INCIDENT RESPONSE CHECKLIST



Similar documents
Client Security Risk Assessment Questionnaire

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

University of Pittsburgh Security Assessment Questionnaire (v1.5)

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Critical Controls for Cyber Security.

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

Attachment A. Identification of Risks/Cybersecurity Governance

Supplier Information Security Addendum for GE Restricted Data

The Protection Mission a constant endeavor

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Vendor Audit Questionnaire

Standard: Information Security Incident Management

Cisco Advanced Services for Network Security

Global Partner Management Notice

H.I.P.A.A. Compliance Made Easy Products and Services

Network/Cyber Security

IT Security Standard: Computing Devices

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

LogRhythm and PCI Compliance

External Supplier Control Requirements

Payment Card Industry Data Security Standard

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

HIPAA Security Alert

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

2012 Risk Assessment Workshop

74% 96 Action Items. Compliance

Ovation Security Center Data Sheet

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

plantemoran.com What School Personnel Administrators Need to know

Music Recording Studio Security Program Security Assessment Version 1.1

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Automate PCI Compliance Monitoring, Investigation & Reporting

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Policies and Procedures

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Network Security Policy

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Supplier Security Assessment Questionnaire

KEY STEPS FOLLOWING A DATA BREACH

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Payment Card Industry Self-Assessment Questionnaire

SANS Top 20 Critical Controls for Effective Cyber Defense

OCIE CYBERSECURITY INITIATIVE

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

FISMA / NIST REVISION 3 COMPLIANCE

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Network Security: A Practical Approach. Jan L. Harrington

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Session 334 Incident Management. Jeff Roth, CISA, CGEIT, CISSP

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Data Security Incident Response Plan. [Insert Organization Name]

Security Management. Keeping the IT Security Administrator Busy

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Network Security Policy

HIPAA RISK ASSESSMENT

PCI Requirements Coverage Summary Table

Security from a customer s perspective. Halogen s approach to security

Vendor Risk Assessment Questionnaire

GFI White Paper PCI-DSS compliance and GFI Software products

STATE OF NEW JERSEY Security Controls Assessment Checklist

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

Guideline on Auditing and Log Management

Security Policy for External Customers

Did you know your security solution can help with PCI compliance too?

PCI Compliance for Cloud Applications

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Use of The Information Services Active Directory Service (AD) Code of Practice

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Section 12 MUST BE COMPLETED BY: 4/22

GE Measurement & Control. Cyber Security for NEI 08-09

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Operationalizing Information Security: Top 10 SIEM Implementer s Checklist

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Network and Security Controls

Remote Services. Managing Open Systems with Remote Services

Department of Information Technology Active Directory Audit Final Report. August promoting efficient & effective local government

Miami University. Payment Card Data Security Policy

Network Security Administrator

The Cloud App Visibility Blindspot

Chapter 1 The Principles of Auditing 1

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

External Supplier Control Requirements

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO / HIPAA / SOX / CobiT / FIPS 199 Compliant

Transcription:

INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged to use these questions to: 1. Gather initial information for use by Kivu Consulting, Inc. s experts during the subsequent investigation; 2. Identify the key stake-holders within the client organization and determine the specific roles for which they are responsible; 3. Commence the gathering and preservation of evidence. This checklist is not exhaustive and should be tailored for the specific elements of the client s environment, using input from Kivu Consulting, Inc. This checklist is designed for informational purposes only and is not intended to be legal advice. No portion of this document may be reproduced, reused or otherwise distributed in any form without prior written consent of Kivu Consulting, Inc. KIVU CONSULTING, Inc. 44 Montgomery Street, Suite 700 San Francisco, CA 94104 Tel: (415) 524-7320 Fax: (415) 524-7325 www.kivuconsulting.com Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 1

