
Cyber Incident Response

2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.


Agenda
- Introductions
- Cyber Incident Response
- The process
- Tips for getting it right
- Today's reality with breaches
- CSO versus CPO
- Q&A

Introductions: Today's Speakers

Gant Redmon, GC and VP Business Development, Co3
- Former CPO of Arbor Networks, Inc.
- General Counsel for 12 years

Ellen Giblin, Privacy Counsel, Ashcroft Law Firm
- Internationally recognized expert in privacy, data breach, data protection, cyber security, and information management
- Privacy Counsel at Littler Mendelson P.C.
- Privacy Officer for Citizens Financial Group

CYBER INCIDENT RESPONSE PLANS



Cyber Incident Response Plans

Every company should develop a written cyber incident response plan. Not only is it a good idea; some regulations require it.
The plan should document cyber attack scenarios and define appropriate responses.
The plan should include:
- Response team
- Reporting
- Initial response
- Investigation
- Recovery and follow-up
- Public relations
- Law enforcement

Cyber Incident Response Team

The response team should:
- Identify and classify cyber attack scenarios
- Determine the tools and technology used to detect attacks
- Develop a checklist for handling initial investigations of cyber attacks
- Determine the scope of an internal investigation once an attack has occurred
- Conduct any investigations within the determined scope
- Address data breach issues, including notification requirements
- Conduct follow-up reviews on the effectiveness of the company's response to an actual attack

Discovery and Reporting of Cyber Incidents

Define procedures for cyber attack discovery and reporting, including:
- Team members who monitor industry practices to ensure that information systems are appropriately updated, and that information systems are instrumented to allow for early discovery of attacks
- A database to track all reported incidents
- A risk rating to classify all reported incidents (e.g. low, medium, or high) and facilitate the appropriate response

Initial Response to a Cyber Attack

Conduct a preliminary investigation to determine whether a cyber attack has occurred; follow the investigation checklist set out in the cyber incident response plan.
The initial response varies depending on the type of attack and level of seriousness. However, the response team should aim to:
- Stop the intrusion from spreading further into the company's computer systems
- Appropriately document the investigation

Investigating a Cyber Attack

A formal internal investigation may be required depending on:
- the level of intrusion
- its impact on critical business functions
An internal investigation allows the company to:
- Fully understand the intrusion
- Improve its chances of identifying the attacker
- Detect previously unknown security vulnerabilities
- Identify required improvements to IT systems
If the company's response team or IT department lacks the capacity or expertise to conduct an internal investigation, the company may wish to retain:
- Legal counsel
- A cyber security consultant

Common Cyber Attack Scenarios

- Cyber attacks often fall into one or more common scenarios
- Anticipate and prepare for these common scenarios in advance, and provide preliminary investigatory questions for each
- Obtaining fast and accurate answers to these questions helps shape and expedite the investigation

Recovery and Follow-Up After a Cyber Attack

Address the recovery of IT systems by both:
- Eliminating the vulnerabilities exploited by the attacker and any other identified vulnerabilities
- Bringing the repaired systems back online
Once systems are restored:
- Determine what improvements are needed to prevent similar incidents from recurring
- Evaluate how the response team executed the response plan

The Role of the CPO in a Breach

- Understand the efforts underway by security staff to plug the gaps and restore integrity
- Realize that there may be a conflict of interest
- Know how to align and satisfy all of the organization's requirements

Suggestions
- Working with Security in advance is vital; knowing where the tensions are, and what you'll do to resolve them, is key to success
- Early triage is critical to determining if PI (personal information) has been exposed
- Establish executive support in advance of a breach for anything that may look contentious
- Have a clear process that coordinates activities across multiple groups to ensure an efficient organizational response
- Conduct dry runs, simulations or tabletops; they will illuminate where there are potential issues. Make sure to test multiple scenarios

Security and Privacy: the Yin and the Yang

[Diagram: cyber incidents (cyber breach, DDoS, malware, etc.) call for a CISO-driven response; incidents in which PII is exposed call for a CPO-driven response; where both apply, a combined response is needed. Aligning the two sides' objectives:]
- IT/Security: protect the integrity and continuity of business operations
- Privacy: protect customers and employees
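The deck asks for three concrete things: a database that tracks every reported incident (slide 7), a low/medium/high risk rating for each one (slide 7), and early triage that settles whether PI has been exposed and therefore whether the CISO, the CPO or both must drive the response (slides 13 and 14). The following Python is an added illustration of how those three pieces fit together; it is not Co3's software or anything from the deck. The PI categories, the scenario classes, the rating thresholds and the sample incidents are all assumptions made for the example.

```python
"""Incident intake and triage: an added example, not Co3 software.

Tracks reported incidents, rates them low/medium/high, and routes each
one to a CISO-driven, CPO-driven or combined response.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Rating(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed: data categories that count as personal information (PI). A real
# plan takes this list from the breach-notification rules that apply.
PI_CATEGORIES = {"ssn", "account_number", "health_record", "credential"}

# Assumed scenario classes: intrusion into company systems (CISO territory)
# versus exposure of data with no intrusion (lost laptop, misdirected mail).
INTRUSION_KINDS = {"malware", "web_breach", "ddos", "insider_access"}
EXPOSURE_KINDS = {"lost_device", "misdirected_email"}


@dataclass
class Incident:
    incident_id: str
    kind: str
    hosts_affected: int = 0
    critical_function_impacted: bool = False
    data_categories: List[str] = field(default_factory=list)
    records_exposed: int = 0


def exposes_pi(inc: Incident) -> bool:
    """The early-triage question: has PI been exposed?"""
    return any(cat in PI_CATEGORIES for cat in inc.data_categories)


def rate(inc: Incident) -> Rating:
    """Low/medium/high from operational impact and data exposure.
    The 1000-record and more-than-one-host thresholds are assumptions."""
    if inc.critical_function_impacted or inc.records_exposed >= 1000:
        return Rating.HIGH
    if exposes_pi(inc) or inc.hosts_affected > 1:
        return Rating.MEDIUM
    return Rating.LOW


def response_track(inc: Incident) -> str:
    """Who drives the response: 'ciso', 'cpo' or 'combined'."""
    pi = exposes_pi(inc)
    if inc.kind in INTRUSION_KINDS:
        return "combined" if pi else "ciso"
    if inc.kind in EXPOSURE_KINDS:
        return "cpo" if pi else "ciso"
    raise ValueError(f"unclassified scenario kind: {inc.kind!r}")


class IncidentLog:
    """The database of all reported incidents."""

    def __init__(self) -> None:
        self._items: Dict[str, Incident] = {}

    def report(self, inc: Incident) -> Tuple[Rating, str]:
        # Reject duplicate IDs so one event is not counted or escalated twice.
        if inc.incident_id in self._items:
            raise ValueError(f"duplicate incident id {inc.incident_id!r}")
        self._items[inc.incident_id] = inc
        return rate(inc), response_track(inc)

    def needing_cpo(self) -> List[str]:
        """IDs to escalate to the CPO, highest rating first."""
        hits = [i for i in self._items.values() if response_track(i) != "ciso"]
        hits.sort(key=lambda i: rate(i).value, reverse=True)
        return [i.incident_id for i in hits]

    def summary(self) -> Dict[str, int]:
        counts = {r.name: 0 for r in Rating}
        for inc in self._items.values():
            counts[rate(inc).name] += 1
        return counts


# Constructed sample incidents for the walk-through (not real events).
SAMPLE = [
    Incident("INC-1", "malware", hosts_affected=1),
    Incident("INC-2", "lost_device", data_categories=["ssn"], records_exposed=200),
    Incident("INC-3", "web_breach", data_categories=["account_number"],
             records_exposed=5000),
    Incident("INC-4", "ddos", critical_function_impacted=True),
]


def triage_all(incidents: List[Incident] = SAMPLE) -> IncidentLog:
    log = IncidentLog()
    for inc in incidents:
        log.report(inc)
    return log


if __name__ == "__main__":
    log = triage_all()
    for inc in SAMPLE:
        print(inc.incident_id, rate(inc).name, response_track(inc))
    print("escalate to CPO:", log.needing_cpo())
    print("by rating:", log.summary())
```

The point of separating `rate()` from `response_track()` is that the two questions are independent: a DDoS that takes down a critical function is high severity yet purely the CISO's problem, while a lost laptop holding SSNs is medium severity but belongs to the CPO from the first hour, because notification clocks may already be running.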

5 Rules for Working With Your CSO
Rule #1: Know Your History
- The modern-day CSO has been around about the same amount of time as the CPO
- The CPO title came about in the mid to late '90s with the advent of GLB and HIPAA
- The CSO title (as opposed to the CISO title) arose after 9/11 with the increased focus on security
- The CPO role weakened following 9/11 but has strengthened as personal information becomes the basis of corporate value

5 Rules for Working With Your CSO
Rule #2: Accept Your Co-Dependence
- Privacy and security are intertwined. You can have security without privacy, but you can't have privacy without security
- You can promise not to share information, but that doesn't do much good if any hacker can just steal it
- There's no responding to a data breach if you don't know about it or you can't identify what information has been accessed
- IT is generally the real first responder. They are the ER triage of data breach response

5 Rules for Working With Your CSO
Rule #3: Empathize with Your CSO
- CSOs stockpile data. CPOs are minimalists. Show your CSO the advantages of cleaning house:
  - Data retention policy compliance
  - eDiscovery advantages
  - Less exposure if a breach occurs, because there is less sensitive data available

Follow the Data
- The CSO knows the flow of data within the organization. You need to work with the CSO to understand this flow and do your job
- Once you understand the flow of data, you can compare it to the business process that drives that flow
- With an understanding of the flow of data and the business process, you can make suggestions that take into consideration the value proposition of the use of customer data
- Many companies see the role of CPO as driving internal process improvement

Privacy can be an unnatural act for the CSO
- The CSO is charged with protecting the perimeter
- The CPO may be asking the CSO for holes below the waterline in the perimeter for purposes of information-owner inspection and verification

5 Rules for Working With Your CSO
Rule #4: Stop Talking Privacy
- Privacy is a loaded word. It's like saying "conservative" or "liberal". Use a word your CSO and others can rally around: call it Information Governance
- Information governance encompasses information management, security, use, and data strategy
- Information governance can refer to a lifecycle: how we create information, how we keep it safe, secure and accessible during its lifecycle, and how we thoughtfully dispose of it

Information governance rings true with the legal department
- It can refer to data retention and eDiscovery
- It positions you as a bridge between the GC and the CSO
- GCs didn't go to law school because of their engineering prowess. Give them a hand

5 Rules for Working With Your CSO
Rule #5: Keep Your Head Out of the Boat
- A CSO's role is largely inward-looking: they must protect corporate assets and keep the system running
- The CPO's role is outward-facing because they act as the customers' and employees' advocate within the company
- Customer/client advocacy translates to corporate revenue. Ask yourself what other department uses this argument to drive change within your organization
- The CPO must be business-savvy and navigate the conflicting interests of business needs, customer expectations and legal requirements
- If the CPO can prove him- or herself to be an ally of management in the balancing of concerns, then that CPO will be embraced by those above
- If the CPO is embraced by the management team, the CPO is more likely to have a good working relationship with the CSO

5 Rules for Working With Your CSO
Bonus Rule #6: Embrace Technology to Improve Processes and Efficiency
- CSOs make their careers out of using software to improve process; conversations will go well if you speak their language
- CSOs can use software for breach triage as well as for escalating events to the CPO
- Using software to diagnose an event makes the outcome and action plan both objective and quantifiable. These are traits valued by both the GC and the CSO
- Build a dashboard. CSOs love them as a way to stay in the loop and remain part of an incident response

Questions


Thanks!

1 Alewife Center, Suite 450 Cambridge, MA 02140 ph: 617.206.3900 e: info@co3sys.com www.co3sys.com

1100 Main Street, Suite 2710 Kansas City, MO 64105 ph: 816.285.7600 e: info@ashcroftlawfirm.com www.ashcroftgroupllc.com/law/

Gartner: Co3 define(s) what software packages for privacy look like.
