Security Program and Policies: Principles and Practices
by Sari Stern Greene
Chapter 11: Information Security Incident Management
Copyright 2014 Pearson Education, Inc. 2
Objectives
❑ Prepare for an information security incident
❑ Identify an information security incident
❑ Recognize the stages in incident management
❑ Properly document an information security incident
❑ Understand federal and state data breach notification
requirements
❑ Consider an incident from the perspective of the victim
❑ Create policies related to information security incident
management
Organizational Incident Response
■ Incidents drain resources and can be expensive
■ The right time to develop an Incident Response plan
is before an incident occurs
■ Incident preparedness includes having policies,
strategies, plans, and procedures
What Is an Incident?
■ An information security incident is an adverse
event that threatens business security and/or
disrupts service
■ Every organization should be familiar with
and prepared to respond to the following core
group of attacks
❑ Intentional unauthorized access or use
■ Occurs when an insider or an intruder gains logical or
physical access without permission
What Is an Incident? Cont.
❑ Denial of service (DoS) attacks
■ Prevents or impairs the normal authorized functionality
of the organization’s networks, systems, or applications
❑ Malware
■ Code that is covertly inserted into another program with
the intent of gaining unauthorized access or causing harm
❑ Inappropriate usage
■ Occurs when an authorized user performs actions that
violate company policy, agreement, law, or regulation
Incident Severity Levels
■ Three severity levels
❑ Level 1
■ Incidents that could cause significant harm
❑ Level 2
■ Compromise of or unauthorized access to noncritical
systems or information
❑ Level 3
■ Situations that can be contained and resolved by the
information system custodian, data/process owner, or
HR personnel
How Are Incidents Reported?
■ Employees should be required to report all
actual and suspected incidents
■ The employee who discovers an incident may
not be trained in incident handling and may not be an IT technician
■ The culture of the company needs to
incorporate this point so that employees don’t
feel like they may be ridiculed if they are
wrong
What Is an Incident Response Program?
■ Composed of policies, plans, procedures,
and people
■ An incident response plan (IRP) is a roadmap
of reporting, responding, and recovery
actions
■ Incident response procedures are detailed
steps needed to implement the plan
What Is an Incident Response Program? Cont.
■ Activities in the IRP
❑ Preparation
❑ Detection and investigation
❑ Initial response
❑ Containment
❑ Eradication and recovery
❑ Notification
❑ Closure and post-incident activity
❑ Documentation and evidence-handling
requirements
Key Incident Management Personnel
■ Incident response coordinator (IRC)
❑ Central point of contact for all incidents
❑ Verifies and logs the incident
■ Designated incident handlers (DIHs)
❑ Senior-level personnel who have crisis
management and communication skills,
experience, and knowledge to handle an incident
■ Incident response team (IRT)
❑ Trained team of professionals who provide
services throughout the incident lifecycle
Investigation and Evidence Handling
■ Incidents should be thoroughly documented
■ Depending on the incident it may be
necessary to contact local, state, or federal
law enforcement
❑ The IRT should be acquainted with
applicable law enforcement representatives
■ Incident handlers who perform forensic
analysis should be familiar with forensic
principles, guidelines, procedures, tools, and
techniques
Investigation and Evidence Handling Cont.
■ The process of digital forensics includes
❑ Collection
❑ Examination
❑ Analysis
❑ Reporting
■ Chain of custody applies to physical, digital, and
forensic evidence
❑ It is used to prove that evidence has not been altered
■ Evidence should be stored in a secure location
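The chain-of-custody point above (proving evidence has not been altered between handoffs) is easiest to see in code. The following is an added illustration, not code from the book or its author: it hashes a constructed sample evidence image at collection, logs every transfer with the handler's name and a fresh hash, and flags any handoff where the hash no longer matches the original. The evidence id, handler roles and sample bytes are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint used to prove the evidence is unchanged."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Records who held a piece of evidence and re-verifies its hash at each handoff."""

    def __init__(self, evidence_id: str, data: bytes, collected_by: str):
        self.evidence_id = evidence_id
        self.original_hash = sha256_hex(data)  # baseline taken at collection time
        self.entries = [self._entry("collected", collected_by, self.original_hash)]

    def _entry(self, action: str, handler: str, digest: str) -> dict:
        return {"action": action, "handler": handler, "sha256": digest,
                "time": datetime.now(timezone.utc).isoformat()}

    def transfer(self, data: bytes, from_handler: str, to_handler: str) -> bool:
        """Log a handoff; returns False (and annotates the log) if the copy differs."""
        digest = sha256_hex(data)
        intact = digest == self.original_hash
        self.entries.append(self._entry(f"transfer {from_handler} -> {to_handler}",
                                        to_handler, digest))
        if not intact:
            self.entries[-1]["note"] = "HASH MISMATCH: evidence altered or wrong copy"
        return intact

    def is_intact(self) -> bool:
        """True only if every logged hash equals the collection-time baseline."""
        return all(e["sha256"] == self.original_hash for e in self.entries)

    def report(self) -> str:
        """Custody log suitable for attaching to the incident documentation."""
        return json.dumps({"evidence_id": self.evidence_id, "entries": self.entries}, indent=2)


# Constructed sample standing in for an acquired disk image (hypothetical, not real evidence).
SAMPLE_IMAGE = b"constructed sample bytes representing an acquired disk image"


def demo() -> tuple:
    coc = ChainOfCustody("EV-0001", SAMPLE_IMAGE, "IRC")           # hypothetical id/role
    ok_analyst = coc.transfer(SAMPLE_IMAGE, "IRC", "forensic analyst")
    ok_legal = coc.transfer(SAMPLE_IMAGE + b"\x00", "forensic analyst", "legal")  # altered copy
    return ok_analyst, ok_legal, coc.is_intact()
```

The second transfer deliberately hands over a modified copy, so the log records the mismatch and `is_intact()` reports that the chain can no longer prove the evidence unaltered.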
Data Breach Notification Requirements
■ Federal requirements that address the
protection of personally identifiable
information (PII)
❑ Gramm-Leach-Bliley Act (GLBA)
❑ Health Information Technology for Economic and
Clinical Data Act (HITECH)
❑ The Federal Information Security Management
Act (FISMA)
❑ Federal Education Rights and Privacy Act
(FERPA)
State Breach Notification Laws
■ 46 states, the District of Columbia, Puerto
Rico, and the Virgin Islands have enacted
notification laws designed to protect their
residents
■ States with no security breach laws include
❑ Alabama
❑ Kentucky
❑ New Mexico
❑ South Dakota
Summary
■ An information security incident threatens business
security and disrupts operations. Examples of incidents
include unauthorized access, DoS attacks, malware, and
inappropriate usage.
■ Companies should have an incident response plan that
details how incidents should be handled and the roles
and responsibilities of key personnel.
■ In most situations, data breaches of PII should be
reported to the appropriate authority and affected parties
notified.