Breach response
Best Practices For Incident Response Management in SME vs. Enterprise

  • A best-practice discussion of what a solid Incident Response Plan (IRP) should look like, together with an analysis of the ISO 27001 standard, with particular attention to the differences between SMEs and large organizations.
  • The content sections are:
    • Structure
    • Risk Assessment and Treatment
    • Security Policy
    • Organization of Information Security
    • Asset Management
    • Human Resources Security
    • Physical Security
    • Communications and Ops Management
    • Access Control
    • Information Systems Acquisition, Development, Maintenance
    • Information Security Incident Management
    • Business Continuity
    • Compliance
  • 13. Information Security Incident Management
    • 13.1 Report information security events and weaknesses
      • 13.1.1 Report information security events as quickly as possible
      • 13.1.2 Report security weaknesses in systems and services
    • 13.2 Manage information security incidents and improvements
      • 13.2.1 Establish incident response responsibilities and procedures
      • 13.2.2 Learn from your information security incidents
      • 13.2.3 Collect evidence to support your actions

Breach response: Presentation Transcript

  • Best Practices for Incident Response Management in SME vs. Enterprise
    Claudiu Popa, CISSP CISA CIPP CRMP, President, Informatica Corporation
  • on the agenda
    • Diverging approaches to incident response
    • The ISO 27001 framework in perspective
    • The regulatory perspective
    • Where incident response is headed
    • Discussion
  • Diverging approaches
    • Large Enterprise
      • IM is compliance driven
      • Regular testing
      • Effective controls
      • Broad training
      • Some PR preparation
    • SME
      • IM is a cost centre
      • Limited testing
      • Ad-hoc controls
      • Inconsistent training
      • No PR program
  • ISO 27000
    • Define overall scope of program
    • Look for IM in security policy
    • Conduct a risk assessment or BIA
    • Manage identified risks
    • Select IM-specific controls
    • Report on IM control & ISIRT* effectiveness
    *Information Security Incident Response Team
    ISO 27001: Audit; ISO 27002: Content (Structure, Risk Assessment and Treatment, Security Policy, Organization of Information Security, Asset Management, Human Resources Security, Physical Security, Communications and Ops Management, Access Control, Information Systems Acquisition, Development, Maintenance, Information Security Incident Management, Business Continuity, Compliance)
  • Incident Management Process
    • Report information security events and weaknesses
    • Report information security events as quickly as possible
    • Report security weaknesses in systems and services
    • Manage information security incidents and improvements
    • Establish incident response responsibilities and procedures
    • Learn from your information security incidents
    • Collect evidence to support your actions
  • 1. Report information security events and weaknesses
    • Formal reporting procedures
    • All parties are trained
    • Reports must allow for corrective action
    • Communicate escalation procedures
    • Designated point of contact
    • Reporting is encouraged
    • To designated point of contact
    • Remedial action/escalation takes place
    Columns: Large Enterprise | SME
  • 2. Report information security events as quickly as possible
    • Specific management reporting channels
    • Prompt reporting required
    • Formal event reporting
    • Point of contact must be available
    • Response must be timely
    • Employees must be accountable for reporting
    • Contractors are responsible for reporting
    • Test reporting procedure effectiveness
    • Establish duress alarms
    • Must handle diverse violations/events
    • Employees required to report promptly
    • Report must be specific and detailed
    • Events and incidents reported equally
    • 3rd parties not always trained
    • Common procedures for various events
    Columns: Large Enterprise | SME
  • 3. Report security weaknesses in systems and services
    • All staff and contractors/3rd parties must record and report suspected weaknesses
    • Staff must not test suspected weaknesses
    • QA, IT and independent auditors are expected to probe for weaknesses in systems and services
    Columns: Large Enterprise | SME
  • 4. Manage information security incidents and improvements
    • IM is consistently/effectively applied
    • Staff is responsible for reporting
    • Continually improve monitoring
    • Improve evaluation standards
    • Strive for consistent application
    • Establish monitoring standards
    • Streamline testing/assessment
    Columns: Large Enterprise | SME
  • 5. Establish incident response responsibilities and procedures
    • Establish handling procedures
    • Continually improve monitoring
    • Collect adequate evidence to support legal action
    • Ensure quick and orderly response
    • Recovery procedures require integrity checking
    • Coordinate with external organizations
    • Establish repeatable process
    • Notify third parties
    • Assign trained staff
    • Collect/store evidence
    • Establish recovery procedures
    Columns: Large Enterprise | SME
  • 6. Learn from your information security incidents
    • Large Enterprise
      • Monitor and quantify types, volume, costs and impacts of incidents
      • Develop mechanisms to baseline and evaluate incidents/patterns
      • Apply learning to reduce frequency and impact of future incidents
      • Improve security policy
    • SME
      • Derive learning and procedures from committee involvement
      • Action improvement through new information derived as part of the discovery process
      • Improve security policy
  • 7. Collect evidence to support your actions
    • Collect and retain auditable evidence
    • Retain evidence appropriately
    • Ensure that systems can reliably produce evidence
    • Test controls and processes for proper evidence handling
    • Establish a strong evidence trail
    • Protect data integrity
    • Maintain logs that track evidence
    • Ensure admissibility of evidence in relevant jurisdictions
    • Create and retain ample documentation
    • Use manual controls to supplement automatic logging/monitoring
    • Store evidence for predefined period of time
    • Ensure common time-stamping and consistency
    Columns: Large Enterprise | SME
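    The evidence-handling points on this slide (auditable evidence, data integrity, a log that tracks evidence, common time-stamping, a predefined retention period) can be made concrete in a small tamper-evident chain-of-custody register. This is an added example, not code from the presentation; the 365-day retention value and the sample log line are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed policy value; the slide only says "predefined period of time".
RETENTION_DAYS = 365


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRegister:
    """Append-only chain-of-custody log; every entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, artifact: bytes, custodian, action, now=None):
        # One clock, one zone (UTC) for every entry: common time-stamping.
        now = now or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_digest"] if self.entries else "0" * 64
        entry = {
            "evidence_id": evidence_id,
            "artifact_sha256": sha256_hex(artifact),  # integrity of the item itself
            "custodian": custodian,
            "action": action,
            "timestamp": now.isoformat(timespec="seconds"),
            "retain_until": (now + timedelta(days=RETENTION_DAYS)).isoformat(timespec="seconds"),
            "prev_digest": prev,  # links this entry to everything logged before it
        }
        # Canonical JSON so the digest is reproducible when the log is re-verified later.
        entry["entry_digest"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, dropped or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_digest"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev_digest"] != prev or expected != e["entry_digest"]:
                return False
            prev = e["entry_digest"]
        return True


def artifact_matches(entry, artifact: bytes) -> bool:
    """Check that a stored item still has the hash recorded at collection time."""
    return entry["artifact_sha256"] == sha256_hex(artifact)
```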
  • Discussion
    • Where is incident management headed?
    • What is the evolution of breach response?
    • Are there any competitive / financial benefits?
  • about
    • activity
    • security leadership & strategy
    • privacy & security risk assessments
    • awareness, education & policy
    • contact
    • [email_address]
    • www.ClaudiuPopa.com
    • blog.ClaudiuPopa.com
    • twitter.ClaudiuPopa.com
    • linkedIn.ClaudiuPopa.com