5 hours 19 minutes
lesson 1.3 Stakeholders Governance and executive buy in
for this lesson. We're going to look at three things. First is the level of administrative access incident handlers may need in order to be successful.
Secondly, identify the common Stakeholders Oven IR program and third, understand the importance of having strong policy an executive engagement for the I. R team.
These were all critically important not on the technical side, but certainly things that you want to have nailed for your i r. Team.
So team access. This is one area that I have had to battle a couple times in my past, and I walk you through a couple things to consider in a few things that I've done first, what privileges and privileged accounts dizzy I, our team need to be successful.
Does the I R team need to have the ability to poll CONFIG files from routers and switches, for example, should they be able to see
the firewall? But in a read only manner, should they be able to administer the er tool back and or is that something I t needs to dio? These are all questions that need to answer,
but in order for the I R team to be successful, they do need to have access to the things that are important for them.
What will the policy before use of elevated privileges hopefully use different naming conventions for elevated accounts and have a least privileged requirement and policy in place? Maybe your advanced enough. We have just in time administrative credentials that air produced by a vault, and then they change afterward.
I don't know what your organization may have available to you, but you definitely want to figure this out on the front end.
And then also, what are some of the systems and applications that your I R team may need to have access to? I mentioned network devices already, but are their databases or applications that have separate Loggins that they may need to have access to? Maybe you've got
E. R. P tools that have all the P I and the information about the employees and things that they have.
I need to see whether or not that was accessed inappropriately. So those are other things, especially if you don't have single sign on, and they might have to have applications specific credentials. You want to figure that out also
and then just as importantly, And this is where you get a lot of pushback from people as well. If we give your team all of this information, how do we know they're doing the right thing? And it is a valid point? So who's watching the watchers is where this comes down to, and you do wanna have some tools to be able to see how the I R team is using their credentials,
not because you don't trust them, but it's more of a transparency and a
showing that you are on the up and up and that you want to make sure everybody can see what your team is doing because you are watching the rest of the enterprise. So what I had done in the past, as I had Splunk rules that showed all the activities incident responders had done, and it was very easy to pull that up and review it at any time.
The stakeholders that we see for IR are commonly shown here on the screen, so certainly the chief executive officer, whatever that person's title maybe could be CEO could be program manager, could be chief, I don't know with your organization, but you want to make sure that they are in the loop of what's going on with I art.
Human Resource is certainly plays a big part of this, that there is a great opportunity for a partnership between
I R and H R to come together, especially on the insider threats and being able to disable accounts that people don't need any more promotions, demotions, how those might affect access to data. So having this partnerships critically important,
of course, I t cybersecurity wouldn't exist if I t wasn't in an organization for the for the most part. So you need to have a good, solid partnership with I t. We'll talk a lot more about this later on in the course the board of directors, if you have one. Hopefully, the Sissoko or the person that has responsibility for cybersecurity
gets in front of the board occasionally to talk through things. Also, customers and clients are certainly a stakeholder. Legal is another important partnership. Tohave
publications, communications, public affairs. These individuals can be very helpful for a number of reasons. One getting the word out about security enhancements and risks, but also in the event of an incident. You're going to want to have these people available to you and then auditors.
It's not always people's favorite group of individuals, but actually auditors can really be your advocate and also be a huge help to an IR program to help highlight things. If you know you're lacking funding or tools or equipment or people,
auditors can help you paint that story from a risk perspective, and they commonly have
very high visibility and what they come up with.
So the policy and the executive engagement is absolutely required from an incident response standpoint. So you do want to have a written policy in place that
advises the enterprise about the I R team and what the i R. Teams, roles and responsibilities and authority is. So a couple of things that should be in that policy include
any logs that are generated must be forwarded to the SIM tool period. New software being developed by internal organizations also has to have the ability to generate logs. This is another good example. I used to have software developers that worked for me that would do great software, but they weren't security people, so they would never think about
the logging that we may need from an IR perspective.
Tohave. So having that interface between your Dev Ops team or your agile developers or whatever developers that you may have is going to be very important, but also having it in policy.
Agents shall be installed on systems for continuous monitoring as prescribed by security. You can get some push back on this, and we'll walk through this again later. But you should have a policy that covers this. And then, finally,
anybody who puts an internal firewall or other mechanisms that blocks cyber securities ability to Amman Monitor detect respond to recover from an incident
has got to go, and you will find this in large organizations from Shadow I T organizations. And you need to have executive level sponsorship to help you get rid of those barriers.
And you'll want to frame this in a risk perspective, not just because you want to have the ability to see everything, but it does provide an opportunity for organizations to be compromised and cybersecurity, not know about it.
A few other things. You will see pushback on these. As you get more mature, you start monitoring Mawr and you put policies out like this, a lot of shadow I t organizations, particularly in businesses and agencies that have long done their own thing, are not going to be real happy about cybersecurity, increasing their structure and their rigor.
So be prepared for that.
Executive leadership really needs to understand the business and the mission. Reason why you're doing what you're doing. And this takes a special person that can communicate cybersecurity at an executive level. There's a lot of cybersecurity, folks that are excellent at security,
not so much on communicating toe higher level folks. So
I'll give you some tips for this. But you do want to find somebody. And hopefully the whoever leads cybersecurity has some business acumen that can use those skills to articulate these things to leadership
and then stakeholder engagement is really required to ensure that agents and activities do not cause unreasonable business or mission impact. So
if you deploy a new agent, all the systems to monitor something and you start getting feedback that it's slowing things down or it's causing conflicts,
that's clearly a priority that needs to be looked at so you won't have that given take in that relationship that you can talk to people and then also understand the legal requirements. Maybe you have a requirement, an absolute requirement to monitor certain activities, and that is going to mean a particular tool that has to be on those systems,
but making sure that that's articulated and people understand that. And it's not just somebody from cybersecurity saying you need to do this because I told you so
that never gets far in an organization is a quick way to limit your ability to communicate within an organization.
So a couple quick questions on this lesson, what is something that security leadership should take into consideration when giving IR teams elevated privileges?
A. The number of passwords that I, our teams must remember
be who will be monitoring the usage of the I R teams, elevated privileges
or see how long it will take the i R team toe log into a device.
The answer to this is be who will be monitoring the usage of the I R teams. Elevated privileges is definitely something that leadership want needs to take into account when they're developing that next question.
What is an example of a reason to have executive level sponsorship of I. R. A. Shadow I T organizations will push back on additional monitoring and control by security.
Be everyone in the organization love, cybersecurity, and we'll follow all the rules and policies,
or C in case cybersecurity has too much budget and needs to return funds back to the CFO.
Well, on this one, the answer is a. If B and C could only be true. But bottom line is, you will want to have this in policy and sponsorship of executive leadership, because Shadow I T organizations may very well pushback on any attempt to gain additional insights and visibility into what's going on.
In summary for this video, we talked about why it's so important have executive level sponsorship of IR teams. We talked about the importance of having strong policy and executive engagement for the I R team, and then we also identified those typical stakeholders for IR