Top Considerations for Incident Response
- Dale Bell
- 8 years ago
INTRODUCTION

Incident response is a key part of any comprehensive security plan. However, many firms are not even sure where to begin to create an incident response process. While LegalSec will be producing templates for an incident response plan document in the near future, this document provides a high-level overview to get you started on preparing for incident response at your firm.

TAKE STOCK OF YOUR DOCUMENTS

Proper documentation, and access to that documentation during an incident response, is crucial to proper and effective handling of an incident. Ultimately, the documentation gathered is going to act as the run book or action plan for how the firm responds during an emergency. When possible, add any and all documentation available and identify areas with deficient records. It is better to have the documentation and never need it than to need it and never have it. An incident response plan may span the length of several careers, and it is important that the knowledge necessary to handle an incident is retained within the firm.

What do you want documented? A good starting place is Information Security Management System documentation (Policies/Standards/Procedures), the Incident Response Plan, contact lists (internal and external, including key vendors), logins and passwords for key systems, business continuity plans, network diagrams, and any data maps that identify where the most sensitive information is located.

HAVE A PROCESS FOR DETECTING AN INCIDENT

As part of a comprehensive incident response process, it is important to identify the indicators for detecting an incident. Retain important log files for a sufficient amount of time to facilitate any investigation, and make sure your firm's retention schedules accurately reflect the appropriate retention time. Some top potential indicators of an incident are as follows:

1) User reports of suspicious activity, such as clicking on a phishing link or lost/stolen media or devices.
2) Web server log entries that indicate the use of a vulnerability scanner. Examples of this and other Windows log entries can be found at the NSA site.
3) Antivirus software alerts detecting that a host is infected with malware.
4) A network administrator noticing unusual network traffic flow.
5) An administrator noticing a large number of bounced messages with suspicious content.
6) An application logging multiple failed login attempts from an unfamiliar remote system.
7) A host's audit log recording a change in its configuration.
8) A threatened attack upon the firm from a hacktivist or similar group.
9) An announcement of an exploit targeting known vulnerabilities of the firm's mail server.
10) A network intrusion detection sensor alerting on a buffer overflow attempt against a database server.
11) A system administrator observing a filename with unusual characters.
12) Abnormal activity within the Document Management System.

Employees should be trained, as part of security awareness, to report all suspicious activities. (See Information Sharing and Education below.)

FORM AN INCIDENT RESPONSE TEAM

Good incident response requires the identification and training of first responders who can form an incident response team. Members of this team will be responsible for classifying an incident, investigating and mitigating an incident, and reporting status as appropriate. When considering members of this team, consider:

1. Internal technical resources such as subject matter experts and top technical people from areas such as networking, desktop, server setup or other areas.
2. Vendors and other external resources that add skills your firm may not have on staff, such as forensic analysis.
3. Public Relations personnel, for both internal and external communications.
4. An official records keeper.
5. Risk Management / General Counsel / Privacy Attorney.
6. A team leader.

Each team member should know his/her role, even though the roles of the team may vary based on the classification of the incident.

Part of forming a team includes identifying a clear chain of command. That chain of command should answer questions such as:

1. Who is authorized to mobilize the incident response team?
2. Who is operationally in charge of the team during an incident? Avoid too many chiefs.
3. Who in firm leadership should be notified (CIO, Information Security Office, Managing Partner, the firm's General Counsel, Compliance Officers), and who are their backups in case those people are unavailable?

As you form a team, consider that some incidents can be resolved very quickly, but some responses may take days or weeks. As a part of the communication role, it should be noted who will be briefing which groups (Executive Committees/Chair/General Counsel/etc.) and what the maximum time between briefings is. Once the team is formed, the firm will want to train them on the firm's incident response plan.

HAVE A DOCUMENTED INCIDENT RESPONSE PLAN

Firms require a documented incident response plan for when (not if) the firm must respond to an incident. There are many example documents available (see the reference section at the end of this paper), and LegalSec will be providing templates designed for law firms in the near future. However you start, you should tailor the plan so that it is actionable by your firm. Starting with standards such as the ISO series is a good start. However, firms make a mistake if the incident response plan is an aspirational document that follows best practices that the firm cannot follow. Any auditor, whether a third party, a client or an ISO 27001 certification body, will check to ensure that your incident response plan matches your standard practices. Another tip: a well-written incident response plan should be written with sufficient detail and clarity that a junior member of the incident response team could execute the plan as written.

All firms have different levels of skill, and there are many detailed and nuanced approaches available for creating an incident response plan. However, at minimum, the incident response plan should cover Roles and Responsibilities, Investigation, Triage and Mitigation, Recovery, and Documentation.

ROLES AND RESPONSIBILITIES

The incident response plan should identify the members of the response team and what their roles will be for a given incident. (See the Form an Incident Response Team section above for details.)

INVESTIGATION

Initially, the firm's incident response team will classify an event. Not all events rise to the level of a potential incident. The incident response plan should accommodate responses to multiple types and classifications of incidents (e.g. physical theft, hacking, lost device). The investigation step may require the firm to engage external resources, so these relationships should be set up in advance of any incident and documented in the plan. This section should then cover the investigation approach for each incident type, including what to look for, who to involve, and how to document what is found.

TRIAGE AND MITIGATION

The triage and mitigation steps are the natural extension of the investigation step. As the team identifies potential exposure, they should plan and execute effective mitigation. For many incidents, the plan should include the incident type and steps for mitigation. For some incidents, the response may require more complicated and coordinated actions to remove attackers from your environment, and some firms may not have the expertise or experience to document all steps. Each type of incident should include details for vendors who may need to respond, such as an ISP during a Denial of Service attack, or a forensics firm to mitigate a complex Advanced Persistent Threat.

RECOVERY

The recovery step is the transition from active incident to standard monitoring. The plan should document the steps for transition given the particulars of the firm's environment and approach. For example, when returning a compromised machine to production, is it acceptable to clean infection residue, or should the machine be wiped clean, formatted and rebuilt from known good media?

DOCUMENTATION

The incident response plan should provide instructions on the final form of the incident documentation, how long it should be retained, and who should be involved. Considerations include regulatory requirements and guidance from your firm's General Counsel and/or Privacy Attorney.
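Two of the indicators listed under HAVE A PROCESS FOR DETECTING AN INCIDENT (web server log entries that suggest a vulnerability scanner, and an application logging repeated failed logins from an unfamiliar remote system) can be turned into simple checks run over retained logs. The Python script below is an added example and is not part of the original LegalSec document; the log lines are constructed, and the scanner user-agent markers, the "familiar" address ranges and the thresholds are assumptions a firm would replace with its own values.

```python
"""Log checks for two of the incident indicators named on the page: web server
entries that suggest a vulnerability scanner, and repeated failed logins from
an unfamiliar remote system. Log lines below are constructed for this example;
scanner markers, familiar networks and thresholds are assumptions to tune."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" access log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# sshd failure line as written to an auth log.
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed: user-agent substrings of widely used scanners (extend per firm).
SCANNER_MARKERS = ("nikto", "sqlmap", "nessus", "nmap", "masscan")
# Assumed: address ranges the firm treats as familiar (offices, VPN pool).
FAMILIAR_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]


def is_familiar(ip: str) -> bool:
    """True if the address falls inside one of the firm's own ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:  # hostnames or garbage never count as familiar
        return False
    return any(addr in net for net in FAMILIAR_NETS)


def parse_access_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_scanner_activity(lines, not_found_threshold=5):
    """Map client IP -> reasons for clients that behave like a vulnerability
    scanner: a known scanner user-agent, or a burst of 404s from path probing."""
    reasons = defaultdict(set)
    not_found = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not treated as evidence
        if any(marker in rec["ua"].lower() for marker in SCANNER_MARKERS):
            reasons[rec["ip"]].add("scanner user-agent: " + rec["ua"])
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    for ip, count in not_found.items():
        if count >= not_found_threshold:
            reasons[ip].add(f"{count} responses with status 404")
    return {ip: sorted(r) for ip, r in reasons.items()}


def detect_unfamiliar_failed_logins(lines, threshold=3):
    """Map remote IP -> failure count for systems outside FAMILIAR_NETS that
    reach the threshold. Failures from familiar hosts are left to normal
    help-desk handling rather than raised as an indicator."""
    failures = Counter()
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m and not is_familiar(m.group("ip")):
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Constructed sample logs (documentation address ranges, not real traffic).
ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2016:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
] + [
    f'192.0.2.44 - - [10/Mar/2016:10:01:0{i} +0000] "GET /probe{i} HTTP/1.1" 404 0 "-" "Mozilla/5.0"'
    for i in range(5)
]
AUTH_LOG = [
    "Mar 10 10:05:01 mail sshd[2211]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2",
    "Mar 10 10:05:03 mail sshd[2211]: Failed password for invalid user admin from 198.51.100.9 port 40123 ssh2",
    "Mar 10 10:05:05 mail sshd[2211]: Failed password for root from 198.51.100.9 port 40124 ssh2",
    "Mar 10 10:06:00 mail sshd[2230]: Failed password for alice from 10.1.2.3 port 50001 ssh2",
    "Mar 10 10:06:02 mail sshd[2230]: Failed password for alice from 10.1.2.3 port 50002 ssh2",
    "Mar 10 10:06:04 mail sshd[2230]: Failed password for alice from 10.1.2.3 port 50003 ssh2",
    "Mar 10 10:06:06 mail sshd[2230]: Accepted password for alice from 10.1.2.3 port 50004 ssh2",
]

if __name__ == "__main__":
    for ip, why in detect_scanner_activity(ACCESS_LOG).items():
        print("scanner indicator:", ip, why)
    for ip, n in detect_unfamiliar_failed_logins(AUTH_LOG).items():
        print("failed-login indicator:", ip, n, "failures")
```

The two checks only work if the logs are still there when the team needs them, which is why the retention point in the same section matters: a retention schedule shorter than the typical time between compromise and discovery leaves the team with nothing to investigate. Output from checks like these should feed the same reporting path as user reports (Service Desk or security hotline) so the incident response team, not the script, classifies what was found.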
OTHER AREAS TO CONSIDER

A comprehensive incident response plan will also address post-incident reviews for lessons learned, guidance on information sharing, the plan for communicating with internal users, clients and members of the media as necessary, and the process for gathering and reporting on incident metrics to measure incident cost and continuous improvement. Last but not least, the incident response plan should address the education requirements both for the team and for the firm's users, who might play a key role in detecting an incident.

INFORMATION SHARING AND EDUCATION

All computer users should receive training on what a security incident is and how to report any suspected security incidents, so that members of the incident response team can properly investigate, classify and, if necessary, mitigate and escalate. Training on what constitutes an incident should include a range of scenarios, from a suspected malware infection, to a lost mobile device, to concern about an insider threat. These items can be reported to the Service Desk, a Security Team Hotline, or in an automated fashion, but the reporting mechanism should be available at all times.

The firm should have already defined an incident response team and incident response plan (see sections above). Members of that team will classify reported potential incidents, and the firm should have a defined reporting and escalation procedure based on the classification. The following are considerations to follow in classifying an incident:

1. The operational impact and value of the data at risk.
2. The type of incident, based on the specifics of the reported incident.
3. The type (or suspected type) of perpetrator(s), whether known or unknown.
4. The geographic scope of the impact.
   a. Is the impact confined to a single user or a few users?
   b. Is the impact confined to an entire office?
   c. Is the impact confined to the Data Center(s)?
   d. Is the impact to the entire firm?

Based on how a potential incident is classified, different people in the firm, or outside of the firm, may need to be notified or play a role in the response. The escalation procedures should include plans for communicating with internal users, engaging law enforcement, involving strategic vendors such as forensic personnel, and a plan for communicating with clients and the media. Firms should involve the General Counsel's office (or equivalent) when building reporting and escalation procedures to ensure that factors such as regulatory obligations, contractual obligations, and insurance obligations are properly considered as the incident investigation proceeds.

All team members should be trained in a common lexicon to ensure prompt and clear communication during an incident response. Each incident response team member should be trained on the various roles within the team, and should understand what role or roles they should perform for a given incident. Finally, the team should regularly practice incident handling, which includes practicing classification of the potential incident, utilizing the documentation collected, reporting status to various members of the team during the investigation, updating leadership, keeping records and, of course, practicing mitigation techniques. These exercises and actual experience will provide insight into potential process improvements.
CONTINUALLY IMPROVE YOUR PROCESSES

While the completion of an incident response plan is a major accomplishment, it is likely that, upon completion, it is already out of date. Unfortunately, the threat landscape changes so rapidly that the plan will be a continually evolving document. Below are three ways to improve the firm's incident response processes and keep the plan nimble and ready to meet the challenges of an evolving future.

DEFINE AND PRACTICE DRILLS

Once the firm's plan is in place, run through part or all of it as a table-top exercise. Gather the various stakeholders and talk through different scenarios and how the group would react. Document the results of these exercises and incorporate the findings into your plan. As new people join the firm's incident response team, make sure they understand how important these mock drills are.

Another way to practice the firm's plan is to do a live test. This test can range from something as simple as dropping a thumb drive on the floor of the office and seeing what happens, to simulating a data breach or phishing attack. The goal here is not to scare peers into submission or shame them about what they may have done wrong, but rather to illustrate how your plan works, or does not work, when put to real-world tests.

CONDUCT A POST MORTEM

After any drill, the most important piece is the post mortem. Adding lessons learned, both positive and negative, to your firm's plan is essential to keeping it current and relevant to your firm's office environment. Keeping versions of the plan after every drill will help track the evolution of the plan, and which previous lessons learned were integrated successfully and which need to be revisited. Acting on lessons learned, as well as integrating the things you uncover in your drills or real incident responses, will make the plan more flexible and applicable to real-life incidents.

SHARE INFORMATION ABOUT THREATS WITH OUTSIDE PARTIES

No one knows everything, and the larger one can make one's tent with regard to incident response, the better the outcome will be. To this end, bring peers in on your discussions and share parts of your plan with key vendors and other trusted advisors. If you have not already, subscribe to the ILTA LegalSec peer group. Consider joining InfraGard or other information sharing organizations. Finally, if your clients are members of an industry-specific ISAC (Information Sharing and Analysis Center), ask them if you can get in the loop to receive and share information as appropriate. Bring firm management into the fold by briefing them on drills and giving them after-action reports on actual incidents. These reports should include the General Counsel, but also reach the highest level of management.

CONCLUSION

This document should provide a starting point for firms looking for a place to start. Look for further resources from ILTA LegalSec in the near future.
REFERENCES

NIST SP R2, Computer Security Incident Handling Guide
ISO (Note: you must pay for this document)
Simple IR plan from Proactive Risk
ILTA LegalSec
UC Computer Emergency Response Team page
Financial Services Industry Information Sharing and Analysis Center
ACKNOWLEDGEMENTS

This document was assembled for ILTA LegalSec with contributions from the following:

Team Member - Organization
Tom Brennan - Proactive Risk
Mark Brophy - Keno Kozie
Brian Donato - Vorys, Sater, Seymour and Pease LLP
Gerard F. Haubrich - Drinker Biddle
Patrick Kohnle - Lockpath
Joel Lytle - Jackson Walker
Will Pulsifer - Smith Debnam
John Verry - Pivot Point Security
Phil Townsend - Wyche
Wei Tschang - Fried, Frank, Harris, Shriver & Jacobson LLP
Phil Waterbury - McDermott Will & Emery

Document History (Date / Name / Changes): First Draft
Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations
More informationBest Practices: Reducing the Risks of Corporate Account Takeovers
Best Practices: Reducing the Risks of Corporate Account Takeovers California Department of Financial Institutions September 2012 INTRODUCTION A state led cooperative effort, including the United States
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationComputer Security Incident Reporting and Response Policy
SECTION: 3.8 SUBJECT: Computer Security Incident Reporting and Response Policy AUTHORITY: Executive Director; Chapter 282.318, Florida Statutes - Security of Data and Information Technology Resources;
More informationWho Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationA Database Security Management White Paper: Securing the Information Business Relies On. November 2004
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationDiscussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The
More informationUBC Incident Response Plan
UBC Incident Response Plan Contents 1. Rationale... 1 2. Objective... 1 3. Application... 1 4. Definitions... 1 4.1 Types of Incidents... 1 4.2 Incident Severity... 2 4.3 Information Security Unit... 2
More informationComputer Security Incident Response Team
Computer Security Incident Response Team Operational Standards The University of Scranton Information Security Office August 2014 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0
More informationdefending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
More informationINFORMATION SECURITY INCIDENT MANAGEMENT PROCESS
INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS Effective Date June 9, 2014 INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS OF THE HELLER SCHOOL FOR SOCIAL POLICY AND MANAGEMENT Table of Contents 1.
More informationSecurity Policy for External Customers
1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationBoston University Security Awareness. What you need to know to keep information safe and secure
What you need to know to keep information safe and secure Introduction Welcome to Boston University s Security Awareness training. Depending on your reading speed, this presentation will take approximately
More informationCyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services
Cyber Risk Mitigation via Security Monitoring Enhanced by Managed Services Focus: Up to But Not Including Corporate and 3 rd Party Networks Level 4 Corporate and 3 rd Party/Vendor/Contractor/Maintenance
More informationCisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
More information16) INFORMATION SECURITY INCIDENT MANAGEMENT
Ing. Ondřej Ševeček GOPAS a.s. MCM: Directory Services MVP: Enterprise Security CHFI: Computer Hacking Forensic Investigator CISA CEH: Certified Ethical Hacker ondrej@sevecek.com www.sevecek.com 16) INFORMATION
More informationCYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS
CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become
More informationHow To Secure An Extended Enterprise
Data Security Initiatives The Layered Approach Melissa Perisce Regional Director, Global Services, South Asia April 25, 2010 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Intel Case Study Asia North
More informationExecutive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6
Securing the State Of Michigan Information Technology Resources Table of Contents Executive Overview...4 Importance to Citizens, Businesses and Government...5 Emergency Management and Preparedness...6
More informationFROM INBOX TO ACTION EMAIL AND THREAT INTELLIGENCE:
WHITE PAPER EMAIL AND THREAT INTELLIGENCE: FROM INBOX TO ACTION There is danger in your email box. You know it, and so does everyone else. The term phishing is now part of our daily lexicon, and even if
More informationAudit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland
Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of
More informationU.S. SECURITIES & EXCHANGE COMMISSION
PBX and Analog Lines Security Assessment U.S. SECURITIES & EXCHANGE COMMISSION March 31, 2000 Prepared by Deloitte & Touche LLP Enterprise Risk Services - 1 - 1 Executive Summary 1.1 Overview Deloitte
More informationSTATE OF ARIZONA Department of Revenue
STATE OF ARIZONA Department of Revenue Douglas A. Ducey Governor September 25, 2015 David Raber Director Debra K. Davenport, CPA Auditor General Office of the Auditor General 2910 North 44 th Street, Suite
More informationLogRhythm and NERC CIP Compliance
LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationPractice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited
Practice Good Enterprise Security Management Presented by Laurence CHAN, MTR Corporation Limited About Me Manager Information Security o o o o Policy formulation and governance Incident response Incident
More informationState of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop Small Agency Threat and Vulnerability Management Policy May 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationBest Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP
Best Practices in Incident Response SF ISACA April 1 st 2009 Kieran Norton, Senior Manager Deloitte & Touch LLP Current Landscape What Large scale breaches and losses involving credit card data and PII
More informationIncident Response. Proactive Incident Management. Sean Curran Director
Incident Response Proactive Incident Management Sean Curran Director Agenda Incident Response Overview 3 Drivers for Incident Response 5 Incident Response Approach 11 Proactive Incident Response 17 2 2013
More informationProtecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!
We protect your most sensitive information from insider threats. Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes! VARONIS SYSTEMS About Me Dietrich
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More information