Part 6 - The Role of the Incident Response Manager


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson discusses the role of the Incident Response Manager. This is the employee within an organization who is responsible for overseeing how an incident is handled. They need to have a mix of both strong technical and communication skills. Other roles discussed in this lesson include the Incident Response Lead and the Incident Response Team. In addition to their roles, those in incident response also need the support of, and must communicate well with, their management, information assurance, IT support, the legal department, public affairs and media relations, human resources, business continuity planning, and finally security and facilities management.

Video Transcription
We're going to transition to the people within the incident response team. Within that policy, you want to have that incident response manager. That incident response manager, he's going to be that single employee who may have one or more designated alternatives, but he should be in charge of the overall incident response. In your fully outsourced model, this person is going to oversee and evaluate that outsourcer's work, which we were just talking about. All other models generally have a team manager and one or more deputies who are going to assume authority in the absence of that managing director. Managers typically perform a variety of tasks, including acting as a liaison with upper management and other teams and organizations. They defuse crisis situations and they ensure that the team has the necessary personnel, resources, and skills. It's likely that the manager may not even start responding to incidents, but he's going to be that one who directs resources and your personnel in order to respond to that incident. Managers should be technically adept and have excellent communication skills, particularly an ability to communicate to a range of audiences. You have to consider who that manager's going to be talking to. He may be talking to someone who is very technically proficient. He may need to know those details, but he may have to translate that to maybe a CEO who may not have the technical knowledge that that manager has. Managers are ultimately responsible for ensuring that incident response activities are performed properly.

The next row we would have in the policy is going to be your incident response lead and members of your incident response team. In addition to the team manager and the deputy, some teams also have a technical lead, or a person who has strong technical skills and incident response experience, who's going to assume oversight and the final responsibility for the final quality of the team's technical work. The position of the technical lead should not be confused with the position of the incident lead. Larger teams often assign an incident lead as the primary POC for handling certain incidents or a specific incident, and the incident lead is held accountable for the incident's handling. Depending on the size of the incident response team and the magnitude of the incident, the incident lead may not actually perform the actual incident handling, but rather coordinate the handlers' activities, gather information from the handlers, provide incident response updates to the group, and ensure that the team's needs are met. Members of the incident response team should have excellent technical skills such as system administration, network administration, programming, technical support, or intrusion detection. Every team member should have good problem-solving skills and critical thinking abilities. It's pretty common in some of these incident response team configurations to maybe have a rotational basis of who's going to be the technical lead or the incident response lead for that day, that week, or that month. What that does is it's going to help provide the ability for the team to have crossover, so that individuals know how to perform the certain functions and tasks if somebody happens to be out of work, or they happen to change jobs or get sick. It helps that team function better; that way everyone knows exactly what's going on and what's expected of those roles.

Moving on, we have incident response inter-dependencies. Management is going to be one of the first inter-dependencies that your team is going to have. Management is going to establish the policy, budget, and the staffing for the teams. Ultimately, management is going to be held responsible for coordinating incident response among the various stakeholders, minimizing damage, and reporting to Congress, OMB, the GAO, if you happen to be a government agency, or maybe they're going to have to report to shareholders or the CEO or CIO. It's all going to depend on how your organization works, but ultimately your management is going to be responsible for reporting to those higher-level entities.

Another inter-dependency that you're going to have is information assurance. Information security staff members may need to be involved in certain stages of the incident handling process, so prevention, containment, eradication, and recovery. For example, to alter network security controls, firewalls, and rule sets. It may extend over into your IA staff if you don't have one of those individuals on your incident response team to begin with.

IT support is going to be another inter-dependency. IT technical experts, for example, system and network administrators, not only have the needed skills to assess, but also usually have the best understanding of the technology they manage on a daily basis. This understanding can ensure that the appropriate actions are taken for the affected systems, such as whether to disconnect an attacked system.

The next inter-dependency that you might have is going to be the legal department. Legal experts should review incident response plans, policies, and procedures to ensure compliance with law, federal guidance, the right to privacy, maybe your policy within your department; regardless, the lawyers are going to have to be involved to make sure everyone is legally covered and protected. In addition, the guidance of your general counsel or legal department should be sought if there's a reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of a suspect, or a lawsuit, or if there may be a need for some type of memorandum of understanding or other binding agreements involving liability limitations for information sharing. Generally, if you've got some type of legal question or legal requirement, you're going to have to involve lawyers, which we'll get into a little bit later in our legal discussion.

Inter-dependencies, continued: public affairs and media relations. We've already hinted at that. Depending on the nature and the impact of an incident, a need may arise to inform the media and, by extension, the public. Again, after you've had that Target data breach or the Sony hack, you may end up having to inform your customers about that incident. Getting those public affairs and media relations people involved is very important.

Human resources is another inter-dependency that incident response teams may have to coordinate with. If an employee is suspected of causing an incident, the human resources department may have to get involved, essentially assisting with disciplinary proceedings or providing input about that point.

Also, your business continuity planning department. They may also have to be involved. Organizations should ensure that incident response policies and procedures and business continuity planning processes are in sync. If your server is attacked, maybe your BCP team is going to have to get involved in order to transition to a different server. Computer security incidents undermine the business resilience of an organization. Business continuity planning professionals should be made aware of incidents and their impacts so they can fine-tune the business impact assessments, risk assessments, and continuity of operations plans. Further, because business continuity planners have extensive experience in minimizing operational disruption during severe circumstances, they may have that valuable information that can help the team remediate those incidents and get back to normal operating procedures. An example of that could be a denial of service.

The next inter-dependency that you might experience is physical security and facilities management. Some incidents occur through breaches of physical security and not necessarily technical security, or they may involve coordinated logical and physical attacks. The incident response team may also need access to facilities during their response and will also need to secure an area to store the recovered data and/or artifacts.