ISACA Belgium CERT view 2011

Presentation given at ISACA Belgium in November 2011 at CERT.BE on ISACA's view on CERT
  • Content to Emphasize: The CISM candidate must have a thorough understanding of the knowledge statements in order to pass the CISM exam. Please explain that the learning objectives/tasks are what a CISM is expected to be able to do. The tasks relate to the knowledge statements. It may be helpful to explain that the CISM must know what the core business of the organization is if they hope to demonstrate to executive management how security can help to enable the business. Section one of the chapter in the 2011 manual provides an overview of the content as well as the task and knowledge statements. The relationship of the task statements to the knowledge statements is included on pages 232-238. In addition, an explanation is provided for each knowledge statement, its related key concepts and a reference to the content in the relevant section of the chapter. Review Manual Reference Pages: pgs. 230-239
  • Incident management is defined as the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits. Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs). Review Manual Reference Page: pg. 238
  • Content to Emphasize: Incident Management and Response is the operational part of risk management. It is the activities that take place as a result of unanticipated attacks, losses, theft, accidents or any other unexpected adverse events that occur as a result of the failure or lack of controls. The purpose of incident management and response is to manage and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels. These events can be technical, such as attacks mounted on the network via viruses, denial of service, or system intrusion, or they can be the result of mistakes, accidents, or system or process failure. Disruptions can also be caused by a variety of physical events such as theft of proprietary information, social engineering, lost or stolen backup tapes or laptops, environmental conditions such as floods, fires, or earthquakes, and so forth. Any type of incident that can significantly affect the organization’s ability to operate or that may cause damage must be considered by the information security manager and will normally be a part of incident management and response capabilities. As with other aspects of risk management, risk and business impact assessments (BIA) form the basis for determining the priority of resource protection and response activities. Incident management and response is a part of business continuity planning (BCP), as is disaster recovery. As “first responders” to adverse information security-related events, the objective is to prevent incidents from becoming problems, and to prevent problems from becoming disasters. Review Manual Reference Page: pg. 250
  • Outcomes of good incident management and response will be an organization that can deal effectively with unanticipated events that might threaten to disrupt the business. The organization will have sufficient detection and monitoring capabilities to ensure incidents are detected in a timely manner. There will be well-defined severity and declaration criteria as well as defined escalation and notification processes. Personnel will be trained in the recognition of incidents, the application of severity criteria, and proper reporting and escalation procedures. The organization will have response capabilities that demonstrably support the business strategy by being responsive to the criticality and sensitivity of the resources protected. It will serve to proactively manage the risks of incidents in a cost-effective way and will integrate security-related organizational functions to maximize effectiveness. It will provide monitoring and metrics to gauge the performance of incident management and response capabilities. It will periodically test its capabilities and ensure that information and plans are updated regularly, are current, and are accessible when needed. Review Manual Reference Page: pg. 253
  • An incident management charter is a document that formally establishes the IMT and documents its responsibility to manage and respond to security incidents. The charter also delegates the authority to take necessary actions and to make decisions prior to, during and after an incident. As incident management is broader than incident response activities, the charter should also provide authority to implement proactive measures, vulnerability management and other incident management services. Sections of the charter document should include:
    • Mission — Describes the overall goals of the team and the activities that fall within the team’s scope of responsibility. This might include such tasks as responding to all incidents, minimizing their impact, and collecting data and evidence for further investigation and potential prosecution.
    • Scope — Defines the constitution of the IMT. The scope may be different for each organization. Some common choices of IMT scope include:
    • Organizational structure — Documents how the IMT is organized from a management perspective, how the members of the team are managed and how the team reports to upper-level management.
    • Information flow — Describes how information flows before, during and after an incident. First, this section describes how a potential security incident is reported to the IMT, and provides contact information for doing so. Second, it describes how the IMT communicates information about an incident to:
      – Senior management
      – Company employees
      – Business partners (e.g., suppliers, collaborators)
      – Regulatory organizations
      – Other stakeholders
      – The public
    • Services provided — Documents the specific services the IMT provides. This is based on the mission statement (above), and may include services such as incident response, policy development, compliance testing and user education.
    Review Manual Reference Page: pg. 254
  • The approach to incident response may vary depending on the situation, but the goals are constant. These goals include:
    • Containing the effects of the incident so that damage and losses do not escalate out of control
    • Notifying the appropriate people for the purpose of recovery or to provide needed information
    • Recovering quickly and efficiently from security incidents
    • Minimizing the impact of the security incident
    • Responding systematically and decreasing the likelihood of recurrence
    • Balancing operational and security processes
    • Dealing with legal and law enforcement-related issues
    Review Manual Reference Page: pg. 255
  • As is the case with other aspects of information security, senior management commitment is critical to the success of incident management and response. It is a component of risk management and the same rationale and justification will serve. A business case can be made so that effective incident management and response may be a less costly option than attempting to implement controls for all possible conditions. Incident management and response can be part of the trade-off that may reduce the cost of risk management efforts by allowing higher levels of acceptable risk. Adequate incident response, in combination with effective information security, creates a practical risk management solution that may be more cost effective in the long run and the most prudent resource management decision. Review Manual Reference Page: pg. 255
  • Since incident management and response serves as the fire brigade, ambulance service and emergency room for the organization’s information assets, it must effectively address a wide range of possible unexpected events, both electronic and physical. It will need to have well-developed monitoring capabilities for key controls, whether procedural or technical, to provide early detection of potential problems. It will have personnel trained in assessing the situation and capable of providing triage and managing effective responses that maximize operational continuity and minimize impacts. The incident managers will have made provisions to capture all relevant information and apply previously learned lessons. They will know when a disaster is imminent and will have the well-defined criteria, experience, knowledge and authority to invoke the disaster recovery processes necessary to maintain or recover operational status. Review Manual Reference Pages: pgs. 255-256
  • Review Manual Reference Pages: pgs. 258-259
  • The incident response plan must be backed by well-defined policies, standards and procedures. A documented set of policies, standards and procedures is important to:
    • Ensure that incident management activities are aligned with the IMT mission
    • Set correct expectations
    • Provide guidance for operational needs
    • Maintain consistency and reliability of services
    The lack of suitable policies and supporting standards may hinder incident management capabilities. Review Manual Reference Page: pg. 259
  • Content to Emphasize: An IMT usually consists of an information security manager, steering committee/advisory board, permanent/dedicated team members and virtual/temporary team members. The information security manager usually leads the team. In larger organizations, it may be more effective to appoint a separate IRT leader/manager that focuses on responding to incidents. Above the information security manager, there is a set of senior management executives in a group called security steering group (SSG) or security advisory board. The SSG is responsible for approving the charter and serves as an escalation point for the IMT. The SSG also approves deviations and exceptions to normal practice. Review Manual Reference Page: pg. 260
  • Review Manual Reference Page: pg. 261
  • Review Manual Reference Page: pg. 261
  • Review Manual Reference Page: pg. 261
  • Content to Emphasize: To build an incident response team with capable incident handlers, organizations need people with certain skill sets and technical expertise, with abilities that enable them to respond to incidents, perform analysis tasks, and communicate effectively with the constituency and external contacts. They must also be competent problem solvers, must easily adapt to change, and must be effective in their daily activities. The set of basic skills that incident response team members need can be separated into two broad groups:
    • Personal skills — Major parts of the incident handler’s daily activity.
    • Technical skills
    Review Manual Reference Pages: pgs. 260-262
  • Most organizations have some sort of incident response capability, either ad hoc or formal. The information security manager must identify what is already in place as a basis for understanding the current state. There are many ways to do this; several methods that can be used are:
    • Survey of senior management, business managers and IT representatives — A survey is useful to find out how the incident management capability has performed in the past, or how that capability is perceived.
    • Self-assessment — Self-assessment is conducted by the IMT against a set of criteria to develop an understanding of current capabilities. This is the easiest to do without requiring participation from many stakeholders. The disadvantages of this method include a limited view of current capability, which may not be in line with stakeholders’ perceived capability.
    • External assessment or audit — The most comprehensive option, combining interviews, surveys, simulation and other assessment techniques. This option is normally used by an organization that already has an adequate incident management capability but is further improving it or reengineering the processes.
    Review Manual Reference Page: pg. 264
  • Past incidents (both internal and external) can provide valuable information on trends, types of events, and business impacts. This information is used as an input to the assessment of the types of incidents that must be considered and planned for. Review Manual Reference Page: pg. 264
  • Risk tolerance is the same as acceptable risk which, in the final analysis, must be determined by management. Determining acceptable impacts in financial terms and then working backward to determine risk levels may help facilitate an understanding by management. The information security manager should be aware that incident management also includes business continuity and disaster recovery planning (DRP). DRP generally comprises the plan to recover an IT processing facility, or the plan by business units to recover an operational facility. The recovery plan must be consistent with and support the overall IT plan of the organization. Overall, response management is equal to the combination of BCP, DRP, continuity of business operations and incident response, although each part, depending on the complexity of the organization, does not necessarily have to be integrated into one single plan. To have a viable response management planning strategy, however, each must be consistent with the others. Review Manual Reference Page: pg. 264
  • No matter how good controls may be, the risk of an incident cannot be completely eliminated. Accordingly, the information security manager should oversee the development of response and recovery plans to ensure that they are properly designed and implemented. These plans should, as described previously, be based on the BIA. Next, response and recovery strategies should be identified and validated and then approved by senior management. Once senior management approves these strategies, the information security manager should oversee the development of the response and recovery plans. During this process, response and recovery teams should be identified and team members mobilized. The plans must provide the teams guidance concerning the steps to be taken to recover business processes. Review Manual Reference Pages: pgs. 264-265
  • Recovery time objective (RTO) is defined as the amount of time allowed for the recovery of a business function or resource to a predefined operational level after a disaster occurs. Exceeding this time would mean organization survival would be threatened or the losses would exceed acceptable levels. RTOs are determined as a result of management deciding the level of acceptable impact as a result of the unavailability of information resources. Generally, the optimal RTO is the point where the ongoing cost of loss is equal to the cost of recovery. Review Manual Reference Page: pg. 265
  • The following model, proposed by Schultz, Brown and Longstaff in a University of California technical report, “Responding to Computer Security Incidents: Guidelines for Incident Handling” (UCRL-ID-104689, July 23, 1990), presents the six-phase model of incident response, including preparation, identification, containment, eradication, restoration and follow-up:
    • Preparation — This phase prepares an organization to develop an incident response plan prior to an incident. Sufficient preparation facilitates smooth execution.
    • Identification — This phase aims to verify if an incident has happened and find out more details about the incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as an incident.
    • Containment — After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure.
    • Eradication — When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.
    • Recovery — This phase ensures that affected systems or services are restored to a condition specified in the RPO. The time constraint up to this phase is documented in the RTO.
    • Lessons learned — At the end of the incident response process, a report should always be developed to share what has happened, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the IMT and other stakeholders valuable learning points on what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan.
    Review Manual Reference Pages: pgs. 265-266
  • Preparation — This phase prepares an organization to develop an incident response plan prior to an incident. Sufficient preparation facilitates smooth execution. Activities in this phase include:
    – Establishing an approach to handle incidents
    – Establishing policy and warning banners in information systems to deter intruders and allow information collection
    – Establishing a communication plan to stakeholders
    – Developing criteria on when to report an incident to authorities
    – Developing a process to activate the incident management team
    – Establishing a secure location to execute the incident response plan
    – Ensuring needed equipment is available
    Review Manual Reference Pages: pgs. 265-266
  • Identification — This phase aims to verify if an incident has happened and find out more details about the incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as an incident. Activities in this phase include:
    – Assigning ownership of an incident or potential incident to an incident handler
    – Verifying that reports or events qualify as an incident
    – Establishing chain of custody during identification when handling potential evidence
    – Determining the severity of an incident and escalating it as necessary
    Review Manual Reference Pages: pgs. 265-266
  • Containment — After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure. Activities in this phase include:
    – Activating the incident management/response team to contain the incident
    – Notifying appropriate stakeholders affected by the incident
    – Obtaining agreement on actions taken that may affect availability of a service or risks of the containment process
    – Getting the IT representative and relevant virtual team members involved to implement containment procedures
    – Obtaining and preserving evidence
    – Documenting and taking backups of actions from this phase onward
    – Controlling and managing communication to the public by the public relations team
    Review Manual Reference Pages: pgs. 265-266
  • Eradication — When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause. Activities in this phase include:
    – Determining the signs and cause of incidents
    – Locating the most recent version of backups or alternative solutions
    – Removing the root cause. In the event of worm or virus infection, it can be removed by deploying appropriate patches and updated antivirus software.
    – Improving defenses by implementing protection techniques
    – Performing vulnerability analysis to find new vulnerabilities introduced by the root cause
    Review Manual Reference Pages: pgs. 265-266
  • Recovery — This phase ensures that affected systems or services are restored to a condition specified in the RPO. The time constraint up to this phase is documented in the RTO. Activities in this phase include:
    – Restoring operations to normal
    – Validating that actions taken on restored systems were successful
    – Getting system owners involved to test the system
    – Facilitating system owners to declare normal operation
    Review Manual Reference Pages: pgs. 265-266
  • Lessons learned — At the end of the incident response process, a report should always be developed to share what has happened, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the IMT and other stakeholders valuable learning points on what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan. Activities in this phase include:
    – Writing the incident report
    – Analyzing issues encountered during incident response efforts
    – Proposing improvements based on issues encountered
    – Presenting the report to relevant stakeholders
    Review Manual Reference Pages: pgs. 265-266
  • Content to Emphasize: Training the response teams is essential; the information security manager should develop event scenarios and test the response and recovery plans to ensure that team participants are familiar with their tasks and responsibilities. Through this process the teams will also identify the resources they require for response and recovery, providing the basis for equipping the teams with needed resources. An added value of training is detecting and modifying ambiguous procedures to achieve clarity and determining recovery resources that may not be adequate or effective. IMT members should undergo the following training program:
    • Induction to the IMT — The induction should provide the essential information required to be an effective IMT member.
    • Mentoring team members regarding roles, responsibilities and procedure — Existing IMT members can provide valuable knowledge to aid new members after induction. To facilitate effective mentoring, the buddy system can be used, pairing new members with experienced members.
    • On-the-job training — May serve to provide an understanding of company policies, standards, procedures, available tools and applications, acceptable code of conduct, etc.
    • Formal training — Team members may require formal training to attain an adequate level of competence necessary to support the overall incident management capability.
    Review Manual Reference Page: pg. 266
  • Content to Emphasize: The information security manager must understand the basic processes required to recover operations from incidents such as DoS attacks, natural disasters and other potential disruption of business operations. Disaster recovery (DR) has traditionally been defined as the recovery of IT systems after disruptive events such as hurricanes and floods. Business recovery is defined as the recovery of the critical business processes necessary to continue or resume operations. Business recovery includes not only disaster recovery, but also all other required operational aspects. Review Manual Reference Page: pg. 266
  • Content to Emphasize: Various strategies exist for recovering critical information resources. The most appropriate strategy is likely to be one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost. Depending on the size and complexity of the organization and the state of recovery planning, the information security manager should understand that the development of an incident management and response plan is likely to be a difficult and expensive process that may take considerable time. It may require the development of several alternative strategies encompassing different capabilities and costs to be presented to management for a final decision. Each alternative must be sufficiently developed to provide an understanding of the trade-offs between scope, capabilities and cost. It may be prudent to consider outsourcing some or all of the needed capabilities and determine costs for the purpose of comparisons. Once the decision is made for which strategy best meets management’s objectives, it provides the basis for the development of detailed incident management and response plans. Review Manual Reference Page: pg. 267
  • The plan must identify teams and define their assigned responsibilities in the event of an incident. To implement the strategies that have been developed for business recovery, key decision-making, technical and end-user personnel to lead teams need to be designated and trained. Depending on the size of the business operation, a team may consist of a single person. The involvement of these teams depends on the level of the disruption of service and the types of assets lost, compromised, damaged or endangered. A matrix should be developed that indicates the correlation between the functions of the different teams. This will facilitate estimating the magnitude of the effort and activating the appropriate combination of teams. Examples of the kinds of teams usually needed include:
    • Emergency action team — Designated fire wardens and “bucket crews” whose function is to deal with fires or other emergency response scenarios
    • Damage assessment team — Qualified individuals who assess the extent of damage to physical assets and make an initial determination regarding what is a complete loss vs. what is restorable or salvageable
    • Emergency management team — Responsible for coordinating the activities of all other recovery teams and handling key decision making
    • Relocation team — Responsible for coordinating the process of moving from the hot site to a new location or to the restored original location
    • Security team — Often called a computer security incident response team, it is responsible for monitoring the security of systems and communication links, containing any ongoing security threats, resolving any security issues that impede the expeditious recovery of the system(s), and assuring the proper installation and functioning of every security software package.
    Review Manual Reference Pages: pgs. 269-270
  • The recovery plan must also cover notification responsibilities and requirements. It should also include a directory of key decision-making personnel, information systems owners, end users and others required to initiate and carry out response efforts. This directory should also include multiple communication methods (telephone, cell phone, text, e-mail, etc.). The directory should include at least the following individuals:
    • Representatives of equipment and software vendors
    • Contacts within companies that have been designated to provide supplies and equipment or services
    • Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services
    • Contacts at offsite media storage facilities and the contacts within the company who are authorized to retrieve media from the offsite facility
    • Insurance company agents
    • Contacts at human resources (HR) and/or contract personnel services
    • Law enforcement contacts
    Review Manual Reference Page: pg. 270
  • The information security manager, helped by the recovery team’s organization, should implement periodic testing of response and recovery plans. Testing should include:
    • Developing test objectives
    • Executing the test
    • Evaluating the test
    • Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans
    • Implementing a follow-up process to ensure that the recommendations are implemented
    Review Manual Reference Page: pg. 273
  • Content to Emphasize: The information security manager should also implement a tracking process to ensure that any recommendations resulting from testing are implemented in a timely fashion. Personnel should be tasked with making any necessary changes. The information security manager needs to understand that testing of recovery and response plans needs to include infrastructure and critical applications. With today’s organizations’ heavy reliance on information technology, the information security manager is tasked with securing these systems not only during normal operations, but also during disaster events. Based on the risk assessment and business impact information, the information security manager can identify the critical applications that the organization requires and the infrastructure needed to support them. To ensure that these are recovered in a timely fashion, the information security manager needs to perform appropriate recovery tests. Review Manual Reference Pages: pgs. 273-274
  • Review Manual Reference Page: pg. 274
  • To ensure the response and recovery plans are executed as required, the plans need a facilitator or director to direct the tasks within the plans, oversee their execution, liaise with senior management and make decisions as necessary. The information security manager may or may not be the appropriate person to act as the recovery plan director or coordinator, but must be certain the role is assigned to someone who can perform this critical function. Developing appropriate response and recovery strategies as well as alternatives is an essential component in the overall process of executing the response and recovery plans. It will provide reasonable assurance that the organization can recover its key business functions in the event of a disruption and that it responds appropriately to a security-related incident. Review Manual Reference Page: pg. 275
  • Having a good legal framework is important to provide options to the organization. The information security manager should develop data preservation procedures with the advice and assistance of legal counsel, the organization’s managers and knowledgeable law enforcement officials to assure the procedures provide sufficient guidance to IT and security staff. With the assistance of these specialized resources, the information security manager can develop procedures to handle security events in a manner that preserves evidence, ensures a legally sufficient chain of custody, and is appropriate to meet business objectives. There are a few basic actions the information systems staff must understand. These include doing nothing that could change, modify or contaminate potential or actual evidence. Trained forensics personnel can inspect computer systems that have been attacked, but if the organization’s personnel contaminate the information, the data may not be admissible in a court of law and/or the forensics staff may be unable to use the data in investigating an incident. Computer forensics, the gathering and handling of information and physical objects relevant to a security incident in a systematic manner so that they can be used as evidence in a court of law, should usually be performed by specially trained staff, third-party specialists, a security incident response team or law enforcement officials. Review Manual Reference Page: pg. 278
  • Content to Emphasize: The information security manager should understand that any contamination of evidence following an intrusion could prevent an organization from prosecuting a perpetrator and limit its options. In addition, the modification of data can inhibit the computer forensic activity necessary to identify the perpetrator and all the changes and effects resulting from an attack. It may also preclude the possibility of identifying how the attack occurred, and how the security program should be changed and enhanced to reduce the risk of a similar attack in the future. The usual recommendation for a computer that has been compromised is to disconnect the power to maximize the preservation of evidence on the hard disk. This is not universally accepted as the best solution, and the information security manager will need to establish the most appropriate approach for their organization and train personnel in the appropriate procedures. Whichever procedure is used to secure a compromised system, trained personnel must use forensic tools to create a bit-by-bit copy of any evidence that may exist on hard drives and other media to ensure legal admissibility. To avoid the potential for alteration or destruction of incident-related data, any testing or data analysis should be conducted using this copy. The original should be given to a designated evidence custodian who must store it in a safe location. The original media must remain unchanged, and a record of who has had custody of it—the chain of custody—must be maintained for the evidence to be admissible in court. Review Manual Reference Page: pgs. 278-279
  • Content to Emphasize: The information security manager should manage post-event reviews to learn from each incident and the resulting response and recovery effort, and to use the information to improve the organization’s response and recovery procedures. The information security manager may perform post-event reviews to identify causes and corrective actions with the help of third-party specialists if detailed forensic skills are needed. Review Manual Reference Page: pg. 279
  • The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs. ANSI reaccredited these ISACA programs in 2008. ANSI’s accreditation:
    • Promotes the unique qualifications and expertise our certifications provide
    • Protects the integrity of our certifications and provides legal defensibility
    • Enhances consumer and public confidence in the certifications and the people who hold them
    • Facilitates the mobility of certified individuals across borders or industries
  Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process. To maintain ANSI accreditation, certification bodies such as ISACA are required to consistently adhere to a set of requirements or procedures related to quality, openness and due process. The American National Standards Institute (ANSI) is a private, nonprofit organization that administers and coordinates the US voluntary standardization and conformity assessment system. Its mission is to enhance both the global competitiveness of US business and the US quality of life by promoting and facilitating voluntary consensus standards and conformity assessment systems, and safeguarding their integrity. Importantly, this accreditation and adherence to ISO/IEC 17024 is being used as an industry benchmark. For example, the U.S. Department of Defense (DoD), to ensure a knowledgeable and skilled workforce, has developed a directive that requires every full- and part-time military service member, defense contractor, civilian and foreign employee with privileged access to a DoD system, regardless of job series or occupational specialty, to obtain a commercial certification credential that has been accredited by the American National Standards Institute (ANSI).
With this accreditation, we anticipate that significant opportunities for CISMs will continue to open in the US, and we believe it will be a strong motivator for similar recognition by governmental entities outside the US.
  • Transcript

    • 1. Incident Management and Response
    • 2. CISO Tasks
      • Develop & implement processes for detecting, identifying, analyzing and responding to information security incidents
      • Establish escalation & communication processes & lines of authority
      • Develop plans to respond to & document information security incidents
      • Establish capability to investigate information security incidents
      • Develop process to communicate with internal parties & external organizations
      • Integrate information security incident response plans with disaster recovery plan (DRP) & business continuity plan (BCP)
      • Organize, train, equip teams to respond to information security incidents
      • Periodically test & refine information security incident response plans
      • Manage response to information security incidents
      • Conduct reviews to identify causes of information security incidents, develop corrective actions & reassess risk
    • 3. Definition
      • What is incident management and response?
      • Incident management is the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits
      • Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs).
    • 4. Incident Management and Response Overview
      • Purpose = manage impact of unexpected disruptive events to acceptable levels
      • Possible disruptions may be
        • Technical
        • Physical
        • Environmental
      • Any type of incident that can significantly affect organization’s ability to operate or that may cause damage must be considered by the CISO
    • 5. Outcomes of Incident Management and Response
      • Outcomes of good incident management & response include organization that
        • Can deal effectively with unanticipated events
        • Has sufficient detection & monitoring capabilities
        • Has well defined severity & declaration criteria as well as defined escalation & notification processes
        • Has response capabilities that demonstrably support business strategy
        • Proactively manages risks of incidents appropriately
        • Periodically tests its capabilities
        • Provides monitoring & metrics to gauge performance of incident management & response capabilities
    • 6. Scope & Charter of Incident Management
      • Scope/charter document
        • Formally establishes IMT
        • Documents its responsibility to manage & respond to security incidents
      • Sections of charter should include:
        • Mission
        • Scope
        • Organizational structure
        • Information flow
        • Services provided
    • 7. Responsibilities
      • Incident response goals include:
        • Containing effects of incident (damage & losses do not escalate out of control)
        • Notifying appropriate people for purpose of recovery or to provide needed information
        • Recovering quickly & efficiently from security incidents
        • Minimizing impact of info security incident
        • Responding systematically & decreasing likelihood of recurrence
        • Balancing operational & security processes
        • Dealing with legal & law enforcement-related issues
    • 8. Senior Management Commitment
      • Senior management is critical to success of incident management & response
      • Incident management & response
        • Is component of risk management
        • Needs same level of support from senior management
    • 9. Desired State
      • Incident management & response requires:
        • Well-developed monitoring capabilities for key controls
        • Personnel trained in assessing situation, capable of providing triage, managing effective responses
        • Managers that have made provisions to capture all relevant information & apply previously learned lessons
        • Managers who
          • Know when disaster is imminent
          • Have well-defined criteria
          • Have experience, knowledge, and authority to invoke disaster recovery processes necessary to maintain or recover operational status
    • 10. Challenges in Developing an Incident Management Plan
      • Challenges may be result of
        • Lack of management buy-in & organizational consensus
        • Mismatch to organizational goals & structure
        • IMT member turnover
        • Lack of communication process
        • Complex & wide plan
    • 11. Policies and Standards
      • Documented set of incident response policies, standards and procedures is important to:
        • Ensure incident management activities are aligned to IMT mission
        • Set correct expectations
        • Provide guidance for operational needs
        • Maintain consistency & reliability of services
    • 12. Personnel
      • IMT usually consists of
        • CISO (who usually leads the team)
        • Steering committee/advisory board
        • Permanent/dedicated team members
        • Virtual/temporary team members
      • Composition of incident response staff will vary from team-to-team & will depend on number of factors such as:
        • Mission & goals of incident response program
        • Nature & range of services offered
        • Available staff expertise
        • Constituency size & technology base
        • Anticipated incident load
        • Severity or complexity of incident reports
        • Funding
    • 13. Roles and Responsibilities
    • 14. Roles and Responsibilities (continued)
    • 15. Roles and Responsibilities (continued)
    • 16. Skills
      • Basic skills for incident response team members can be separated into 2 groups:
      • Personal skills
        • Communication
        • Presentation skills
        • Ability to follow policies and procedures
        • Team skills
        • Integrity
        • Self understanding
        • Coping with stress
        • Problem solving
        • Time management
      • Technical skills
        • Technical foundation skills—Require basic understanding of underlying technologies used by organization
        • Incident handling skills—Require understanding of techniques, decision points & supporting tools required in daily activities
    • 17. Current State of Incident Response Capability
      • Ways to identify current state of incident response capability include:
      • Survey of senior management, business managers and IT representatives
      • Self-assessment
      • External assessment or audit
    • 18. History of Incidents
      • Past incidents provide valuable information on trends, types and business impacts
        • Can be used as input for assessment of IMT’s performance
        • Used as input to assessment of types of incidents that must be considered & planned for
    • 19. Risk Tolerance
      • Risk tolerance = same as acceptable risk which must be determined by management
      • CISO should be aware that incident management also includes BCP & DRP
      • Overall response management = combination of BCP, DRP, continuity of business operations and incident response
    • 20. Integrating a BIA Into Incident Response
      • CISO needs to
        • Oversee development of response & recovery plans* to ensure they are properly designed & implemented
        • Ensure resources required to continue business are identified & recorded
        • Identify & validate response and recovery strategies
        • Obtain senior management approval of strategies
        • Oversee development of comprehensive response & recovery plans
      * Should be based on BIA
    • 21. Integrating RTO & RPO Into Incident Response
      • RTO = amount of time allowed for recovery of business function or resource after disaster occurs
      • Effective incident management = includes resolving incidents within acceptable interruption window (AIW)
      • RPO = measurement of point prior to outage to which data are to be restored
          • Describes state of recovery that should be achieved to facilitate acceptable outcomes
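The RTO and RPO definitions above are targets; after an incident a CISO also needs to know what was actually achieved. The following Python script is an added example, not part of the ISACA slides, that generalises the two definitions into a check over an incident timeline and a backup log: achieved RPO is measured from the last backup that completed successfully before the outage (a failed backup silently widens it), and achieved RTO from outage start to declared normal operation. All timestamps, the backup records and the targets are constructed sample data.

```python
"""Check achieved recovery against RTO and RPO targets (added example, constructed data)."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def _t(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(s, FMT)


def last_good_backup(backups, outage_start):
    """Most recent backup that completed successfully at or before the outage, or None."""
    good = [_t(b["completed"]) for b in backups
            if b["status"] == "ok" and _t(b["completed"]) <= outage_start]
    return max(good) if good else None


def assess_recovery(incident, backups, rto, rpo):
    """Return achieved RTO/RPO and whether each target was met.

    incident: {"outage_start": str, "restored": str}
    backups:  list of {"completed": str, "status": "ok" | "failed"}
    rto, rpo: timedelta targets agreed with management
    """
    start = _t(incident["outage_start"])
    restored = _t(incident["restored"])
    backup = last_good_backup(backups, start)
    achieved_rto = restored - start                      # downtime actually suffered
    achieved_rpo = (start - backup) if backup else None  # data actually lost
    return {
        "achieved_rto": achieved_rto,
        "rto_met": achieved_rto <= rto,
        "last_good_backup": backup.strftime(FMT) if backup else None,
        "achieved_rpo": achieved_rpo,
        "rpo_met": achieved_rpo is not None and achieved_rpo <= rpo,
    }


def max_backup_gap(backups):
    """Largest gap between consecutive successful backups.

    If this exceeds the RPO, the schedule cannot meet the RPO even before any
    incident occurs; that is the check to run during preparation, not recovery.
    """
    times = sorted(_t(b["completed"]) for b in backups if b["status"] == "ok")
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


# Constructed sample data: nightly backups, one of which failed unnoticed.
SAMPLE_BACKUPS = [
    {"completed": "2011-11-14 02:00", "status": "ok"},
    {"completed": "2011-11-15 02:00", "status": "ok"},
    {"completed": "2011-11-16 02:00", "status": "failed"},
    {"completed": "2011-11-17 02:00", "status": "ok"},
]
SAMPLE_INCIDENT = {"outage_start": "2011-11-16 14:30", "restored": "2011-11-16 20:00"}


def demo():
    """Assess the constructed incident against a 4-hour RTO and 24-hour RPO."""
    return assess_recovery(SAMPLE_INCIDENT, SAMPLE_BACKUPS,
                           rto=timedelta(hours=4), rpo=timedelta(hours=24))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("largest gap between good backups:", max_backup_gap(SAMPLE_BACKUPS))
```

On the sample data both targets are missed: the failed 16 November backup pushes the achieved RPO to 36.5 hours against a 24-hour target, which is the kind of finding a post-event review should feed back into the backup monitoring controls.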
    • 22. Elements of an Incident Response Plan
      • CIAC & SANS Institute propose following incident response phases:
        • Preparation
        • Identification
        • Containment
        • Eradication
        • Recovery
        • Lessons learned
    • 23. Elements of an Incident Response Plan
      • Preparation—prepares organization to develop incident response plan prior to incident. Sufficient preparation facilitates smooth execution.
      • Activities:
      • Establishing approach to handle incidents
      • Establishing policy & warning banners in information systems to deter intruders & allow information collection
      • Establishing communication plan to stakeholders
      • Developing criteria on when to report incident to authorities
      • Developing process to activate incident management team
      • Establishing secure location to execute incident response plan
      • Ensuring equipment needed is available
    • 24. Elements of an Incident Response Plan
      • Identification—aims to verify if incident has happened & find out more details about incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as incident.
      • Activities:
      • Assigning ownership of incident or potential incident to incident handler
      • Verifying reports or events qualify as incident
      • Establishing chain of custody during identification when handling potential evidence
      • Determining severity of incident & escalating it as necessary
    • 25. Elements of an Incident Response Plan
      • Containment—after incident has been identified & confirmed, IMT is activated & information from incident handler is shared. Team will conduct detailed assessment & contact system owner or business manager of the affected information systems/assets to coordinate further action. The action taken is to limit the exposure.
      • Activities:
      • Activating incident management/response team to contain incident
      • Notifying appropriate stakeholders affected by incident
      • Obtaining agreement on actions taken that may affect availability of a service or risks of the containment process
      • Getting IT representative & relevant virtual team members involved to implement containment procedures
      • Obtaining & preserving evidence
      • Documenting & taking backups of actions from this phase onward
      • Controlling & managing communication to public by PR team
    • 26. Elements of an Incident Response Plan
      • Eradication—when containment measures have been deployed, it is time to determine root cause of incident & eradicate it. Eradication can be done in number of ways: restoring backups to achieve clean state of system, removing root cause, improving defenses & performing vulnerability analysis to find further potential damage from same root cause.
      • Activities:
      • Determining signs & cause of incidents
      • Locating most recent version of backups or alternative solutions
      • Removing root cause. In event of worm or virus infection, it can be removed by deploying appropriate patches & updated antivirus software.
      • Improving defenses by implementing protection techniques
      • Performing vulnerability analysis to find new vulnerabilities introduced by root cause
    • 27. Elements of an Incident Response Plan
      • Recovery—ensures affected systems or services are restored to condition specified in RPO. The time constraint is documented in RTO.
      • Activities:
      • Restoring operations to normal
      • Validating that actions taken on restored systems were successful
      • Getting involvement of system owners to test system
      • Facilitating system owners to declare normal operation
    • 28. Elements of an Incident Response Plan
      • Lessons learned
      • At end of incident response process, report should always be developed to share what has happened, what measures were taken & results after plan was executed. Part of report should contain lessons learned that provide IMT & other stakeholders valuable learning points of what could have been done better. These lessons should be developed into plan to enhance incident management capability & documentation of incident response plan.
      • Activities:
      • Writing incident report
      • Analyzing issues encountered during incident response efforts
      • Proposing improvement based on issues encountered
      • Presenting report to relevant stakeholders
    • 29. Organizing, Training and Equipping the Response Staff
      • Every IMT member should get following training:
        • Induction to IMT—basic information about the team and its operations
        • Mentoring re. team’s roles, responsibilities and procedures
        • On the job training
        • Formal training
    • 30. Recovery Planning and Business Recovery Processes
      • DRP is traditionally defined as recovery of IT systems when disastrous events occur
      • BCP is defined as recovery of critical business processes necessary to continue or resume operations.
      • Each of these planning processes typically includes several main phases, including:
        • Risk & business impact assessment
        • Response & recovery strategy definition
        • Documenting response & recovery plans
        • Training that covers response & recovery procedures
        • Updating response & recovery plans
        • Testing response & recovery plans
        • Auditing response & recovery plans
    • 31. Recovery Strategies
      • Most appropriate strategy = one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost
      • Development of incident management & response plan = difficult & expensive process that may take considerable time
        • Involves development of several alternative strategies
        • Prudent to consider outsourcing some or all of the needed capabilities
    • 32. Incident Management and Response Teams
      • Number of teams depends upon size of organization & magnitude of operations; examples include:
      • Emergency action team
      • Damage assessment team
      • Emergency management team
      • Relocation team
      • Security team
    • 33. Notification Requirements
      • Plan should include call tree with prioritized list of contacts
      • Representatives of equipment & software vendors
      • Contacts within companies that have been designated to provide supplies & equipment or services
      • Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services
      • Contacts at offsite media storage facilities & contacts within company who are authorized to retrieve media from offsite facility
      • Insurance company agents
      • Contacts at human resources (HR) & contract personnel services
      • Law enforcement contacts
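Slide 24 asks the handler to determine severity and escalate, and slide 33 asks for a prioritized call tree; in practice the two combine into a timed escalation. The Python script below is an added example, not part of the ISACA material: declaration criteria (constructed thresholds) map observed facts to a severity tier, each tier has an ordered contact list with an acknowledgement timeout, and a contact that does not acknowledge in time escalates the call to the next entry. The roles, thresholds and timestamps are assumptions chosen for illustration.

```python
"""Severity declaration and timed call-tree escalation (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed call tree: (role, acknowledgement timeout in minutes), highest priority first.
CALL_TREE = {
    "high": [("incident handler", 15), ("CISO", 15),
             ("emergency management team", 30), ("law enforcement liaison", 60)],
    "medium": [("incident handler", 30), ("CISO", 60)],
    "low": [("incident handler", 240)],
}


def classify_severity(systems_affected, data_sensitivity, business_critical):
    """Constructed declaration criteria: turn facts from triage into a severity tier."""
    if business_critical or data_sensitivity == "confidential" or systems_affected >= 10:
        return "high"
    if systems_affected >= 2 or data_sensitivity == "internal":
        return "medium"
    return "low"


def escalation_state(severity, declared_at, acks, now):
    """Walk the call tree for a declared severity.

    acks maps role -> datetime of acknowledgement. Returns a dict with:
      owner    first role that acknowledged within its window, or None
      overdue  roles that missed their timeout (the call escalated past them)
      pending  role still inside its acknowledgement window, if any
      notified every role the chain has reached so far
    """
    notified, overdue = [], []
    notify_at = declared_at
    for role, timeout_min in CALL_TREE[severity]:
        if notify_at > now:            # the chain has not reached this contact yet
            break
        notified.append(role)
        deadline = notify_at + timedelta(minutes=timeout_min)
        acked = acks.get(role)
        if acked is not None and acked <= deadline:
            return {"owner": role, "overdue": overdue, "pending": None, "notified": notified}
        if now < deadline:
            return {"owner": None, "overdue": overdue, "pending": role, "notified": notified}
        overdue.append(role)           # missed the window: escalate to the next contact
        notify_at = deadline
    return {"owner": None, "overdue": overdue, "pending": None, "notified": notified}


def demo():
    """Constructed scenario: handler misses the page, CISO picks it up."""
    declared = datetime(2011, 11, 16, 10, 0)
    sev = classify_severity(systems_affected=3, data_sensitivity="confidential",
                            business_critical=False)
    return sev, escalation_state(sev, declared, {"CISO": datetime(2011, 11, 16, 10, 20)},
                                 now=datetime(2011, 11, 16, 10, 25))


if __name__ == "__main__":
    print(demo())
```

Because the next contact's window opens exactly when the previous one closes, the function reports the same state regardless of how often it is polled, which makes it safe to drive from a scheduled job that re-pages whoever is pending.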
    • 34. Periodic Testing of the Response and Recovery Plans
      • Testing must include:
      • Developing test objectives
      • Executing test
      • Evaluating test
      • Developing recommendations to improve effectiveness of testing processes as well as response & recovery plans
      • Implementing follow-up process to ensure recommendations are implemented
    • 35. Testing for Infrastructure and Critical Business Applications
      • After test objectives have been defined, CISO must:
        • Ensure independent third party observer is present to monitor & evaluate the test 
        • Implement tracking process to ensure any recommendations resulting from testing are implemented in timely fashion
        • Know about disaster recovery testing for infrastructure & critical business applications
    • 36. Type of Tests
      • Tests that are progressively more challenging:
      • Table-top walk-through of plans
      • Table-top walk-through with mock disaster scenarios
      • Testing infrastructure & communication components of plan
      • Testing infrastructure & recovery of critical applications
      • Testing infrastructure, critical applications & involvement of end users
      • Full restoration & recovery tests with some personnel unfamiliar with systems
      • Surprise tests
    • 37. Ensuring Execution as Required
      • Facilitator or director* is needed to
        • Direct tasks within plans
        • Oversee plan execution
        • Liaise with senior management
        • Make decisions as necessary
      • Defining appropriate recovery strategies & alternatives is important in overall process
      * The CISO often serves as facilitator
    • 38. Establishing Procedures
      • If an incident occurs:
        • Information security staff needs documented procedures so that information can be properly recorded and preserved
        • CISO should develop data/evidence preservation procedures
        • Information systems staff must understand basic procedures, including taking no action that could change/modify/contaminate potential or actual evidence
      • Initial response by system administrator should include:
      • Retrieving information needed to confirm incident
      • Identifying scope & size of affected environment (e.g., networks, systems, applications)
      • Determining degree of loss, modification or damage (if any)
      • Identifying possible path or means of attack
    • 39. Requirements for Evidence
      • CISO must know
        • Requirements for collecting & presenting evidence
        • Rules for evidence, admissibility of evidence, and quality and completeness of evidence
        • Consequences of any contamination of evidence following info security incident
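The speaker note on evidence handling and slides 38 and 39 describe the same discipline: take a bit-by-bit copy of the original media, work only on the copy, hand the original to an evidence custodian, and keep a chain-of-custody record. The Python script below is an added example, not part of the ISACA material, that models that discipline with in-memory "media" so it runs offline; the `EvidenceItem` class, its method names and the sample disk contents are constructed for illustration and are not a real forensic tool.

```python
"""Forensic imaging, integrity verification and chain-of-custody log (added example)."""
import hashlib
import io
from datetime import datetime, timezone


def sha256_of(stream, chunk_size=4096):
    """Hash a file-like object in chunks, as a forensic tool hashes a whole disk image."""
    digest = hashlib.sha256()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    stream.seek(0)
    return digest.hexdigest()


def image_media(original, chunk_size=4096):
    """Bit-by-bit copy of the original; returns (copy, original_hash, copy_hash)."""
    copy = io.BytesIO()
    original.seek(0)
    for chunk in iter(lambda: original.read(chunk_size), b""):
        copy.write(chunk)
    original.seek(0)
    return copy, sha256_of(original), sha256_of(copy)


class EvidenceItem:
    """Tracks an original's hash at acquisition and every custody transfer."""

    def __init__(self, item_id, description, original, collected_by):
        self.item_id = item_id
        self.description = description
        self.original = original
        self.acquisition_hash = sha256_of(original)   # known-good value, recorded once
        self.custody_log = []
        self.transfer(holder=collected_by, reason="collected at scene")

    def transfer(self, holder, reason, when=None):
        """Append a chain-of-custody entry; the log is append-only by convention."""
        when = when or datetime.now(timezone.utc)
        self.custody_log.append({"when": when.isoformat(), "holder": holder, "reason": reason})

    def current_custodian(self):
        return self.custody_log[-1]["holder"]

    def verify_integrity(self):
        """True only if the original still hashes to its acquisition value."""
        return sha256_of(self.original) == self.acquisition_hash

    def working_copy(self):
        """Image the original for analysis; refuse if the copy or original has drifted."""
        copy, orig_hash, copy_hash = image_media(self.original)
        if orig_hash != copy_hash or orig_hash != self.acquisition_hash:
            raise RuntimeError("image does not match the acquired original")
        return copy


def demo():
    """Constructed scenario: acquire, hand to custodian, analyse the copy only."""
    original = io.BytesIO(b"\x00boot" * 300 + b"auth.log: Failed password for root\n")
    item = EvidenceItem("EV-0001", "web server system disk (constructed sample)",
                        original, collected_by="on-call analyst")
    item.transfer("evidence custodian", "sealed and stored in safe")
    copy = item.working_copy()
    copy.seek(0, io.SEEK_END)
    copy.write(b"analyst scratch notes")       # mutating the copy leaves the original intact
    return item.verify_integrity(), item.current_custodian(), len(item.custody_log)


if __name__ == "__main__":
    print(demo())
```

The two checks a court will ask about map onto two methods: `verify_integrity` shows the original is unchanged since acquisition, and `custody_log` shows who held it and why at every step.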
    • 40. Post-event Reviews
      • Post-event reviews = critical part of incident management process
      • CISO should:
        • Manage post-event reviews to learn from completed tasks & to use information to improve IMT’s response procedures
        • Consider enlisting help of third-party specialists if detailed forensic skills are needed
    • 41. Contact Information
      • Mr. Marc Vael
      • CISA, CISM, CGEIT, CISSP, ITIL Service Manager, Prince2 Foundation
      • Vice President
      • ISACA Belgium Chapter
      • Koningsstraat 109-111
      • 1000 Brussels
      • Belgium
      • [email_address]
      • [email_address]
    • 42. November 2011 ISACA