Part 1 - An Overview of Incident Response Policy
Video Activity
This lesson offers an introduction into incident response policy. An incident response policy is important as it guides the Incident Response Team on what actions need to be taken during certain incidents. This lesson touches upon: · Policy creation and implementation · Defining risk and deciding on what needs security · Calculating loss
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Description
This lesson offers an introduction into incident response policy. An incident response policy is important as it guides the Incident Response Team on what actions need to be taken during certain incidents. This lesson touches upon: · Policy creation and implementation · Defining risk and deciding on what needs security · Calculating loss
Video Transcription
00:03
>> Hello. Welcome to Cybrary.
00:03
My name is Max Alexander,
00:03
and I will be your subject matter expert for
00:03
incident response, and advanced forensics.
00:03
Today, we're going to talk about
00:03
incident response policy.
00:03
The first thing we're going to talk
00:03
about is the creation or
00:03
implementation of policy, and procedures.
00:03
A lot of organizations,
00:03
especially if you're just getting started,
00:03
you may not have an adequate policy, or procedure.
00:03
It's important to clarify
00:03
policies, and procedures so individuals who
00:03
are joining your incident response team will
00:03
have a direction, and guidance of where they should go.
00:03
Basically, incident response policy will guide
00:03
the incident response team of
00:03
what actions they should take during incidence.
00:03
The policy should also place a higher priority on
00:03
incidents that pose a greater risk to the organization.
00:03
Essentially, if you're having all types of
00:03
incidents, or all kinds of incidents,
00:03
you're not going to want to wait
00:03
>> every incident equally.
00:03
>> Obviously, certain incidents would
00:03
have a higher priority than others.
00:03
Maybe a DDoS attack is
00:03
something you would want to devote a lot of time,
00:03
money, resources, and energy,
00:03
into trying to investigate, and remediate,
00:03
whereas maybe a spam email wouldn't want
00:03
the full force of the incident response investigation.
00:03
The response should also correspond to the priority
00:03
of the incident, and the risk
00:03
for the overall organization.
00:03
Again, that's just going back
00:03
and saying that if it's not really that big of a risk,
00:03
why bother devoting all of that time, and
00:03
money into investigating something
00:03
that's more or less trivial.
00:03
Defining risk, and deciding what needs security,
00:03
that should be the paramount task
00:03
in your risk assessment policy.
00:03
Ideally, we would want to secure
00:03
everything, and anything that we
00:03
could if money were no object,
00:03
but essentially,
00:03
what a lot of organizations will be
00:03
constrained by is money, and time.
00:03
Using this security Uber Alles method is not always
00:03
the best way to go about securing
00:03
things because we do have resource constraints.
00:03
We essentially can't secure everything,
00:03
and it does not provide the benefit for the cost.
00:03
We have to understand
00:03
what is this we want to protect that we value the most.
00:03
That's going to fall under asset valuation.
00:03
In order to do asset valuation,
00:03
we have to look at the total cost of
00:03
an asset to include the purchase price,
00:03
development, and maintenance cost, advertising cost,
00:03
cost for support, repair,
00:03
and replacement as well as the cost
00:03
due to loss of reputation, and so on.
00:03
Essentially, it is just asking if this asset
00:03
were to be destroyed, or you had to replace this asset,
00:03
you're having to think of all of the total cost
00:03
that it would require to replace that asset,
00:03
and that's keeping in mind
00:03
what we talked about previously,
00:03
is that there may be some hidden cost as well.
00:03
If you're heading to replace certain assets,
00:03
trying to think of the total cost
00:03
of research, and development,
00:03
media attention, and all of
00:03
those things that you may not necessarily think
00:03
up to be learned, and replace that asset.
00:03
The next thing that we're going to talk
00:03
about when we're looking at how to
00:03
secure, and what needs security is defining a threat.
00:03
Threat is a person, or a thing that is
00:03
likely to cause danger, or damage.
00:03
That could be an employee who doesn't have
00:03
a good idea of
00:03
information security, and clicks on an email,
00:03
it could be an external threat,
00:03
such as a hacker, or someone who wants to
00:03
break into your building, and steal your files,
00:03
all of those things would
00:03
necessarily be considered threats.
00:03
Then vulnerability is something
00:03
that is open to attack, harm, or damage.
00:03
It could be maybe an unpatched operating system
00:03
or an unpatched flaw that you have in software.
00:03
It could be a lock on a door
00:03
>> that doesn't work properly.
00:03
>> Those are vulnerabilities.
00:03
Then lastly is risk.
00:03
Risk is going to be defined as
00:03
the possibility that a threat
00:03
will exploit that vulnerability.
00:03
What is the possibility that
00:03
someone in your office might click on a link
00:03
that downloads some malicious software, and
00:03
wipes out their laptop, and puts ransomware on it?
00:03
Or what is the risk that some hacker is going
00:03
to exploit that vulnerability
00:03
in your unpatched software, and destroy your system?
00:03
[NOISE] How do we calculate loss?
00:03
Loss would essentially be able to help guide
00:03
the organization on prioritizing
00:03
what needs to be protected, and what doesn't.
00:03
Exposure factor is the first thing
00:03
that we would have to look at.
00:03
An exposure factor is defined as the percent
00:03
of loss of an asset if the risk materializes.
00:03
That's essentially expressed in
00:03
a numerical fashion of 0.0,
00:03
which is nothing, to 1.0,
00:03
which would be 100 percent.
00:03
Then the single loss expectancy.
00:03
Single loss expectancy is the cost of
00:03
a single realized risk against an asset,
00:03
and that's expressed in a dollar sign.
00:03
When you look at single loss expectancy,
00:03
that's essentially saying,
00:03
if this risk were to occur,
00:03
how much damage do I think
00:03
>> that I'm going to experience?
00:03
>> Then the annualized rate of occurrence is
00:03
the frequency occurrence of
00:03
the type of incident occurring.
00:03
1.0 is going to equate to one time a year,
00:03
2.0 is going to equate to two times a year,
00:03
0.1 is going to be one time in 10 years etc.
00:03
That just helps you calculate
00:03
the frequency of something occurring.
00:03
Then your annualized loss expectancy.
00:03
That's going to be calculated by multiplying
00:03
your single loss expectancy
00:03
with your annualized rate of occurrence.
00:03
For instance, if you had a single loss expectancy of
00:03
$75,000, and you were
00:03
expecting that to occur twice within that year,
00:03
then essentially you would end up
00:03
with $150,000 of damage.
00:03
Likewise, if you had something that was $75,000 of
00:03
damage, and you were expecting that to
00:03
occur once in 100 years,
00:03
you would have $75 for your annualized loss expectancy.
00:03
What you're going to do with
00:03
those numbers is essentially,
00:03
you're going to look at how much
00:03
>> it would cost to secure
00:03
>> something in order to prevent that from occurring.
00:03
You're looking at trying to prevent
00:03
that last example that's
00:03
expected to cost you a loss of $75 a year,
00:03
but you're essentially devoting
00:03
$100,000 into preventing that loss.
00:03
That's not a very good return on investment.
00:03
You never want the amount of
00:03
resources, and time that you're devoting to
00:03
something to cost more
00:03
than you expect it to cost your business.
Up Next
Similar Content
