Incident Response: What Information Security & Business Continuity Have In Common

Date posted: 18-Oct-2019
Page 1: Incident Response: What Information Security & Business ... · Management • Establish Information Security Management Policies and Controls and Monitor Compliance— Governance

1

Incident Response: What Information Security & Business Continuity Have In Common

Risk Management Process Goal is to Reduce

• Regulatory Compliance

• Robustness

• Vendor Management

• Records Management

• Risk Management

• Continuity Management

• Health & Safety Mgt

• Quality Management

• Workplace Violence

• Death-on-Site

• Death-on-Study

• Loss of Key Staff

• Loss of Intellectual Property

• Human Error / Sabotage

• Security Breach

• Failure of LAN / WAN

• Malicious Code Attacks

• Loss of Information System Integrity

• Loss of data / vital records

• Inability to recover data

• Interrupted services

• Animal Activists

• Natural Disaster

• Fire, Explosion

• Pipe Break, Flooding

• Hazardous Spill

• Regulatory Change

Enterprise Risk and Crisis Management

Page 2

Integrating the Risk Management Processes

• Success of the plan execution depends on the integration with other related risk management activities

– Emergency Response

– Security

– Risk Management

– Human Resources

– Environmental Health and Safety

– Crisis Management

Common Elements (Business Continuity* vs. Information Security)

Program Governance

– Business Continuity*: Someone in charge; Policies & standards; Formal Reporting Process

– Information Security: Someone in charge; Policies & standards; Formal Reporting Process

Competencies

– Business Continuity: Requires specialized skills

– Information Security: Requires specialized skills

Pre-Planning

– Business Continuity*: Project Initiation and Management; Risk Evaluation and Control; Business Impact Analysis (help define RTO & RPO)

– Information Security: Project Initiation and Management; Risk Evaluation; Business Impact Analysis (identify high-impact systems)

Planning

– Business Continuity*: Developing Business Continuity Strategies; Emergency Response and Operations; Developing and Implementing Business Continuity Plans

– Information Security: Developing implementation strategies; Incident Response and Operations; Developing and Implementing Information Security Plans

Execution

– Business Continuity: Detection; Evaluation; Response; Recovery; Resume Operations; Post Mortem

– Information Security: Detection; Evaluation; Response; Resolution; Resume Operations; Post Mortem

Post-Planning

– Business Continuity*: Awareness and Training Programs; Maintaining and Exercising Business Continuity Plans; Public Relations and Crisis Communication; Coordination with Public Authorities (Emergency Management)

– Information Security: Awareness and Training; Maintaining and testing Information Security Plans; Coordination with Public Authorities (Law Enforcement); Public Relations and Crisis Management (PII Disclosure)

Page 3

Page 4

Information – In Terms of IS

• The term “information” as used here includes information in human, physical, and electronic forms

• Some information can be considered critical to the organization’s success, such as that relating to:

– products

– processes

– finance

– customers, and

– copyrighted or patented intellectual property

• Loss or compromise of certain information can be harmful or even fatal to an organization, in terms of:

– damage to its reputation

– its financial status, or

– its operational ability to function

Page 5

Balanced Security Program

A balanced Information Security Program embraces a carefully selected set of foundational principles such as the guidelines promulgated by the Organization for Economic Cooperation & Development [1], or the Generally Accepted Information Security Pervasive Principles [2].

1. http://www.oecd.org/document/42/0,2340,en_2649_201185_15582250_1_1_1_1,00.html

2. http://www.issa.org/gaisp/gaisp.html

IS Steps

• Generally, the first step is to identify and list information assets, properly classified with respect to confidentiality, integrity, availability, and privacy considerations

– Why not availability, integrity, confidentiality & privacy?

• If it’s not available, everything else is moot

• A risk assessment considering vulnerabilities, probabilities, and impact should be conducted to enumerate the risks to which the information assets, objectives, and functions are exposed

• After understanding the risks, strategies can be defined and implemented to mitigate those risks

• Recognizing that total risk elimination is impossible, it is important for the Board to establish tolerable thresholds for known risks. This enables the Board to convey its level of tolerance for various risks to executive management in a meaningful way

Governance

• Establish Risk Thresholds for Critical Information Assets and Information-dependent Functions and Objectives

• Establish Broad Information Security Program Principles and Assign Senior Management Accountabilities for Information Security

• Protect Stakeholder Interests Dependent on Information Security

• Ensure Appropriate Information Security Requirements for Strategic Partners and Vendors

• Comply with External Information Security Requirements (e.g. Sarbanes-Oxley, HIPAA, GLBA)

• Establish Requirements for Internal and External Audits of the Information Security Program

• Specify the Information Security Metrics to be Reported to the Board

Page 6

Management

• Establish Information Security Management Policies and Controls and Monitor Compliance—Governance

• Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges—Governance

• Assess Information Risks & Actively Manage Risk Mitigation—Risk Evaluation & Control

• Ensure Implementation of Information Security Requirements for Strategic Partners and Vendors—third party assessments and vendor viability studies

• Identify and Classify Information Assets—Availability, Integrity, Confidentiality & Privacy

• Ensure Business Continuity—included in ISO17799

• Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance—integration into business and system development life cycles

• Protect the Physical Environment—physical security, threat mitigation controls

• Ensure Internal and External Audits of the Information Security Program with Timely Follow-up

• Specify the Information Security Metrics to be Reported to Management—maturity model

Technical

• User Identification and Authentication

• User Account Management

• User Privileges

• Configuration Management

• Event and Activity Logging and Monitoring

• Communications, Email, and Remote Access Security

• Malicious Code Protection, Including Viruses, Worms, and Trojans

• Software Change Management, including Patching

• Firewalls

• Data Encryption

• Backup and Recovery—Disaster Recovery Element

• Incident and Vulnerability Detection and Response—Incident Management

• Specify the Technical Metrics to be Reported to Management

• Information Security Program Elements and Supporting Metrics

SIRP

Section 1: Overview

• What this document covers and how to use it

Section 2: Structure of the Security Incident Response Team (SIRT)

• Types of incidents addressed by the SIRT:

– Virus

– Unauthorized access of PII

– Law Enforcement Requests

– Identity Theft

– Denial of Service

– Other malicious code attacks

Page 7

SIRP

Section 2: Phases of incident response process

• Detection—Potential sources

• Notification—Composition based on type of incident

• Documenting the incident

• Assessment—Team mix per location; may include third parties

• Prioritization of proposed actions & notification of affected parties

• Containment—Roles/responsibilities per location

• Disclosure Process—if PII

• Recovery—Repairing the damage and resuming normal business operations

• Post-Mortem

SIRP

Section 2 cont’d:

• Incident information management

– PII / Non-PII

– Investigative / Non-investigative

• Briefing participants: Confidentiality of information

• Decision trees per type of incident

• Flow chart of actions

• Documenting the incident

• Status Reporting: Corporate, Operating Units, Third Parties, Law Enforcement, Regulatory Contacts

SIRP

Section 3: Reference

• Contact lists

• Information owners and custodians: prioritized list

• Precursors and indicators

• Information sources

– CERT

– Other related sites

Section 4: Forms

Page 8

Terminology

• SIRP

– Security Incident Response Plan

• SIRT

– Security Incident Response Team

• IS

– Security Center of Excellence

• OOP

– Office of Privacy

• GLBA

– Gramm, Leach, Bliley Act

• SB 1386

– Senate Bill 1386 (California Legislation)

• PII

– Personally Identifiable Information

• HD

– Help Desk

• BU / BUC

– Business Unit / Business Unit Coordinator

• DoS, MalCode, IU, UA

– Denial of Service, Malicious Code, Inappropriate Use, Unauthorized Access

• ISP / ASP

– Internet / Application Service Provider

Why Create A SIRP

• Regulatory requirements

– GLBA

– SB 1386

• Malicious code threats

• Intruder / Unauthorized Access threats

• Disclosure threats

Recent Activity

• The fastest growing crime in the nation

– As of a 2003 Gartner and Harris poll

• 19,178 per day, 799 per hour, 13.3 per minute

• California ranks 2nd in the nation (FTC Annual Report)

• Identity Theft Incidents

– Ford Credit (13,000 notified, 400 customers)

– Choice Point Breach (third party ring)

– AOL/PayPal ‘phishing’ (May 2004)

– Bank of America (backup tapes)

– Global Crossing (post of SSN on website)

Page 9

The Likely Types of Threats

• Denial of Service

• Inappropriate use of systems

• Malicious Code

– Virus

– Worms

• Intruders / Unauthorized Access

– Identity Theft

– Access to consumer and customer information

• Personally Identifiable Information

– Company qualified PII

– SB 1386 defined PII

Introduction – Incident Response

• Incident Response is not rocket science, but:

– When an information security incident occurs there are basic steps that should be remembered

Introduction (continued)

1. Remain calm—don’t panic

2. Enforce a ‘need to know’ policy—the perpetrator may be internal

3. Notify the right people and get help—it takes a team to succeed

4. Contain the problem—stop the crisis ASAP

5. Take good notes—documentation is critical

6. Use out of band communications (phone, fax, etc.)—you don’t know who’s watching and listening

7. Make a backup of the affected system(s) as soon as practicable—evidence & analysis

8. Get rid of the problem—correct the exposure

9. Get back in business

10. Conduct a post-mortem—understand what happened and potentially correct the exposure

Page 10

SIRT Core Team

• Authorize a Central Point of Control to direct the SIRT activities

– Information Security Manager responsibilities

• Management and coordination of information security response

• Ensure incident is logged and documented

– Office of Privacy responsibilities

• Determine that PII was / was not involved

– If PII is involved, ensure appropriate response occurs

– Legal responsibilities

• Provide on-going support and legal guidance

– Interface with law enforcement

SIRT Organization

• Put the right people in the right place with the right preparation to make a difference

– SIRT Core will identify the right people for the jobs

• Local Teams

• Centralized Teams

• Command Team

• Combination Teams

– Teams are to collect historical information

• Right people, right place, right preparation

– Ensure that all outside communications go through the Corporate Communications and Legal groups

– Follow the provided checklists and flowcharts as guidelines, not strict practices

SIRT Organization

Page 11

SIRT Team (organization chart; boxes shown on the slide)

• SIRT Core

• SCOE, OOP, TCPR Legal

• Business Unit Coordinators

• Sales, Development, Regulatory Affairs, Corporate Communications, CSC Operations, Risk Management, Human Resources, Internal Audit

• Triage Team

• Support Team

• Third Party (IBM Data Center, IBM DeskSide, TMS, NetSec, etc.)

SIRT Member Obligations

• ALL expanded SIRT Members are obligated to:

– Report incidents and activities to the SIRT Core

– Coordinate all actions and communications with the SIRT Core

Sales Development:

• Be able to directly contact distributors and wholesalers

• Coordinate with sales force on customer-facing applications

• Involved in decision making on systems that affect their groups

Regulatory Affairs:

• Provide support for incident response where Insurance (GAP, Credit Life) is involved

Corporate Communications:

• Develop communications, jointly with the SIRT Core, relating to information security incidents

• Prepare briefs and talking points for Company executives

• Coordinate and act as primary interface for all media

Other SIRT Members

Page 12

CSC Operations

• They serve as the front end interface to the customer body and are responsible for updating the customers in case of any problems faced

• Involved in decision making on systems that affect their groups

Risk Management:

• Provide risk management insight

• Support law enforcement interface and coordination

Human Resources:

• Provide information to the SIRT regarding policies/procedures for incidents originating from human resources

• Provide direction for response to inappropriate use by internal resources

Internal Audit:

• Gather information from SIRT and provide support and guidance as needed

• Guide SIRT in maintenance and audit of the SIRP

Other SIRT Members (continued)

Business Unit Coordinator (BUC):

• Coordinate response activities as directed by the SIRT and disseminate incident information at the Business Unit Level

• Serve as the BU single point of contact for the IS and HELP DESK

• Engage and oversee Triage Team members within the business unit

• Evaluate the severity level of the incident (with the SIRT) and update if necessary

Triage Team:

• Perform response activities as directed by the BUC and SIRT Leader

• Review audit trails, log files, file system contents, etc. to determine the symptoms, cause, and the source of the incident

• Preserve data on system server(s) or workstation(s) (working with the site “Physical Security Coordinator”)

• Triage the cause of the incident and restore affected systems to normal

Other SIRT Members (continued)

Support Team:

• Assist the SIRT team with logistics, communications, resources, purchasing and anything else that may be required.

Third-party (for example):

• IBM Deskside: Provide desktop support, including file servers and print servers; messaging and information protection (i.e., resolve trouble tickets for desktop support assigned by the HD). Monitor HD information to determine if a security incident is occurring

• External Consulting Experts: Provide support for computer forensics and investigation, in the event that this service is required

• Internet Service Provider: In some instances, ISPs may provide assistance in investigation such as locating and blocking the source of an attack, particularly Denial of Service (DoS) attacks.

• NetSec: May provide key information from logs and Intrusion Detection Systems (IDS) to assist in forensic computer investigations that may also be used as evidence in a civil or criminal case.

Other SIRT Members (continued)

Page 13

Communications

• Excellent communications enables a successful response

• To avoid break-downs consider:

– Having a Central Point of Control

– Practicing “Need to Know” guidance

– Contact lists and methods (both backed up offsite)

– Incidents do NOT happen at convenient times

– Expect to receive appropriate communications

• Daily, weekly, hourly … as required

• Two Levels – Working / Management

– Communicate support needed to management and SIRT

– Various modes of communication may be used

– Provide communication, it is key for decision-making

Team Preparation

• Training

– Make It Ongoing

• Calendar planning/training dates at least annually

– Expand types of scenarios—consider new threats

– Conduct different types of exercises

• Desktop / Walk-through

• Operational

• Full-scale Simulations

• A properly trained team can help events flow more smoothly during an incident

– Set up tools and techniques training

– Be prepared with some high capacity drives for backup storage

– Have third-party contacts in place

Team Preparation

Page 14

System Administrators

• Sys Admins are key to discovering anomalies

• Guidelines include:

– Involvement and preparation

– Encouragement of regular system backups

– Utilize intrusion tools such as anomaly detection/logging and ensure tools are turned on

– Perform penetration testing regularly

• At least annually

• Usually only experienced incident handlers are capable of determining whether or not the incident is genuine.

– Note: It may not be considered an incident unless it violates your security policy

– Check for simple errors (e.g., system configuration, h/w failures, user/system admin errors, etc.)

– Assess the evidence in detail by following the list of indicators

Determining Incident Actuality

• SIRP discusses the four major kinds of incidents that are highly likely to occur:

– Denial of Service attacks (DoS)

– Malicious Code

– Unauthorized Access (UA)

– Inappropriate Usage (IU)

• Also, a general approach is included

Relevant Kinds of Incidents

Page 15

Chain of Custody

• Referral for prosecution

– Either requested by the company

– Or by Law Enforcement

• Evidence collection and the Chain of Custody

– Identify / Tag pieces of evidence

» Number, date, signed notes/printouts

» Originals kept pristine

» Copies used for diagnosis

– Evidence under lock and key

• Two person control system

• Close coordination with an ISP/ASP is key

– Ask for aid in investigation

– Have ISP contact information readily available

– ISPs: keep a copy of logs

• Notify appropriate officials

– Immediate manager and Information Security Lead/Mgr should be notified when the incident begins
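The evidence-handling rules above (number and date each item, keep originals pristine, diagnose on copies, two-person control) in working form, as an added illustration that is not part of the SIRP. It assumes evidence items are files, that a SHA-256 digest stands in for the physical seal, and that the EV-nnnn tag format and custodian names are constructed.

```python
"""Evidence tagging with two-person custody, added here as an illustration;
it is not part of the SIRP. Assumptions: evidence items are files, a SHA-256
digest stands in for the physical seal, and the tag format EV-nnnn is ours."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Digest the file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class EvidenceItem:
    tag: str              # sequential tag number written on the item, e.g. EV-0001
    original: str         # path of the pristine original; never analysed directly
    digest: str           # SHA-256 recorded at collection time (the "seal")
    collected_at: str     # UTC timestamp issued with the tag
    custody: list = field(default_factory=list)   # dated, two-person custody events


class EvidenceLog:
    """Issues tags, hands out working copies and records custody transfers."""

    def __init__(self) -> None:
        self.items = {}       # tag -> EvidenceItem
        self._next = 1

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def tag_item(self, original: str, collector: str, witness: str) -> EvidenceItem:
        """Number and date the item; collector and witness must be two different people."""
        if collector == witness:
            raise ValueError("two-person control: collector and witness must differ")
        tag = f"EV-{self._next:04d}"
        self._next += 1
        item = EvidenceItem(tag, original, sha256_of(original), self._now())
        item.custody.append({"event": "collected", "by": collector,
                             "witness": witness, "at": item.collected_at})
        self.items[tag] = item
        return item

    def working_copy(self, tag: str, dest_dir: str) -> str:
        """Copy used for diagnosis; refuse to release one that does not match the seal."""
        item = self.items[tag]
        dest = os.path.join(dest_dir, f"{tag}-working.bin")
        shutil.copy2(item.original, dest)
        if sha256_of(dest) != item.digest:
            os.remove(dest)
            raise RuntimeError(f"{tag}: working copy does not match recorded digest")
        return dest

    def transfer(self, tag: str, releasing: str, receiving: str) -> None:
        """Hand-off out of lock and key; both custodians are named on the entry."""
        if releasing == receiving:
            raise ValueError("two-person control: releasing and receiving custodians must differ")
        self.items[tag].custody.append({"event": "transfer", "from": releasing,
                                        "to": receiving, "at": self._now()})

    def verify_pristine(self, tag: str) -> bool:
        """Re-hash the original; any analysis that touched it shows up as a mismatch."""
        item = self.items[tag]
        return sha256_of(item.original) == item.digest


def demo() -> dict:
    """Constructed scenario: tag one item, release a working copy, alter only the copy."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "server-image.bin")
    with open(original, "wb") as f:
        f.write(b"constructed disk image contents\n" * 1000)   # constructed sample evidence

    log = EvidenceLog()
    item = log.tag_item(original, collector="handler-A", witness="handler-B")
    copy = log.working_copy(item.tag, work)
    log.transfer(item.tag, releasing="handler-A", receiving="forensics-C")
    with open(copy, "ab") as f:                # diagnosis may alter the working copy...
        f.write(b"analysis scratch notes\n")

    try:                                       # a single-person collection is refused
        log.tag_item(original, collector="handler-A", witness="handler-A")
        single_person_rejected = False
    except ValueError:
        single_person_rejected = True

    return {"tag": item.tag,
            "original_pristine": log.verify_pristine(item.tag),   # ...but never the original
            "copy_matches_seal": sha256_of(copy) == item.digest,
            "custody_events": len(item.custody),
            "single_person_rejected": single_person_rejected}
```

The custody list is the record that goes into the SIRP evidence logging form; re-running verify_pristine before a hand-off to law enforcement shows the original was not touched during diagnosis.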

ISP/ASP Coordination

• An on-site team may be deployed to gather information promptly and correctly

• Deploy a small team

• If possible, physically secure the area

• Use survey forms or an engineer’s notebook

• Review information from identification phase

• Keep the system(s) pristine

• Keep a low profile

• Avoid looking for the intruder with obvious methods

• Maintain standard procedures

• Avoid potentially compromised code

Containment

Page 16

• Backup the system

– To avoid data destruction, backup the entire system to new, unused media

– Safely store any backup tapes and media sources so that they will not be lost and/or stolen

• Change passwords

– Passwords on all compromised systems should be changed (Strong Passwords)

– If a sniffer is detected/suspected, change passwords of appropriate LANs

Containment (continued)

Risks

• Shut down or continue to run; both are tough decisions

– Input from end-users and senior management

– Provide information quickly to help the SIRT make decisions as quickly as possible

– Review affected systems and neighboring systems; delays may allow propagation of damage

– Provide recommendations to management and SIRT

• It is critical to keep all parties informed

– ‘Need to know’ basis

– End-user communications through the SIRT

– Status of IT systems tracked and reported

• Never allow “fault finding” to be an issue during incident handling – it distracts the team’s response

– Encourage, motivate and commend co-workers for a job well done

– Factors leading to the incident will be identified and discussed during the post-mortem

Briefings

Page 17

• Start a log book (like an engineer’s notebook) using ink to record items such as:

• Assumptions and Observations

• Ideas and Hypotheses

• Dates and Times

• People contacted

• Actions taken

• Safeguard the evidence

• Gather latest configuration details

• Try to do this without modifying the targeted system

Collect information

• Some options are:

– Isolate the system from the network, initiate damage assessment and analyze how the attack was executed

– Employ applicable protection techniques such as firewall and/or router filters; move the system to a new IP location

– Perform system vulnerability analysis

• Using automated vulnerability assessment tools

Recovery

– Remove the cause of the incident

• Virus incidents:

– Use of commercially available automated virus eradication software

– Malicious code infection:

• For well-known Trojan horses & certain worms, commercial software may suffice for eradication

• Ensure that there are effective procedures by which updates to commercial anti-viral programs are available

Recovery (continued)

Page 18

– Remove the cause of the incident (continued)

• Network intrusion:

– Determine whether the attacker has modified the configuration on the affected system

» If yes, immediately disconnect the system from the network until the completion of forensic analysis

» Unless IS and/or law enforcement suggests otherwise in order to monitor the attacker for subsequent action

– If the attacker discovers your action, IS will decide whether to call law enforcement support

– Team members should refrain from direct contact with an attacker in the absence of a written policy
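One way to answer the "has the attacker modified the configuration?" question above, as an added illustration that is not part of the SIRP: compare the affected system's files against a baseline manifest of SHA-256 digests. It assumes such a manifest was taken before the incident (for example alongside the pre-intrusion backup) and kept off the affected host; the file names and contents are constructed.

```python
"""Baseline comparison for the 'has the attacker modified the configuration?'
decision, added as an illustration; not part of the SIRP. Assumes a manifest of
SHA-256 digests was taken before the incident and kept off the affected host."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Digest the file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Bucket the differences; any non-empty bucket means the configuration changed,
    which on the slide above is the trigger for disconnecting the system."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed,
            "configuration_changed": bool(modified or added or removed)}


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create rel (with parents) under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline taken, then one file edited and one file added."""
    root = tempfile.mkdtemp()
    _write(root, "etc/app.conf", b"# constructed baseline setting\nremote_admin = off\n")
    _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
    baseline = build_manifest(root)            # in practice stored off-host before the incident

    # Constructed post-incident state: one value changed, one file absent from the baseline.
    _write(root, "etc/app.conf", b"# constructed baseline setting\nremote_admin = on\n")
    _write(root, "etc/cron.d/unexpected", b"# constructed: entry absent from the baseline\n")
    return compare_to_baseline(baseline, build_manifest(root))
```

The manifest must come from before the incident and from storage the affected host cannot reach; a baseline rebuilt on the compromised system after the fact would simply ratify the attacker's changes.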

Recovery (continued)

– Locate the most recent clean backup

• Search for a pre-intrusion backup

– Restore the system from backups or reload the entire system

– Validate the system with users

• Users’ approval: that data is intact and system is operational

• Management approval: when to restore operations

– IT will monitor closely to ensure system functionality and safety

Recovery (continued)

– Damage Assessment:

• Is the incident over?

• What critical assets were involved, if any?

• Assess financial impact

• Is continued operation possible?

• Re-evaluate any/all recent changes to your site’s configuration

• Track and report progress

Recovery (continued)

Page 19

• Post-mortem reporting is essential to the whole process

– Start as soon as possible after the event

– Assign the task of lessons learned

– Include forms used

– Encourage review of the draft

– Attempt to reach consensus

– Conduct an official Post-mortem meeting

– Generate an executive summary document

– Management receives recommendations

– Implement management approved actions to avoid future incidents

Follow-up Reporting

Security Incident Response Plan

• The SIRP:

– Is a document providing guidance to the Security Incident Response Team

– May be used for response to all information security incidents

Document Design

• The SIRP is comprised of seven sections to assist the Company SIRT through an information security incident. The seven sections are:

– Overview

– Checklists

– PII Incident Response Procedures

– Forms

– Appendices

– Reference Sections

– Quick Reference Card

Page 20

Overview

• The overview provides a high level description of the different phases of an incident and describes the administrative duties in relation to the document itself (i.e. scope, maintenance, testing, etc.)

• It introduces the concepts of an Incident Response and describes, at a high level, the operability of the Security Incident Response Team in relation to other Company resources

Checklists

• The Checklists provide recommended procedures for handling a variety of incidents

• They cover such response areas as:

– Information Security Incident Response Process

– Initial Incident Handling

– SIRT Decision Points

– Denial of Service (DoS) Incidents

– Malicious Code Incidents

– Unauthorized Access Incidents

– Inappropriate Usage Incidents

– Multiple Component Incidents

– Generic Incidents

– Incident Post-Mortem Meeting

• Each Checklist has a flowchart that provides high-level decision points

PII Incident Response Procedures

• PII Incident Response is driven by GLBA and SB 1386

• The PII Incident Response Procedures cover

– Preparation for Notification

– Notification Procedures

• Acquisition

• Timing of Notification

• Contacting Law Enforcement

• Whom to Notify

• Coordination with Credit Reporting Agencies

• Contents of Notice

• Form and Style of Notice

• Means of Notification

Page 21

Forms

• The Forms are designed to help various SIRT positions capture necessary data. This section includes the following forms:

– First Responder Form

– SIRP Evidence Logging Guidelines

– Incident Response Status Report Summary

– Report Posting Matrix

– Phase Tracking Form

– Post-Mortem Report Example

– Sample Virus Communication Format

Appendices

• Appendices contain more fluid information that should be updated regularly. These include:

– Terms and Definitions

– Post-Mortem Report Example

– Sample Virus Communication Format

– Incident Escalation Flowchart

– Business Contacts

– Data Owners and Custodians List

Reference

• The Reference Section contains reference information that may be useful to members of the SIRT and the Triage Teams

• It provides more detailed information about specific threats and is available as an educational tool to enhance the understanding of those participating in the incident response process

Page 22

Quick Reference Card

• Two Quick Reference Cards (QRC)

– SIRT – QRC

• The Quick Reference Card (QRC) is designed to assist the SIRT to quickly decide what Severity Level to assign to an incident

• Each level is described along with a brief description to assist in identifying the types of incidents

– Field – QRC

• The Field – QRC is designed to allow field operations (CSC Managers, etc.) to determine the type of incident and what response is appropriate

• This is limited to the four areas of information security (DoS, MalCode, IU, UA)

SIRP Disclaimer

• On the front cover of the SIRP

– Disclaimer: Throughout this Security Incident Response Plan (SIRP) guidance, procedures and direction are given. At no time is it to be implied or presumed that the guidance, procedures or direction are all encompassing. Rather, this SIRP is a guide to handling information security incidents, each of which is different in nature and scope. It is up to the team of incident responders to fulfill their roles and to use their judgment and knowledge as to the best response and actions to take for that incident.

Actual Incident Direction

• If this is an actual incident go DIRECTLY to the Forms and Checklists areas of this Plan for direction in dealing with the event.

– Go to Page 3 of the SIRP

STOP


General Incident Escalation

• Appendix D: Incident Escalation Flowchart

– Go to Appendix D

• Here is a graphical representation of how an incident will be escalated and the SIRT notified of an event

• Specific contact information for the Help Desk and the IS is provided

First Responder Form

• First Responder Form

– Go to the Forms Section, Form 1

• Form Instructions

– Instructions are provided as guidelines on using the Form

• Incident Classification

– Rather than providing a checklist, the QRC is referenced

• The QRC is a Quick Reference Card on the LAST PAGE of the SIRP

First Responder Form (continued)


SIRP Logging Guidelines

• General guidance on evidence logging

– Go to Forms, Form 2 – SIRP Logging Guidelines

• Specifics determined on a case-by-case basis by the SIRT Team Members

• Guidelines deal with:

– Collection Guidance

– Documentation Guidance

– Capturing and Preserving Documentation


Incident Handling

• In every incident there is a general guideline provided by the SIRP

– It is guidance and not a strict methodology

– Go to the Checklists Section, Checklist 2

Initial Incident Handling Flowchart

(The flowchart was extracted as spaced-out letters; the node text below is recovered from that extraction. Swimlane: DETECT – Within 0-2 Hrs.)

• Obtain relevant and detailed information from the reporting party(ies)

• Who reported the incident?

– Third-party (connector A from the 3rd Party Response Process)

– Other

• Obtain detailed and specific information

• Is it a valid computer security incident?

– No: Report actions taken to Help Desk and reasoning, who updates the reported information and closes the trouble ticket, after reporting it in Form 3 – Incident Response Status Report Summary

• Analyze the symptoms reported

• Look for co-related information within the information obtained

• Perform research on symptoms reported

• Assess incident severity level based on potential business impact

• Does it need to be escalated?

– Yes: Escalate the incident to SIRT Leader if it fits certain criteria

– Indicate to SIRT Leader if incident includes PII and/or multiple business units

• Does it involve PII?

– Yes – SB 1386: Contact TFS OOP

– Yes – TFS PII: Contact TFS OoP after escalating to IT Security and invoke PII Incident Response procedure (following the Checklists section); connector OOP; DO NOT CONTINUE WITH THE CHECKLIST

– No: continue

• Incident Report (See Form 3 – Incident Report)

• Notify affected BU Coordinators of incident

• Set up a conference call and contact all participants to discuss the incident (SIRT Leader, TFS Help Desk, affected BU Coordinators)

• Evaluate analysis and initial incident severity

• Perform additional research, if necessary

• Contact TFS Help Desk to update incident severity level (SIRTL)

• Reconfirm the assets that have been affected and forecast the assets that might be affected (SIRTL, BU Coordinator)

• Does it involve PII? (re-checked after the assets are reconfirmed; the Yes branches are as above)

• Classify the incident based on the analysis

• Contact and assemble triage and support teams as necessary

• Track and report to primary BU Coordinator ALL actions taken

• Incident Report (See Form 3 – Incident Report); ensure report is updated constantly

• Complete the Contain, Notify, Recover phases by obtaining and following the appropriate incident category checklist, else follow the Generic Incident Checklist (Checklist 11 – Generic Incidents)

• End Process

Legend: Process, Decision, Terminator, Report, Information Source/Group/Team, Connector to/from another process, Page Connector. A = Connector from 3rd Party Response Process. OOP = Connector to OOP for PII Incident Response Procedure.
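As an added example (not part of the original deck or the SIRP), the Python below models the flowchart's decision points as a routing function that returns the ordered steps, the roles to contact, and whether the PII branch halted the generic checklist. The Incident and Outcome fields and the action strings are my assumptions, and the flowchart's unstated "certain criteria" for SIRT Leader escalation is taken as an input flag rather than invented.

```python
from dataclasses import dataclass, field

@dataclass
class Incident:   # constructed record; field names are assumptions, not SIRP fields
    reporter: str                     # "third-party" (enters via connector A) or "other"
    valid_security_incident: bool     # "Is it a valid computer security incident?"
    meets_escalation_criteria: bool   # the flowchart's unstated SIRT Leader criteria
    involves_pii: bool                # "Does it involve PII?" (SB 1386 or TFS PII)
    business_units: list = field(default_factory=list)
    category_checklist: str = ""      # e.g. "Checklist 8 - Unauthorized Access"

@dataclass
class Outcome:
    actions: list = field(default_factory=list)  # ordered flowchart steps taken
    notify: set = field(default_factory=set)     # roles that must be contacted
    checklist_halted: bool = False               # True when the PII branch stops the checklist

def handle_initial(inc: Incident) -> Outcome:
    """Walk the DETECT (0-2 hrs) portion of the flowchart for one incident."""
    out = Outcome()
    if inc.reporter == "third-party":
        out.actions.append("Connector A: enter from 3rd Party Response Process")
    out.actions.append("Obtain detailed information; analyze symptoms; look for co-related information")
    if not inc.valid_security_incident:
        # Not a security incident: Help Desk records the reasoning and closes the ticket.
        out.actions.append("Report actions and reasoning to Help Desk (Form 3); close ticket")
        out.notify.add("Help Desk")
        return out
    out.actions.append("Assess incident severity level from potential business impact")
    if inc.meets_escalation_criteria:
        out.actions.append("Escalate the incident to SIRT Leader")
        out.notify.add("SIRT Leader")
        if inc.involves_pii or len(inc.business_units) > 1:
            out.actions.append("Indicate to SIRT Leader: PII and/or multiple business units")
    if inc.involves_pii:
        # PII branch: hand off to IT Security and TFS OoP; the generic checklist stops here.
        out.actions += ["Escalate to IT Security, then contact TFS OoP",
                        "Invoke PII Incident Response procedure (OOP connector)",
                        "DO NOT CONTINUE WITH THE CHECKLIST"]
        out.notify.update({"IT Security", "TFS OoP"})
        out.checklist_halted = True
        return out
    out.notify.update({"primary BU Coordinator", "TFS Help Desk"})
    out.actions += ["Classify the incident based on the analysis",
                    "Contact and assemble triage and support teams as necessary",
                    "Track and report ALL actions taken to primary BU Coordinator (Form 3)",
                    "Complete Contain, Notify, Recover phases using "
                    + (inc.category_checklist or "Checklist 11 - Generic Incidents"),
                    "End Process"]
    return out
```

The useful property to check is that a PII incident never reaches a category or generic checklist, while a non-PII incident always ends in one.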

Unauthorized Access Checklist

• Each ‘type’ of incident is provided an actionable checklist

– Go to the Checklists, Checklist 8

• Review the items captured in the Checklist

• Provides assistance during an incident

• Allows for SIRT and Triage Team to stay connected at a high level

– Go to the Unauthorized Access Flowcharts

• Immediately following Checklist 8


Post-Mortem Process

• Go to Checklist 12 – Incident Post-Mortem

– Steps that can be taken to complete a Post-Mortem of the incident

– Not all steps are appropriate for every incident

– A format example can be found in the Appendices

• See Appendix B, Post-Mortem Report Example

COLE EMERSON MBCP CPP

Director

Information Risk Management

KPMG LLP

Mr. Emerson, a Sacramento, California based Director specializing in Business Continuity Management, serves as the BCM Product Champion for the Western Region and is one of the national thought leaders for BCM within KPMG. Cole has over 29 years of experience in developing and evaluating many aspects of enterprise risk management, including Business Continuity, Crisis Management, Disaster Recovery, Data and Vital Records Management, and Project Risk Management for national and international businesses and governments.

Background & Qualifications

Mr. Emerson received a Bachelor of Science in Business Administration from the University of Redlands and his Master Business Continuity Professional (MBCP) certification, one of fewer than 80 globally, from DRII. The American Society for Industrial Security (ASIS) certifies Mr. Emerson as a Board Certified Protection Professional. Prior to joining KPMG, Cole managed his own firm for 12 years, where he developed and implemented Business Continuity, Crisis Management, and Disaster Recovery programs for Fortune 500 companies. Mr. Emerson has extensive and unique experience utilizing business continuity plans and managing recovery teams in actual major disasters.

Contact details

Email: [email protected]

Office: 1-916-554-1777

Cell: 1-916-296-9747