Kivu Incident Response Questionnaire 1. Investigate Incident Scope and Impact Questions/requests to be addressed to IT/ HR/ Legal point-person(s). 1. What has been observed that lead to contacting Kivu Consulting? o Missing/ stolen computer o Internal finding of possible data breach o External report of possible data breach o Whistle-blower/ rumor 2. How were any problems or issues first detected? o IT IDS/ audit o External audit o Third party 3. When was the incident detected and by whom? (Build a timeline of events and list individuals involved.) Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 2

4. Who is aware of the incident within organization? o Senior management o Legal o IT o HR o Security 5. Which outside organization(s) are aware of incident? o Outside counsel o Third-party vendor o Law enforcement o Regulators o PR firm 6. Are there any requirements limiting the work to be performed by specific citizenship? 7. Which data sources were targeted and/ or affected by the incident? o Patient/ customer data o Employee data Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 3

8. What other recent security incidents occurred in the affected environment or organization? o Theft/ break-in o Employee misconduct o Issues with logs o Virus/malware/root kit detected 9. Is there any history of similar situations or patterns? If so, what? a. What changes were made to the affected systems or security controls? 10. Who is the primary incident response coordinator? Backup coordinator? 11. Who is authorized to make business decisions about affected operations and IT infrastructure? a. Who is the ultimate decision-maker for this incident? 12. What are the leading hypotheses for how the initial compromise transpired? 13. Are you aware of any compliance or legal obligations associated with this incident (e.g., PCI, HIPAA, breach notification laws, etc.)? a. Which stakeholders are responsible for in-house compliance, privacy or legal issues? 14. Where is evidence being preserved? Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 4

15. What is the current phase of the incident? (Select all that apply.) o Identification o Containment o Eradication o Recovery 16. Does the incident involve an outsourced party? o Business partner o Outsourced services o Alliances Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 5

2. Preliminary Review of Incident by Organization Questions/requests to be addressed to IT/ HR/ Legal point-person(s). 1. Who within the organization has been tasked with preserving evidence? (This includes affected workstations, hard drives, network logs, network backups, CCTV video, physical access logs, and cell phones.) 2. What evaluations were completed to define the scope and impact of the incident? o IT o HR/ Legal o Security 3. What steps were taken to contain and mitigate the incident? (This includes, but is not limited to, retaining suspect computers, changing passwords, turning off remote access, acquiring log files, disconnecting infected systems from network, suspending employee access or group privileges.) 4. What tools were deployed or system commands executed within the affected environment and on affected systems as part of the initial investigation? Is there supporting documentation? 5. What logs were reviewed? If reviewed, what were the suspicious entries? What other unusual event or state information exists? 6. What notifications were sent by the infrastructure systems? (This may include unusual login access, exceeding monetary thresholds, file download alerts, intrusion detection, anti-virus, etc.) Who received notifications? 7. Are there unanswered questions about the incident or conflicting information? 8. What other analysis may be required? 9. Is law enforcement involved? Is there a search warrant/ subpoena? Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 6

3. Technical Assessment to Determine Scope and Impact Questions/requests to be addressed to IT/IS point-person(s). A. Infrastructure 1. Which persons within the organization can identify how the IT network functions? Specifically: o Firewalls, DMZ, Gateways, Access points o Network domains, Proxy, Domain controllers o Remote access and VPN o Intrusion Detection (ID) systems, Intrusion Prevention (IP) systems, SIEM o Anti-virus/ malware defenses (internal and on perimeter) o Network quarantine systems o Data storage o E-mail systems o ERP systems and any proprietary or specialty applications o Data leakage protection (DLP) 2. Is there a diagram or illustration of the affected network s topology and system architecture? Is there supporting documentation? 3. What are the physical locations of all affected IT infrastructure? (There may be multiple individuals and locations involved. Employee home-offices and personal computers may also be involved.) 4. Is any of the organization s IT infrastructure hosted by third-parties? (Create a list.) 5. What are the network restrictions for employee-users and other parties who had access? Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 7

