Security Policies and Implementation Issues
Chapter 12
Incident Response Team (IRT) Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the different information security systems (ISS) policies associated with incident response teams (IRTs).
7/17/2014
Key Concepts
Incident response policies
Team members associated with incident response
Emergency services related to IRTs
Policies specific to incident response support services
Policies associated with handling the media and what to disclose
Business impact analysis (BIA) policies
Business continuity plan (BCP) policies
Disaster recovery plan (DRP) policies
Incident Response Team (IRT)
Cross-functional team
Organized and coordinated
Various skills
Usually only responds to major incidents
Minor incidents considered part of normal operations
Definition of an Incident
Any event that violates security policy
Unauthorized access to data
Unauthorized modification of data
Disruption of service
Classifying Breach by Attack Vector
Attack Vectors
SQL injection
Malicious code or malware
Insecure remote access
Insecure wireless
Improperly segmented network environment
Classifying an Incident
Develop a classification system
Varies by industry type
Should meet legal and regulatory obligations
Common approach is to use categories that assess threat level
Malicious code
Denial of Service
Unauthorized access
Inappropriate usage
Major vs. minor
Major incidents are significant
Determination based on risk to organization
Forming an Incident Response Team
Develop a charter
Determine IRT Model
Set goals (e.g., response time)
Identify Team Members
Team Members
Information Technology
Information Security
Human Resources
Legal
Public Relations
Business Continuity
Data Owner
Management
Charter Sections
Mission Statement
Summary
Organizational Structure
Roles & Responsibilities
Team responsibilities
For team members
Information Flow
Communications
Authority & Reporting
Level of authority
Source of authority
Goals
Methods
How goals are achieved
Incident Declaration
Definitions
Declaration process
Team alignment
Member management
IRT Models
On-Site Response: full authority to contain the breach
Supporting Role: technical assistance to the local team
Coordination: coordinates several local teams
Roles and Responsibilities
IRT Manager
This individual makes all the final calls on how to respond to an incident and is the interface with management
IRT Coordinator
They act as the official scribe of the team. All activity flows through this person who maintains the official records of the team
Users
May have supporting role in IRT as data owner representatives
System Administrators
The subject matter experts (SMEs) chosen for each incident response effort will vary depending upon the type of incident and affected system(s)
Information Security Personnel
These team members may also have specialized forensic skills needed to collect and analyze evidence
Management
Ultimately, management is held accountable for the outcome of the incident response effort
Incident Response Support Services
This is a broad category to mean any team that supports the organization’s IT and business processes
Example: The help desk is a support services team
During an incident, the help desk may be in direct contact with the customer who is impacted by the attack
Incident Response Support Services (Continued)
The help desk, at that point, becomes a channel of information on the incident
It is vital that, during an incident, the help desk works from a script of key talking points about the incident
The Incident Response Process
Plan and Train
Discover and Report Incident
Contain
Clean Up
Analyze and Prevent
Report
BIA Policies
Identifies assets required for business to recover and continue doing business
BIA may be based on multiple worst-case scenarios
Key assets include critical resources, systems, facilities, personnel, and records
BIA should contain security breach scenarios
BIA Policies (Continued)
Identifies recovery times
Used for information security and non–information security purposes
Identifies adverse effects on the organization
Identifies key components
Key Objectives of the Business Impact Analysis (BIA) Policy
Identify resources required to recover each component
Identify human assets needed to recover these components
Identify dependencies, such as other BIA components
Business Continuity Planning Policies
Creates a road map for continuing business operations after a major outage or disruption of services
Establishes the requirement to create and maintain the plan
Provides guidance for building a plan
Includes key assumptions, accountability, and frequency of testing
Business Continuity Planning Policies (Continued)
Must clearly define responsibilities for creating and maintaining the BCP
Identifies responsibilities for its execution
Covers the business’s support structure
BIA, BCP, and DRP
BIA: drives the requirements for the BCP
BCP: drives the requirements for the DRP
DRP: policies needed to recover IT assets after a major outage
Best Practices in Incident Response
Effectiveness of the IRT and its related policies needs to be measured
Measurement should be published annually with a comparison to prior years
Best Practices in Incident Response (Continued)
Measurements should include the goals in the IRT charter, plus additional analytics to indicate the reduction of risk to the organization, such as:
Number of incidents
Number of repeat incidents
Time to contain per incident
Financial impact to the organization
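The slide names the measurements but not how to produce them. The following is an added example, not material from the slides or the publisher: it computes those four measures from a constructed incident register and groups them by year, so the annual report can show the comparison to prior years the previous slide calls for. The record layout, the sample incidents, and the rule used to flag a "repeat" (the same incident category hitting the same asset again) are assumptions made for this example.

```python
"""Annual incident-response metrics from an incident register.

Added example; not code from the slides or the publisher. The Incident
layout, the sample register and the "repeat" rule are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Iterable


@dataclass(frozen=True)
class Incident:
    incident_id: str
    category: str            # classification category, e.g. "malicious code"
    asset: str               # system or business process affected
    declared_at: datetime    # when the IRT declared the incident
    contained_at: datetime   # when containment was confirmed
    financial_impact: float  # direct cost in the organization's currency

    def hours_to_contain(self) -> float:
        """Time to contain this incident, in hours."""
        return (self.contained_at - self.declared_at).total_seconds() / 3600


# Constructed sample register: eight fictitious incidents across two years.
SAMPLE_REGISTER = [
    Incident("IR-2013-01", "malicious code", "payroll-app",
             datetime(2013, 2, 3, 9, 0), datetime(2013, 2, 3, 21, 0), 12000.0),
    Incident("IR-2013-02", "unauthorized access", "hr-db",
             datetime(2013, 5, 10, 14, 0), datetime(2013, 5, 12, 14, 0), 40000.0),
    Incident("IR-2013-03", "malicious code", "payroll-app",
             datetime(2013, 9, 1, 8, 0), datetime(2013, 9, 1, 16, 0), 8000.0),
    Incident("IR-2013-04", "denial of service", "web-store",
             datetime(2013, 11, 20, 0, 0), datetime(2013, 11, 20, 6, 0), 25000.0),
    Incident("IR-2014-01", "inappropriate usage", "file-share",
             datetime(2014, 1, 15, 10, 0), datetime(2014, 1, 15, 12, 0), 500.0),
    Incident("IR-2014-02", "malicious code", "payroll-app",
             datetime(2014, 3, 2, 7, 0), datetime(2014, 3, 2, 11, 0), 3000.0),
    Incident("IR-2014-03", "denial of service", "web-store",
             datetime(2014, 6, 30, 22, 0), datetime(2014, 7, 1, 2, 0), 9000.0),
    Incident("IR-2014-04", "unauthorized access", "vpn-gateway",
             datetime(2014, 10, 5, 9, 0), datetime(2014, 10, 6, 9, 0), 15000.0),
]


def find_repeats(incidents: Iterable[Incident]) -> set[str]:
    """IDs of incidents whose (category, asset) pair already occurred earlier.

    Assumed rule: a recurrence of the same category on the same asset is a
    repeat, which points at a root cause that was never fully removed.
    """
    seen: set[tuple[str, str]] = set()
    repeats: set[str] = set()
    for inc in sorted(incidents, key=lambda i: i.declared_at):
        key = (inc.category, inc.asset)
        if key in seen:
            repeats.add(inc.incident_id)
        seen.add(key)
    return repeats


def annual_metrics(incidents: list[Incident]) -> dict[int, dict[str, float]]:
    """The slide's four measures, computed per calendar year of declaration."""
    repeats = find_repeats(incidents)
    by_year: dict[int, list[Incident]] = defaultdict(list)
    for inc in incidents:
        by_year[inc.declared_at.year].append(inc)
    report: dict[int, dict[str, float]] = {}
    for year in sorted(by_year):
        group = by_year[year]
        report[year] = {
            "incidents": len(group),
            "repeat_incidents": sum(1 for i in group if i.incident_id in repeats),
            "mean_hours_to_contain": round(mean(i.hours_to_contain() for i in group), 1),
            "max_hours_to_contain": max(i.hours_to_contain() for i in group),
            "financial_impact": sum(i.financial_impact for i in group),
        }
    return report


def year_over_year(report: dict[int, dict[str, float]], metric: str) -> dict[int, float | None]:
    """Change in one metric versus the prior year; None for the first year."""
    years = sorted(report)
    return {cur: (None if prev is None else report[cur][metric] - report[prev][metric])
            for prev, cur in zip([None] + years[:-1], years)}


if __name__ == "__main__":
    report = annual_metrics(SAMPLE_REGISTER)
    for year, metrics in report.items():
        print(year, metrics)
    print("change in mean hours to contain:", year_over_year(report, "mean_hours_to_contain"))
```

A negative year-over-year value for time to contain or financial impact is the evidence of risk reduction the slide asks for; a rising repeat count, as in the sample data, is the signal that the "Analyze and Prevent" step is not closing root causes.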
Summary
Incident classifications
Roles and responsibilities associated with incident response team policies
Incident support services
Best practices for creating incident response team policies
BIA, BCP, and DRP policies