• Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
• Specify the Information Security Metrics to be Reported to Management (maturity model)
Technical
• User Identification and Authentication
• User Account Management
• User Privileges
• Configuration Management
• Event and Activity Logging and Monitoring
• Communications, Email, and Remote Access Security
• Malicious Code Protection, Including Viruses, Worms, and Trojans
• Software Change Management, including Patching
• Firewalls
• Data Encryption
• Backup and Recovery—Disaster Recovery Element
• Incident and Vulnerability Detection and Response—Incident Management
• Specify the Technical Metrics to be Reported to Management
• Information Security Program Elements and Supporting Metrics
SIRP
Section 1: Overview
• What this document covers and how to use it
Section 2: Structure of the Security Incident Response Team (SIRT)
• Types of incidents addressed by the SIRT
– Virus
– Unauthorized access of PII
– Law Enforcement Requests
– Identity Theft
– Denial of Service
– Other malicious code attacks
Section 2: Phases of incident response process
• Detection (potential sources)
• Notification (composition based on type of incident)
• Documenting the incident
• Assessment (team mix per location; may include third parties)
• Prioritization of proposed actions & notification of affected parties
• Containment (roles/responsibilities per location)
• Disclosure Process (if PII)
• Recovery (repairing the damage and resuming normal business operations)
• Post-Mortem
Section 2 cont'd: Incident information management
• PII / Non-PII
• Investigative / Non-investigative
• Briefing participants (confidentiality of information)
• Decision trees per type of incident
• Flow chart of actions
• Documenting the incident
• Status reporting: Corporate, Operating Units, Third Parties, Law Enforcement, Regulatory Contacts
Section 3: Reference
• Contact lists
• Information owners and custodians (prioritized list)
• Precursors and indicators
• Information sources: CERT, other related sites
Section 4: Forms
Terminology
• SIRP – Security Incident Response Plan
• SIRT – Security Incident Response Team
• IS – Security Center of Excellence
• OOP – Office of Privacy
• GLBA – Gramm-Leach-Bliley Act
• SB 1386 – Senate Bill 1386 (California legislation)
• PII – Personally Identifiable Information
• HD – Help Desk
• BU / BUC – Business Unit / Business Unit Coordinator
• DoS, MalCode, IU, UA – Denial of Service, Malicious Code, Inappropriate Use, Unauthorized Access
• ISP / ASP – Internet / Application Service Provider
Why Create A SIRP
• Regulatory requirements
– GLBA
– SB 1386
• Malicious code threats
• Intruder / Unauthorized Access threats
• Disclosure threats
Recent Activity
• Identity theft is the fastest growing crime in the nation
– Per a 2003 Gartner and Harris poll
• 19,178 per day, 799 per hour, 13.3 per minute
• California ranks 2nd in the nation (FTC Annual Report)
• Identity Theft Incidents
– Ford Credit (13,000 notified, 400 customers)
– Choice Point Breach (third party ring)
– AOL/PayPal ‘phishing’ (May 2004)
– Bank of America (backup tapes)
– Global Crossing (post of SSN on website)
The Likely Types of Threats
• Denial of Service
• Inappropriate use of systems
• Malicious Code
– Virus
– Worms
• Intruders / Unauthorized Access
– Identity Theft
– Access to consumer and customer information
• Personally Identifiable Information
– Company qualified PII
– SB 1386 defined PII
Introduction – Incident Response
• Incident Response is not rocket science, but:
– When an information security incident occurs there are basic steps that
should be remembered
Introduction (continued)
1. Remain calm—don’t panic
2. Enforce a ‘need to know’ policy—the perpetrator may be internal
3. Notify the right people and get help—it takes a team to succeed
4. Contain the problem—stop the crisis ASAP
5. Take good notes—documentation is critical
6. Use out of band communications (phone, fax, etc.)—you don’t know who’s watching and listening
7. Make a backup of the affected system(s) as soon as practicable—evidence & analysis
8. Get rid of the problem—correct the exposure
9. Get back in business
10. Conduct a post-mortem—understand what happened and potentially correct the exposure
SIRT Core Team
• Authorize a Central Point of Control to direct the SIRT activities
– Information Security Manager responsibilities
• Management and coordination of information security response
• Ensure incident is logged and documented
– Office of Privacy responsibilities
• Determine that PII was / was not involved
– If PII is involved, ensure appropriate response occurs
– Legal responsibilities
• Provide on-going support and legal guidance
– Interface with law enforcement
SIRT Organization
• Put the right people in the right place with the right preparation to make a
difference
– SIRT Core will identify the right people for the jobs
• Local Teams
• Centralized Teams
• Command Team
• Combination Teams
– Teams are to collect historical information
• Right people, right place, right preparation
– Ensure that all outside communications go through the Corporate Communications and Legal groups
– Follow the provided checklists and flowcharts as guidelines, not strict practices
SIRT Team (organization chart)
• SIRT Core: SCOE, OOP, TCPR Legal
• Business Unit Coordinators: Sales, Development, Regulatory Affairs, Corporate Communications, CSC Operations, Risk Management, Human Resources, Internal Audit
• Triage Team
• Support Team
• Third Party (IBM Data Center, IBM DeskSide, TMS, NetSec, etc.)
SIRT Member Obligations
• ALL expanded SIRT Members are obligated to:
– Report incidents and activities to the SIRT Core
– Coordinate all actions and communications with the SIRT Core
Other SIRT Members
Sales Development:
• Be able to directly contact distributors and wholesalers
• Coordinate with the sales force on customer-facing applications
• Involved in decision making on systems that affect their groups
Regulatory Affairs:
• Provide support for incident response where insurance products (GAP, Credit Life) are involved
Corporate Communications:
• Develop communications, jointly with the SIRT Core, relating to information security incidents
• Prepare briefs and talking points for Company executives
• Coordinate and act as primary interface for all media
Other SIRT Members (continued)
CSC Operations:
• Serve as the front-end interface to the customer base and are responsible for updating customers on any problems they experience
• Involved in decision making on systems that affect their groups
Risk Management:
• Provide risk management insight
• Support law enforcement interface and coordination
Human Resources:
• Provide information to the SIRT regarding policies/procedures for incidents originating from human resources
• Provide direction for response to inappropriate use by internal resources
Internal Audit:
• Gather information from the SIRT and provide support and guidance as needed
• Guide the SIRT in maintenance and audit of the SIRP
Other SIRT Members (continued)
Business Unit Coordinator (BUC):
• Coordinate response activities as directed by the SIRT and disseminate incident information at the Business Unit level
• Serve as the BU single point of contact for IS and the Help Desk
• Engage and oversee Triage Team members within the business unit
• Evaluate the severity level of the incident (with the SIRT) and update if necessary
Triage Team:
• Perform response activities as directed by the BUC and SIRT Leader
• Review audit trails, log files, file system contents, etc. to determine the symptoms, cause, and source of the incident
• Preserve data on system server(s) or workstation(s) (working with the site "Physical Security Coordinator")
• Triage the cause of the incident and restore affected systems to normal
Other SIRT Members (continued)
Support Team:
• Assist the SIRT with logistics, communications, resources, purchasing and anything else that may be required
Third-party (for example):
• IBM Deskside: provide desktop support, including file servers and print servers; messaging and information protection (i.e., resolve trouble tickets for desktop support assigned by the HD). Monitor HD information to determine if a security incident is occurring
• External Consulting Experts: provide support for computer forensics and investigation, in the event that this service is required
• Internet Service Provider: in some instances, ISPs may provide assistance in investigation such as locating and blocking the source of an attack, particularly Denial of Service (DoS) attacks
• NetSec: may provide key information from logs and Intrusion Detection Systems (IDS) to assist in forensic computer investigations; this information may also be used as evidence in a civil or criminal case
Communications
• Excellent communication enables a successful response
• To avoid break-downs consider:
– Having a Central Point of Control
– Practicing “Need to Know” guidance
– Contact lists and methods (both backed up offsite)
– Incidents do NOT happen at convenient times
– Expect to receive appropriate communications
• Daily, weekly, hourly … as required
• Two Levels – Working / Management
– Communicate support needed to management and SIRT
– Various modes of communication may be used
– Provide communication, it is key for decision-making
Team Preparation
• Training
– Make It Ongoing
• Calendar planning/training dates at least annually
– Expand types of scenarios—consider new threats
– Conduct different types of exercises
• Desktop / Walk-through
• Operational
• Full-scale Simulations
• A properly trained team can help events flow more smoothly during an
incident
– Set up tools and techniques training
– Be prepared with some high capacity drives for backup storage
– Have third-party contacts in place
System Administrators
• Sys Admins are key to discovering anomalies
• Guidelines include:
– Involvement and preparation
– Encouragement of regular system backups
– Utilize intrusion tools such as anomaly detection/logging and ensure tools
are turned-on
– Perform penetration testing regularly
• At least annually
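The guidance above says to turn on anomaly detection and logging and to look at what they produce. As an added example, not from the presentation or its author, the Python below runs two unauthorized-access indicator checks over a handful of constructed sshd-style log lines: a burst of failed logins from one source inside a short window (a precursor), and a successful login from a source that was just failing (the precursor turning into an incident). The log format, host name, addresses, user names, failure threshold and window are all assumptions made for the demo.

```python
"""Unauthorized-access indicators from authentication log lines.

Added example, not from the presentation: the log format is modelled on
sshd syslog messages, the addresses are documentation ranges, and the
threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; not from any real host.
SAMPLE_LOG = """\
Mar 10 02:14:01 srv01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 10 02:14:03 srv01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar 10 02:14:05 srv01 sshd[4122]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar 10 02:14:07 srv01 sshd[4123]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar 10 02:14:09 srv01 sshd[4124]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 10 02:14:12 srv01 sshd[4125]: Accepted password for root from 203.0.113.7 port 51017 ssh2
Mar 10 02:30:40 srv01 sshd[4301]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar 10 02:30:55 srv01 sshd[4302]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2
Mar 10 03:05:00 srv01 sshd[4400]: Accepted publickey for bob from 192.0.2.9 port 39000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
FAIL_THRESHOLD = 5             # assumed: failures per source inside WINDOW
WINDOW = timedelta(minutes=2)  # assumed
LOG_YEAR = 2018                # syslog lines carry no year; assumed


def parse(line):
    """Return a dict for a login-result line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"],
            "ok": m["result"] == "Accepted"}


def find_indicators(log_text):
    """Two indicators for the SIRP's Unauthorized Access category:
    a burst of failures from one source, and a success right after it."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # ip -> failure timestamps in window
    alerts = []
    for e in events:
        window = [t for t in recent_failures[e["ip"]] if e["ts"] - t <= WINDOW]
        recent_failures[e["ip"]] = window
        if not e["ok"]:
            window.append(e["ts"])
            if len(window) == FAIL_THRESHOLD:       # fire once per burst
                alerts.append(("brute_force", e["ip"], e["ts"].isoformat(), None))
        elif len(window) >= 3:
            # Precursor became an incident: the guessing appears to have worked.
            alerts.append(("success_after_failures", e["ip"],
                           e["ts"].isoformat(), e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(*alert)
```

The second indicator is the one worth escalating: a lone burst of failures is a precursor, but a success from the same source a few seconds later is what the Help Desk should hand to the SIRT Leader rather than close as noise.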
Determining Incident Actuality
• Usually only experienced incident handlers are capable of determining whether or not the incident is genuine
– Note: It may not be considered an incident unless it violates your security policy
– Check for simple errors (e.g., system configuration, h/w failures, user/system admin errors, etc.)
– Assess the evidence in detail by following the list of indicators
Relevant Kinds of Incidents
• The SIRP discusses the four major kinds of incidents that are highly likely to occur:
– Denial of Service attacks (DoS)
– Malicious Code
– Unauthorized Access (UA)
– Inappropriate Usage (IU)
• Also, a general approach is included
Chain of Custody
• Referral for prosecution
– Either requested by the company
– Or by Law Enforcement
• Evidence collection and the Chain of Custody
– Identify / tag pieces of evidence
» Number, date, signed notes/printouts
» Originals kept pristine
» Copies used for diagnosis
– Evidence under lock and key
• Two-person control system
ISP/ASP Coordination
• Close coordination with an ISP/ASP is key
– Ask for aid in investigation
– Have ISP contact information readily available
– ISPs: keep a copy of logs
• Notify appropriate officials
– Immediate manager and Information Security Lead/Mgr should be notified when the incident begins
Containment
• An on-site team may be deployed to gather information promptly and correctly
• Deploy a small team
• If possible, physically secure the area
• Use survey forms or an engineer's notebook
• Review information from the identification phase
• Keep the system(s) pristine
• Keep a low profile
• Avoid looking for the intruder with obvious methods
• Maintain standard procedures
• Avoid potentially compromised code
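The chain of custody steps under "Chain of Custody" above (number and tag each item, keep originals pristine, diagnose on copies, two-person control) are modelled below in Python as an added example that is not part of the presentation or of any KPMG material. Every evidence item gets a sequential tag and a SHA-256 recorded at collection; working copies are verified against that hash before anyone analyses them; a later re-hash of the original detects that someone touched it instead of the copy; and tagging refuses a witness who is the same person as the collector. The file contents, handler names and tag format are constructed for the demo.

```python
"""Evidence tagging and integrity checks for chain of custody.

Added example, not from the presentation: tags originals, records a
SHA-256 at collection, verifies working copies, and re-checks originals.
File contents, handler names and the tag format are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a full disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


class CustodyLog:
    """Append-only custody record: one numbered entry per item plus transfers."""

    def __init__(self):
        self.entries = []
        self._next = 1

    def tag(self, original_path, collected_by, witness, description):
        """Tag an original; its hash now is the reference for every later check.
        Two-person control: the witness must be a different person."""
        if witness == collected_by:
            raise ValueError("two-person control requires a distinct witness")
        tag_no = f"EV-{self._next:04d}"
        self._next += 1
        self.entries.append({
            "tag": tag_no, "description": description,
            "original": os.path.abspath(original_path),
            "sha256": sha256_file(original_path),
            "collected_by": collected_by, "witness": witness,
            "collected_at": _now(), "transfers": [],
        })
        return tag_no

    def working_copy(self, tag_no, dest_dir, handler):
        """Create the copy used for diagnosis and prove it matches the original."""
        entry = self._find(tag_no)
        dest = os.path.join(dest_dir, f"{tag_no}-copy.bin")
        shutil.copyfile(entry["original"], dest)
        copy_hash = sha256_file(dest)
        entry["transfers"].append({"action": "working_copy", "path": dest,
                                   "handler": handler, "at": _now(),
                                   "sha256": copy_hash})
        if copy_hash != entry["sha256"]:
            raise RuntimeError(f"{tag_no}: working copy does not match original")
        return dest

    def verify(self, tag_no):
        """Re-hash the original; any difference since tagging breaks custody."""
        entry = self._find(tag_no)
        return sha256_file(entry["original"]) == entry["sha256"]

    def _find(self, tag_no):
        for e in self.entries:
            if e["tag"] == tag_no:
                return e
        raise KeyError(tag_no)

    def dump(self):
        """Printable log to attach to the engineer's notebook or evidence form."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed scenario: tag an image, take a working copy, then catch an
    edit made to the original instead of the copy."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "srv01-disk.img")   # constructed evidence file
    with open(original, "wb") as f:
        f.write(b"constructed disk image contents\n" * 1000)
    log = CustodyLog()
    tag_no = log.tag(original, "triage-1", "triage-2", "srv01 system image")  # names assumed
    copy = log.working_copy(tag_no, work, "triage-1")
    intact_before = log.verify(tag_no)
    with open(original, "ab") as f:                   # someone touches the original
        f.write(b"oops\n")
    intact_after = log.verify(tag_no)
    copy_ok = sha256_file(copy) == log.entries[0]["sha256"]
    return tag_no, intact_before, intact_after, copy_ok


if __name__ == "__main__":
    print(demo())
```

The hash recorded at tagging time is what a court or an auditor compares against later, so it belongs in the signed custody notes the slide calls for, not only in a file on the analysis workstation.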
Containment (continued)
• Backup the system
– To avoid data destruction, backup the entire system to new, unused media
– Safely store any backup tapes and media so that they will not be lost and/or stolen
• Change passwords
– Passwords on all compromised systems should be changed (strong passwords)
– If a sniffer is detected/suspected, change passwords on the affected LANs
Risks
• Shut down or continue to run: both are tough decisions
– Input from end-users and senior management
– Provide information quickly to help the SIRT make decisions as quickly as possible
– Review affected systems and neighboring systems; delays may allow propagation of damage
– Provide recommendations to management and the SIRT
Briefings
• It is critical to keep all parties informed
– 'Need to know' basis
– End-user communications through the SIRT
– Status of IT systems tracked and reported
• Never allow "fault finding" to be an issue during incident handling; it distracts the team's response
– Encourage, motivate and commend co-workers for a job well done
– Factors leading to the incident will be identified and discussed during the post-mortem
Collect information
• Start a log book (like an engineer's notebook) using ink to record items such as:
– Assumptions and observations
– Ideas and hypotheses
– Dates and times
– People contacted
– Actions taken
• Safeguard the evidence
• Gather latest configuration details
– Try to do this without modifying the targeted system
Recovery
• Some options are:
– Isolate the system from the network, initiate damage assessment and analyze how the attack was executed
– Employ applicable protection techniques such as firewall and/or router filters, or move the system to a new IP location
– Perform system vulnerability analysis
• Using automated vulnerability assessment tools
Recovery (continued)
– Remove the cause of the incident
• Virus incidents:
– Use commercially available automated virus eradication software
• Malicious code infection:
– For well-known Trojan horses and certain worms, commercial software may suffice for eradication
– Ensure that there are effective procedures by which updates to commercial anti-virus programs are obtained
Recovery (continued)
– Remove the cause of the incident (continued)
• Network intrusion:
– Determine whether the attacker has modified the configuration on the affected system
» If yes, immediately disconnect the system from the network until the completion of forensic analysis
» Unless IS and/or law enforcement suggest otherwise in order to monitor the attacker for subsequent action
– If the attacker discovers your action, IS will decide whether to call for law enforcement support
– Team members should refrain from direct contact with an attacker in the absence of a written policy
Recovery (continued)
– Locate the most recent clean backup
• Search for a pre-intrusion backup
– Restore the system from backups or reload the entire system
– Validate the system with users
• Users' approval: that data is intact and the system is operational
• Management approval: when to restore operations
– IT will monitor closely to ensure system functionality and safety
Recovery (continued)
– Damage assessment:
• Is the incident over?
• What critical assets were involved, if any?
• Assess financial impact
• Is continued operation possible?
• Re-evaluate any/all recent changes to your site's configuration
• Track and report progress
Follow-up Reporting
• Post-mortem reporting is essential to the whole process
– Start as soon as possible after the event
– Assign the task of lessons learned
– Include forms used
– Encourage review of the draft
– Attempt to reach consensus
– Conduct an official post-mortem meeting
– Generate an executive summary document
– Management receives recommendations
– Implement management-approved actions to avoid future incidents
Security Incident Response Plan
• The SIRP:
– Is a document providing guidance to
the Security Incident Response Team
– May be used for response to all information security incidents
Document Design
• The SIRP is comprised of seven sections to assist the Company SIRT through
an information security incident. The seven sections are:
– Overview
– Checklists
– PII Incident Response Procedures
– Forms
– Appendices
– Reference Sections
– Quick Reference Card
Overview
• The overview provides a high level description of the different phases of an
incident and describes the administrative duties in relation to the document
itself (i.e. scope, maintenance, testing, etc.)
• It introduces the concepts of an Incident Response and describes, at a high-
level, the operability of the Security Incident Response Team in relation to
other Company resources
Checklists
• The Checklists provide recommended procedures for handling a variety of incidents
• They cover such response areas as:
– Information Security Incident Response Process
– Initial Incident Handling
– SIRT Decision Points
– Denial of Service (DoS) Incidents
– Malicious Code Incidents
– Unauthorized Access Incidents
– Inappropriate Usage Incidents
– Multiple Component Incidents
– Generic Incidents
– Incident Post-Mortem Meeting
• Each Checklist has a flowchart that provides high-level decision points
PII Incident Response Procedures
• PII Incident Response is driven by GLBA and SB 1386
• The PII Incident Response Procedures cover
– Preparation for Notification
– Notification Procedures
• Acquisition
• Timing of Notification
• Contacting Law Enforcement
• Whom to Notify
• Coordination with Credit Reporting Agencies
• Contents of Notice
• Form and Style of Notice
• Means of Notification
Forms
• The Forms are designed to help various SIRT positions capture necessary data.
This section includes the following forms:
– First Responder Form
– SIRP Evidence Logging Guidelines
– Incident Response Status Report Summary
– Report Posting Matrix
– Phase Tracking Form
– Post-Mortem Report Example
– Sample Virus Communication Format
Appendices
• Appendices contain more fluid information that should be updated regularly.
These include:
– Terms and Definitions
– Post-Mortem Report Example
– Sample Virus Communication Format
– Incident Escalation Flowchart
– Business Contacts
– Data Owners and Custodians List
Reference
• The Reference Section contains reference information that may be useful to
members of the SIRT and the Triage Teams
• It provides more detailed information about specific threats and is available as
an educational tool to enhance the understanding of those participating in the
incident response process
Quick Reference Card
• Two Quick Reference Cards (QRC)
– SIRT – QRC
• The Quick Reference Card (QRC) is designed to assist the SIRT to quickly decide what Severity Level to assign to an incident
• Each level is described along with a brief description to assist in identifying the types of incidents
– Field – QRC
• The Field – QRC is designed to allow field operations (CSC Managers, etc.) to determine the type of incident and what response is appropriate
• This is limited to the four areas of information security (DoS, MalCode, IU, UA)
SIRP Disclaimer
• On the front cover of the SIRP
– Disclaimer: Throughout this Security Incident Response Plan (SIRP)
guidance, procedures and direction are given. At no time is it to be implied
or presumed that the guidance, procedures or direction are all
encompassing. Rather, this SIRP is a guide to handling information
security incidents, each of which is different in nature and scope. It is up
to the team of incident responders to fulfill their roles and to use their
judgment and knowledge as to the best response and actions to take for
that incident.
Actual Incident Direction
• If this is an actual incident, go DIRECTLY to the Forms and Checklists areas of this Plan for direction in dealing with the event
– Go to Page 3 of the SIRP
General Incident Escalation
• Appendix D: Incident Escalation Flowchart
– Go to Appendix D
• Here is a graphical representation of how an incident will be escalated and the
SIRT notified of an event
• Specific contact information for the Help Desk and the IS are provided
First Responder Form
• First Responder Form
– Go to the Forms Section, Form 1
• Form Instructions
– Instructions are provided as guidelines on using the Form
• Incident Classification
– Rather than providing a checklist the QRC is referenced
• The QRC is a Quick Reference Card on the LAST PAGE of the SIRP
SIRP Logging Guidelines
• General guidance on evidence logging
– Go to Forms, Form 2 – SIRP Logging Guidelines
• Specifics determined on a case-by-case basis by the SIRT Team Members
• Guidelines deal with:
– Collection Guidance
– Documentation Guidance
– Capturing and Preserving Documentation
Incident Handling
• In every incident there is a general guideline provided by the SIRP
– It is guidance and not a strict methodology
– Go to the Checklists Section, Checklist 2
Initial Incident Handling Flowchart
(Flowchart reconstructed as text from the diagram; DETECT phase, within 0-2 hrs)
1. Who reported the incident? Third-party reports enter from the 3rd Party Response Process (connector A); for other reporters, obtain relevant and detailed information from the reporting party(ies).
2. Is it a valid computer security incident? Analyze the symptoms reported, look for correlated information within the information obtained, and perform research on the symptoms reported.
– No: report the actions taken and the reasoning to the Help Desk, which updates the reported information and closes the trouble ticket after recording it in Form 3 (Incident Response Status Report Summary). End process.
– Yes: assess the incident severity level based on potential business impact.
3. Does it need to be escalated? If it fits the escalation criteria, escalate the incident to the SIRT Leader, indicating whether it includes PII and/or multiple business units; the "No" branch returns to the Help Desk reporting step above.
4. Does it involve PII?
– Yes, SB 1386 PII: contact TFS OOP (connector OOP to the PII Incident Response Procedure).
– Yes, TFS PII: contact TFS OoP after escalating to IT Security and invoke the PII Incident Response procedure (following the Checklists section). DO NOT CONTINUE WITH THE CHECKLIST. Record the Incident Report (Form 3).
– No: continue.
5. Notify affected BU Coordinators of the incident. Set up a conference call and contact all participants (SIRT Leader, TFS Help Desk, affected BU Coordinators) to discuss the incident.
6. Evaluate the analysis and initial incident severity; perform additional research if necessary; contact the TFS Help Desk to update the incident severity level (SIRT Leader).
7. Reconfirm the assets that have been affected and forecast the assets that might be affected (SIRT Leader, BU Coordinator). Re-check whether PII is involved; if so, hand off to OOP as in step 4 and do not continue with the checklist. Otherwise classify the incident based on the analysis and contact and assemble triage and support teams as necessary.
8. Track and report to the primary BU Coordinator ALL actions taken; ensure the Incident Report (Form 3) is updated constantly.
9. Complete the Contain, Notify and Recover phases by obtaining and following the appropriate incident category checklist, else follow the Generic Incident Checklist (Checklist 11). End process.
Legend: Process; Decision; Terminator; Report; Information Source/Group/Team; Connector to/from another process (A = connector from 3rd Party Response Process; OOP = connector to OOP for PII Incident Response Procedure); Page Connector.
Unauthorized Access Checklist
• Each ‘type’ of incident is provided an actionable checklist
– Go to the Checklists, Checklist 8
• Review the items captured in the Checklist
• Provides assistance during an incident
• Allows for SIRT and Triage Team to stay connected at a high level
– Go to the Unauthorized Access Flowcharts
• Immediately following Checklist 8
Post-Mortem Process
• Go to Checklist 12 – Incident Post-Mortem
– Steps that can be taken to complete a Post-Mortem of the incident
– Not all steps are appropriate for every incident
– A format example can be found in the Appendices
• See Appendix B, Post-Mortem Report Example
COLE EMERSON MBCP CPP
Director
Information Risk Management
KPMG LLP
Mr. Emerson, a Sacramento, California based Director specializing in Business Continuity Management, serves as the BCM Product Champion for the Western Region and is one of the national thought leaders for BCM within KPMG. Cole has over 29 years of experience in developing and evaluating many aspects of enterprise risk management, including Business Continuity, Crisis Management, Disaster Recovery, Data and Vital Records Management and Project Risk Management for national and international businesses and governments.
Background & Qualifications
Mr. Emerson received a Bachelor of Science in Business Administration from the University of Redlands and his Master Business Continuity Professional (MBCP) certification, one of fewer than 80 globally, from DRII. He is certified by the American Society for Industrial Security (ASIS) as a Board Certified Protection Professional. Prior to joining KPMG, Cole managed his own firm for 12 years, where he developed and implemented Business Continuity, Crisis Management, and Disaster Recovery programs for Fortune 500 companies. Mr. Emerson has extensive and unique experience utilizing business continuity plans and managing recovery teams in actual major disasters.
Contact details
Email: chemerson@kpmg.com
Office: 1-916-554-1777
Cell: 1-916-296-9747