CSIRP Accountability, Information Sharing, and Communications Planning

Transcript of CSIRP Accountability, Information Sharing, and Communications Planning

Page 1: CSIRP Accountability, Information Sharing, and Communications Planning

Page 2: End-to-End Process/Activity Accountability

All Processes and Activities
− Have inputs and create outputs
− Have suppliers responsible for the inputs
− Have customers/consumers that receive the outputs

Inputs and Outputs
− Have specifications: cost, timeliness, accuracy, etc.

Customers/Consumers
− Can be people, departments, other processes, decisions, and external organizations

If the output of a process/activity doesn't have a home, why does the process/activity exist?

Page 3: Two Process Management Concepts Combined: SIPOC and RACI

SIPOC – Supplier, Input, Process, Output, Customer
− Identifies and quantifies the inputs to and outputs from the process, along with who is responsible for delivery and who receives the deliverables

RACI – Responsible, Accountable, Consult, Inform
− Identifies the roles and responsibilities of those within the process

Page 4: Total Accountability Model Metrics

A metric is defined for each component and rolled up to total performance.

Examples of CSIRP measures:
o Dwell time includes: Detection, Review, Analyze, Identify, Notify
o Containment includes: Collect, Validate, React

Measures from the Mandiant white paper: Using Metrics to Mature Incident Response Capabilities
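The component-to-total rollup this slide describes, as an added example that is not part of the deck or of the Mandiant paper: each dwell-time and containment component is treated as a timestamped checkpoint, every component is measured on its own, and the components roll up into per-incident dwell, containment and total figures and then into a fleet-wide "total performance" view. The checkpoint convention, the ordering check and the sample timestamps are constructed assumptions.

```python
"""Added illustration of the slide's metric rollup (not from the deck or from
Mandiant): every measure component is a timestamped checkpoint, components are
measured individually, and they roll up into per-incident and fleet totals."""
from datetime import datetime, timedelta
from statistics import mean, median

# Component order taken from the slide's two measure groups.
DWELL_STEPS = ["detection", "review", "analyze", "identify", "notify"]
CONTAINMENT_STEPS = ["collect", "validate", "react"]
ALL_STEPS = DWELL_STEPS + CONTAINMENT_STEPS

def component_durations(checkpoints):
    """Seconds spent in each component. `checkpoints` maps a step to the time
    it completed; a step's duration runs from the previous completion (the
    first step from 'start'). Assumes steps complete in the slide's order."""
    prev, out = checkpoints["start"], {}
    for step in ALL_STEPS:
        cur = checkpoints[step]
        if cur < prev:  # out-of-order clocks would silently corrupt the rollup
            raise ValueError(f"{step} completed before its predecessor")
        out[step] = (cur - prev).total_seconds()
        prev = cur
    return out

def rollup(checkpoints):
    """Roll component durations up into dwell, containment, and a total."""
    d = component_durations(checkpoints)
    dwell = sum(d[s] for s in DWELL_STEPS)
    containment = sum(d[s] for s in CONTAINMENT_STEPS)
    return {"components": d, "dwell": dwell,
            "containment": containment, "total": dwell + containment}

def fleet_rollup(incidents):
    """Aggregate many incidents into the 'total performance' view."""
    rows = [rollup(c) for c in incidents]
    return {m: {"mean": mean(r[m] for r in rows),
                "median": median(r[m] for r in rows),
                "max": max(r[m] for r in rows)}
            for m in ("dwell", "containment", "total")}

def _incident(*minutes):
    """Constructed incident: completion times of 'start' and each step, in
    minutes after a fixed reference point (sample data, not real)."""
    t0 = datetime(2024, 1, 1)
    return {k: t0 + timedelta(minutes=m) for k, m in zip(["start"] + ALL_STEPS, minutes)}

SAMPLE_INCIDENTS = [
    _incident(0, 30, 45, 90, 100, 110, 140, 170, 200),
    _incident(0, 10, 20, 50, 60, 65, 95, 100, 130),
]
```

Because each component is kept separately, a long total can be traced to the one step (and, through the RACI assignment, the one owner) that produced it rather than being averaged away.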

Page 5: Activity/Process – Obtain, Implement, and Maintain the Cyber Security Insurance Policy

Accountable: Finance/Risk Management Officer

Page 6: Activity/Process – Communicate the Cyber Security Insurance Policy

Finance/Risk Officer
− Cyber Liability Policy Requirements/Checklist
− Insurance Broker Notification Requirements
− Coverage Allocation
  − What's covered
  − Who provides services
  − Fines and penalties
  − Internal response resource costs
    − Personnel
    − Resources
  − External response resource costs

Page 7: Finance/Risk Management

Cyber Insurance Plan
− Cyber Liability Policy Requirements/Checklist
− Insurance Broker Notification Requirements
− Coverage Allocation
  − What's covered
  − Who provides services
  − Fines and penalties
  − Internal response resource costs
    − Personnel
    − Resources
  − External response resource costs

Page 8: Technical

Information Technology/IT Security
− Identify and analyze
− Contain, eradicate, and recover
− Lessons learned (lessons learned applies to all facets, to improve both prevention and reaction)
− Root cause analysis

Page 9: Business Contingency Planning

All Departments – Management
− Operations, Finance, Sales, etc.

Operational Continuity With Degraded Resources
− Internal and external capabilities

Page 10: Legal Department

Competent Cyber Incident Response Knowledge

Coordinate and Execute Cyber Insurance Policy Notification Requirements
− Regulatory
− Industry

Business Implications
− Contractual Obligations
− Service Levels

Law Enforcement – Crime Resolution

Page 11: Corporate Communications

Internal
− Stakeholders
− Operational service impacts
− Management
− Employees

External
− Victims
  − Consumers
  − Business Partners
  − Vendors
− Community/Market
− Media

Page 12: Human Resources

Employee Victim Services
− Internal
  − Employees
  − Management

Page 13: Customer Service

Victim Services
− Internal
  − Employees
  − Management
− External
  − Clients
  − Business Partners

Page 14: CSIRP Process Resource Center for the NIST SP 800-61 R2 Incident Response Lifecycle

− Widely referenced incident response lifecycle
− Extensive availability of supportive, authoritative, referenceable sources

Page 15: NIST SP 800-61 R2 Community CSIRP Process Resource Center Home Page

Page 16: Mobilized Web-Based Computer Security Incident Response Plan

− Visually intuitive navigation
− Centralized access to supporting resources
  − NIST SP 800-53, 83, 83r2, 84, 184, 86, SANS, CERT, US-CERT & ICS-CERT, ISAC, MITRE, specific vendor best practices, and more
  − Each phase contains relevant, intuitive workflows, supporting reference material where it applies within the process, and end-to-end accountability
  − The reference center provides additional resources such as threat playbooks and links to sites that provide malware remediation assistance

Page 17: Home Page of CSIRP Process Resource Center – Expanded Intent & Key Definitions

Page 18: CSIRP Home Page Linked Document – CSIRP Web Framework Overview

Page 19: CSIRP 1.0 Preparation

Preparation is about:
− Establishing and training the incident response team
− Proactively planning specific responses for the likely attacks the organization may face
− Acquiring the necessary incident response tools and resources
− Preparing the team to react effectively within minutes to unfamiliar attacks
− Testing plans and preparedness
− Continuously improving the incident response posture with lessons learned, industry updates, and reconnaissance

Page 20: 1.1 Create Computer Security Incident Response Team (CSIRT) Charter

CSIRT Charter
− Establishes written management commitment to the CSIRP
− Defines goals, scope, levels of authority, roles, and responsibilities

Page 21: Step 1.4 – Create Response Plans for Incident Types Defined in Step 1.2, the Compliance & Threat Requirements Library

Page 22: CSIRP 2.0 Monitor, Detection, & Analysis

Monitor, Detection, & Analysis:
− The Monitor function was added to Detection and Analysis
− Monitor, Detection, & Analysis is about recognizing, receiving, analyzing, and classifying all cybersecurity events and determining which are actual incidents vs. security or maintenance events
− Prioritizing the handling of incidents
− Event escalation path alternatives

Page 23: 2.1 Monitor and Detection

Page 24: Workflow Screens Have Multiple Components

Total Accountability Bar
− Combines two process management concepts: SIPOC and RACI
− Identifies and assigns ownership to all aspects of the process
− Is also where the tangibles of the process are defined, largely in measurable terms; it helps define what success looks like

Illustrates the workflow as designed for that particular portion of the process

Contains additional links to documents that are SOPs and work instructions
− Can link to specific locations within automated application workflows

Page 25: End-to-End Accountability & Performance Metrics – Total Accountability Model

Page 26: Total Accountability Model – Combines SIPOC with RACI & Identifies Tangible Metrics

Page 27: Total Accountability Integrated in All Workflows

Page 28: Fingertip Access to SOPs and Work Instructions When Required in the Process

Page 29: 2.1 Monitor and Detection

Page 30: 2.2 Analysis

Page 31: Fingertip Access to SOPs and Best Practices When Logically Required in the Plan

Page 32: CSIRP 3.0 Containment, Eradication, & Recovery

Containment, Eradication, & Recovery is about:
− Isolating the attacked system(s)
− Quickly and effectively determining the appropriate containment method
− Stopping the damage to the infected host(s)
− Tracking down other system infections and remedying them
− Ensuring the attack is fully remedied
− Bringing functionality back to normal
− Monitoring to ensure there are no lingering components of the attack

Page 33: 3.1 Containment, Eradication, & Recovery

Page 34: CSIRP 4.0 Post-Incident Activity

Post-Incident Activity is about:
− Conducting robust assessments of lessons learned
− Ensuring the appropriate actions are taken to prevent recurrence of the vulnerability exploit
− Conducting forensics to aid understanding, to remedy the vulnerability and the exploit, and to support possible legal actions

Page 35: 4.0 Post-Incident Activities

Page 36: 4.0 Post-Incident Activities

Page 37: CSIRP Information Center

Page 38: Library Contains Integrated Full Documents for Regulatory and Audit Requirements

Page 39: CSIRP Management Contacts

Page 40: Designed to Adapt to Desktops, Laptops, Tablets, and Mobile Phones

Page 41: Can Be Configured to Any Compliance Standard

Page 42: Services and Contact Information

Contact: Henry Draughon, Process Delivery Systems, (972) 980-9041, [email protected], www.processdeliverysystems.com

Process Center Development
• Domain Content Research and Development: Policies, Guidelines, and Standards; Domain Best Practices from Referenceable, Authoritative Sources
• Definitions and Visualization of Total Accountability; SIPOC/RACI
• Key Performance Measure Development
• End-to-End Process Maps Segmented by Logical Groups, Links to External Resources
• Applications, Forms, and Document Libraries, Resource Directories, Glossaries
• Process Governance and Policy Development

Manage the Forest and the Trees

Bridging the Gap Between Operations and Strategy

Watch the video: https://www.youtube.com/watch?v=nEW2LrC3-VE