6. What asset management and discovery tools are in use? 7. Is there an IT asset inventory report for all infrastructure components related to the incident? (If none in use, is there a current inventory of IT assets related to the incident? The report should contain hard and software information such as MAC Address and OS, network identification information such as host name and network address, and other system details.) 8. Identify where key employees in IT, HR, Legal and Security will be during the next 7-14 days. (User activity may need monitoring.) 9. Task IT with identifying (and providing to Kivu Consulting, Inc.) names/ details concerning: o Internet or hosted service providers o Internal IP ranges and external facing IP ranges o Naming conventions for organization s networked computers/ servers B. Logging 1. What logs currently exist for the IT infrastructure? Which logs are currently running and active? Have any logging activity started after the event? Logging can include: a. Network i. Firewall ii. iii. iv. Routers Wireless Access Points Domain Controller v. Anti-Virus updates and issues Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 8

a. Network (continued) vi. ID and/or IP systems (IDPS) vii. Vulnerability management viii. Network quarantine servers ix. Network appliances x. File Servers (e.g. internal access of data) xi. Backups xii. Remote access to network xiii. Internet Access / Database xiv. Web proxies xv. Printers b. Physical i. Automated building entry/ exit systems ii. iii. iv. Sign-in sheets Video surveillance Lists of key assignments or room access 2. What is the retention policy for security logs? 3. Are logs backed up or overwritten? If so, what frequency? Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 9

C. Security 1. When was the last security or vulnerability assessment conducted? If so, is there documentation available? 2. What security, IDS/IPS, vulnerability or network quarantine infrastructure components exist in the affected IT infrastructure? (This includes firewall hardware and software, user authentication systems, IDS/IPS systems, etc.) 3. Is there a network diagram or documentation that defines security component topology and architecture? (This includes perimeter security, DMZ, network address, virtual local area network, tunneling, etc.) 4. Are affected system established from standard builds (or images) that allow analysis and/ or re-building affected systems? 5. IT should begin an inventory of IT assets if not established: o Operating System versions and service patches of networked computers (servers and workstations) o Asset list (e.g. which employees have been assigned which computers) o Permissions of individuals/ group memberships o IT/ HR should put together all local and network policies, and proof they have been issued to employees and third parties/ consultants 6. Are IDS/IPS systems network and /or host-based? a. What kind? Version? b. Passive or Reactive? c. Are updates automatic or manual? 7. Are anti-virus systems network and/ or host-based? a. What kind? Version? Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 10

b. Definition updating policies? c. Are updates automatic or manual? 8. What are password policies/ employee account audits? IT/ HR should begin compiling documentation showing organization s password policies and any employee audits. Review HR policies for employee computer and electronic device use. 9. Wireless Access Point Security type including authentication, encryption, etc.? 10. What e-mail systems and application are used by organization? What is the configuration? What is the security policy for email? Is there remote access? (This includes attachments scanned, dumpster set for deleted email recovery, and archived retention of all email.) 11. What file servers are in use? a. Type? b. Share permissions? c. File System? d. Achieved/Backed up? 12. Guest and remote access? 13. Who within IT is responsible for backup policies, continuity, and disaster recovery? Have they been informed of incident? Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 11

4. Incident Response Next Steps and Remediation Questions/requests to be addressed to IT/ HR/ Legal point-person(s). 1. Are there an incident response plans, instructions or guidelines for the affected group(s)? 2. Which members of IT have been trained in incident response and/ or computer forensics? What was the training? 3. Which system or network components cannot go off-line without critical impact on business continuity? 4 What tools are available for Kivu Consulting s use to assess network and/ or hostbased activity? 5. For purposes of analysis, what data can be removed from the organization/ third-party hosting for review at Kivu Consulting s computer labs? What safeguards (e.g., encryption) are required by the organization? 6. What backup-restore capabilities are available to recover from the incident? 7. If retained, who will Kivu Consultants be reporting to within the organization? o Senior Management o HR o Legal o IT o Security Copyright Kivu Consulting, Inc., 2010-2012. All rights reserved. 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information