JBW Group Inc. – Information Security Consulting © 2005
Incident Response: A Standards-Based Approach
Project Management Institute, Minnesota Chapter
John B. Weaver - JBW Group Inc, Information Security Consulting
February 17, 2005
"Immature strategy is the cause of grief." - Miyamoto Musashi (1584-1645)
Incident Response
Agenda
• Background
• Information Security
• Business Environment
• A Standards-based Approach
• Incident Response
• Project Management of Incident Response
  • Proactive
  • Reactive
• References
Background
• Over 15 Years Experience in Information Security
• JBW Group Inc – International Information Security Consultancy
• Worked with Clients in Healthcare, Financial, Telecommunications, Energy verticals
• BS7799/ISO17799 Evangelist
• BSI-Qualified BS7799 Audit and Implementation
• InfraGard Executive Board
• ISC2, ISACA, ASIS, ISSA, IISFA
Information Security
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected”
BS ISO/IEC 17799:2000
Information Security
[Diagram: Information Assets at the centre, surrounded by Confidentiality, Integrity and Availability]
Business Environment
• Internet connectivity is necessary to compete in the marketplace
• Internet-connected businesses and government agencies
• Expanded infrastructure
• Vendor partners and regulatory organizations are requiring internet connectivity
• Outsourcing of critical functions
• Off-shore development
Business Environment (continued)
• Sarbanes-Oxley (SOX)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• California SB1386
• New Basel Capital Accord (Basel-II)
• Digital Millennium Copyright Act (DMCA)
• Business Software Alliance (BSA)
• Industry-specific Requirements
BS7799 / ISO/IEC 17799
• Internationally recognized Information Security standard
• Process driven, business oriented
• Measurable – Valuation of assets and scaling of risk
• Repeatable – Formal approach, structured processes
• Scalable – Facilitates prototyping, adaptable
• Defensible – Articulates level of assurance
• Recognizes information in all forms
• Meets requirements of HIPAA, GLBA (and others)
• Requires governance (management buy-in)
• Utilizes "best practices"
• Promotes security awareness throughout organization
• Reflects Total Quality Management (continuous improvement)
Incident Types
• Natural Disaster
• Physical Security Breach
• Viruses and Worms
• Trojans
• Employee Misconduct
• Accidental or Inadvertent Incidents
• Labor and Trade Union Action
• Terrorism and Cyber-Terrorism
• System or Network Security Breach
• CGI Exploits
• Distributed Denial of Service
• Hoaxes
• Theft of Proprietary Data (IP)
• Router Compromise
• System Compromise
Standards-Based Incident Response
BS7799/ISO17799 Components of Incident Response:
• Management Oversight (Governance)
• Policy for Incident Response
• Documented Risk Assessment Process
• Incident Response Planning
  • Disaster Recovery
  • Business Continuity
  • Security Incidents
  • Employee Awareness
  • Training
• Quality Management/Continuous Improvement
Risk Management
Key element of ISO17799 is the Degree of Assurance, determined by:
[Diagram: Risk Assessment Process → (output) Level of Risk → (input) Risk Treatment Process → (output) Residual Risk → Degree of Assurance]
Incident Response
The Incident Response Strategy consists of several process steps, grouped into two components:
Proactive Strategy
• Planning
• Testing
• Monitoring and Detection
Reactive Strategy
• Analysis
• Isolation
• Containment
• Investigation
• Mitigation
• After Action Analysis (TQM)
"Incident Response as Managed Project"
There are obvious project management components in the proactive strategy:
• Developing, deploying & testing
  • Disaster response plans
  • Business continuity plans
  • Incident response plans
• Continuous improvement
Project Management can play a vital role in the reactive strategy:
• Communications
• Logistics
• Metrics
• After action analysis and reporting
Incident Response Project Management (continued)
Proactive Plan Components:
• Senior Management Commitment
• Constituency is Defined
• Risk Assessment/Impact Analysis
• Policy is Documented and Endorsed
• Incident Response Team Membership
• Defined Roles and Responsibilities
• Well Documented Processes and Procedures
• Identified Measurement Points (Metrics)
• Services are Defined
• Linkages to Other Teams/Organizations are Established and Maintained
Incident Response Team
Incident Response Core Team membership is predefined and static. The roles for the core team are:
• Management
• Technical Lead
• Engineering
• Logistics
Other team members are brought in and "deputized" on an as-needed basis.
Avoiding Immature Strategy
The most important part is preparation
• Adequate planning is critical to success
• Anticipate as many logistical needs as possible
• Regular testing of the plan is critical
• Build in points in the plan for taking measurements for developing metrics
• Encourage management/sponsor review (governance)
• Analyze for areas of improvement
Incident Response Metrics
Reactive Response
• Analysis – Systematic review of data
• Isolation – Separation from the environment
• Containment – Keep it isolated
• Investigation – Cause and effect
• Mitigation – Fix, diminish or otherwise deal
• After Action Analysis (TQM) – Includes root cause and recommended solutions
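The reactive phases above, together with the deck's "identified measurement points", as an added example that is not part of the original presentation: a small Python tracker (the `IncidentTracker` and `sample_incident` names are hypothetical) that enforces the slide's phase order and derives per-phase durations and time-to-containment from a constructed timeline.

```python
from datetime import datetime, timedelta

# Reactive-strategy phases in the order the slide gives them; entering
# each phase is one of the plan's measurement points.
PHASES = ["Analysis", "Isolation", "Containment", "Investigation",
          "Mitigation", "After Action Analysis"]


class IncidentTracker:
    """Hypothetical helper: records when each reactive phase is entered
    and derives the response metrics from those timestamps."""

    def __init__(self, detected_at):
        self.detected_at = detected_at
        self.entered = {}  # phase name -> datetime the phase began

    def enter(self, phase, when):
        # Phases must be entered in slide order and time must not run
        # backwards, otherwise the derived metrics are not comparable.
        if len(self.entered) >= len(PHASES):
            raise ValueError("all phases already entered")
        expected = PHASES[len(self.entered)]
        if phase != expected:
            raise ValueError(f"expected phase {expected!r}, got {phase!r}")
        last = max(self.entered.values()) if self.entered else self.detected_at
        if when < last:
            raise ValueError("timestamps must not go backwards")
        self.entered[phase] = when

    def phase_durations(self):
        """Minutes spent in each phase that has a successor recorded."""
        names = [p for p in PHASES if p in self.entered]
        return {a: (self.entered[b] - self.entered[a]).total_seconds() / 60
                for a, b in zip(names, names[1:])}

    def time_to_containment(self):
        """Minutes from detection to Containment, or None if not contained yet."""
        if "Containment" not in self.entered:
            return None
        return (self.entered["Containment"] - self.detected_at).total_seconds() / 60


def sample_incident():
    """Constructed timeline (sample values, not from the deck): detection at
    09:00, then one phase entered every 15 minutes."""
    t0 = datetime(2005, 2, 17, 9, 0)
    trk = IncidentTracker(detected_at=t0)
    for i, phase in enumerate(PHASES):
        trk.enter(phase, t0 + timedelta(minutes=15 * (i + 1)))
    return trk
```

The last phase never gets a duration because nothing follows it; closing the incident would be a further measurement point if the plan defines one.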
PDCA Model Applied to ISMS
[Diagram: Interested Parties supply information security requirements and expectations; Plan – Establish the ISMS; Do – Implement and operate the ISMS; Check – Monitor and review the ISMS; Act – Maintain and improve the ISMS; this development, maintenance and improvement cycle delivers managed information security back to the Interested Parties]
Source: BSI Americas © 2003
Continuous Improvement
After Action Reporting
• Include Incident Response team world view
• Describe incident environment
• Describe response methodology
• Report response metrics
• Document results of after action analysis
• Recommend opportunities for improvement
Continuous Improvement (continued)
Recommend areas of improvement as goals and objectives:
• Ranked by urgency
• "Low hanging fruit"
• Greatest cost/benefit ratio
• Legal or regulatory requirements
• Input to Policy Development
Mature Strategy
Successful Incident Response
• Incident response is guided by a well understood framework
• Mandated by management - Governance
• Focused by risk assessment and impact analysis
• Supported by clear policy and guidelines
• Well documented and frequently exercised incident response processes (mature IR plan)
• Vested incident response team
• Team members understand roles, responsibilities and constituency
• Develop metrics to understand impact to the business and effectiveness of IR process
• Utilize knowledge gained from after action analysis and reporting to continually improve the environment and the IR process
References
• A Book of Five Rings – The Classic Guide to Strategy, by Miyamoto Musashi, translated by Victor Harris, published by Overlook Press, Woodstock, NY
• Incident Response, by Kenneth R. van Wyk and Richard Forno
• British Standard BS7799-2:2002 Information Security Management Systems – Specification with guidance for use
• BS ISO/IEC 17799:2000 (BS7799-1:2000) Information Technology – Code of practice for information security management
• ISO/IEC TR 13335 Information Technology – Guidelines for Management of IT Security (GMITS)
• The Computer Emergency Response Team (CERT™) – Carnegie Mellon University, www.cert.org
• ISO17799 Information Security Management System (ISMS) Users Group – www.xisec.com
• International Organization for Standardization (ISO) – www.iso.org
• National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) – csrc.nist.gov
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – www.coso.org
• International Register of Certificated Auditors (IRCA) – www.irca.org
• United Kingdom Accreditation Service (UKAS) – www.ukas.org
• BSI Americas – www.bsiamericas.com
JBW Group Inc – Information Security Consulting
Contact Information:
John B. Weaver – CISSP, CISA, CISM, CPP
President and CEO, Principal Consultant
JBW Group Inc
PO Box 19393
Minneapolis, MN 55419
612.719.2663