00:04
>> We're going to transition to the people within the incident response team. Within that policy, you want to have that incident response manager. That incident response manager, he's going to be that single employee who may have one or more designated alternatives, but he should be in charge of the overall incident response. In your fully outsourced model, this person is going to oversee and evaluate that outsourcer's work which we were just talking about. All other models generally have a team manager and one or more deputies who are going to assume authority in the absence of that managing director.
Managers typically perform a variety of tasks, including acting as a liaison with upper management and other teams and organizations. They defuse crisis situations and they ensure that the team has the necessary personnel, resources, and skills. It's likely that the manager may not even start responding to incidents, but he's going to be the one who directs resources and your personnel in order to respond to that incident. Managers should be technically adept and have excellent communication skills, particularly an ability to communicate to a range of audiences. You have to consider who that manager is going to be talking to. He may be talking to someone who is very technically proficient who may need to know those details, but he may have to translate that for maybe a CEO without the technical knowledge that that manager has. Managers are ultimately responsible for ensuring that incident response activities are performed properly.
The next row we would have in the policy is going to be your incident response lead and members of your incident response team. In addition to the team manager and the deputy, some teams also have a technical lead, a person who has strong technical skills and incident response experience who's going to assume oversight and the final responsibility for the quality of the team's technical work. The position of the technical lead should not be confused with the position of the incident lead. Larger teams often assign an incident lead as the primary POC for handling certain incidents or a specific incident, and the incident lead is held accountable for the incident's handling. Depending on the size of the incident response team and the magnitude of the incident, the incident lead may not actually perform the incident handling, but rather coordinate the handlers' activities, gather information from the handlers, provide incident response updates to the group, and ensure that the team's needs are met.

Members of the incident response team should have excellent technical skills such as system administration, network administration, programming, technical support, or intrusion detection. Every team member should have good problem-solving skills and critical thinking abilities. It's pretty common in some of these incident response team configurations to maybe have a rotational basis for who's going to be the technical lead or the incident response lead for that day, that week or that month. What that does is help provide the ability for the team to have crossover, so that individuals know how to perform certain functions and tasks if somebody happens to be out of work, or they happen to change jobs or get sick. It helps that team function better; that way everyone knows exactly what's going on and what's expected of those roles.
Moving on, we have incident response interdependencies. Management is going to be one of the first interdependencies that your team is going to have. Management is going to establish the policy, budget and the staffing for the teams. Ultimately, management is going to be held responsible for coordinating incident response among the various stakeholders, minimizing damage and reporting to Congress, if you happen to be a government agency, or maybe they're going to have to report to shareholders or the CEO or CIO. It's all going to depend on how your organization works, but ultimately your management is going to be responsible for reporting to those higher-level entities.

Another interdependency that you're going to have is information assurance. Information security staff members may need to be involved in certain stages of the incident handling process, so prevention, containment, eradication and recovery; for example, to alter network security controls, firewalls, and rule sets. It may extend over into your IA staff if you don't have one of those individuals on your incident response team to begin with.
IT support is going to be another interdependency. IT technical experts, for example system and network administrators, not only have the needed skills to assess, but also usually have the best understanding of the technology they manage on a daily basis. This understanding can ensure that the appropriate actions are taken for the affected systems, such as whether to disconnect an attacked system.

The next interdependency that you might have is going to be the legal department. Legal experts should review incident response plans, policies and procedures to ensure compliance with law, federal guidance, the right to privacy, maybe your policy within your department. Regardless, the lawyers are going to have to be involved to make sure everyone is legally covered and protected. In addition, the guidance of your general counsel or legal department should be sought if there's a reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of a suspect or a lawsuit, or if there may be a need for some type of memorandum of understanding or other binding agreements involving liability limitations for information sharing. Generally, if you've got some type of legal question or legal requirement, you're going to have to involve lawyers, which we'll get into a little bit later in our legal discussion.
Interdependencies, continued: public affairs and media relations. We've already hinted at that. Depending on the nature and the impact of an incident, a need may arise to inform the media and, by extension, the public. Again, after you've had that Target data breach, you may end up having to inform your customers about that incident. Getting those public affairs and media relations people involved is very important.

Human resources is another interdependency that incident response teams may have to coordinate with. If an employee is suspected of causing an incident, the human resources department may have to get involved, essentially assisting with disciplinary proceedings or providing input about that point.

Also, your business continuity planning department may have to be involved. Organizations should ensure that incident response policies and procedures and business continuity planning processes are in sync. If your server is attacked, maybe your BCP team is going to have to get involved in order to transition to a different server. Computer security incidents undermine the business resilience of an organization. Business continuity planning professionals should be made aware of incidents and their impacts so they can fine-tune the business impact assessments, risk assessments, and continuity of operations plans. Further, because business continuity planners have extensive experience in minimizing operational disruption during severe circumstances, they may have that valuable information that can help the team remediate those incidents and get back to normal operating procedures. An example of that could be a denial of service.

The next interdependency that you might experience is physical security and facilities management. Some incidents occur through breaches of physical security and not necessarily technical security, or they may involve coordinated logical and physical attacks. The incident response team may also need access to facilities during their response and will also need to secure an area to store the recovered data and/or artifacts.