Presentation is loading. Please wait.

Presentation is loading. Please wait.

INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435.

Published byBerenice Page Modified over 9 years ago

Similar presentations

Presentation on theme: "INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435."— Presentation transcript:

1 INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435

2 Incident Response: The Need Due to an increase in the number of threats to networks both internally and externally there is a need not only for the detection of breaches but a prompt response to such events. In order to help safeguard our organization’s data and the privacy of our clients an Incident Response plan will be implemented based on the NIST Computer Security Incident Handling Guide (SP 800-61)

3 Management Commitment In order for an Incident Response plan to be of use we will need to have the commitment, coopoeration, and support of the various heads of management. This will require the overall idea to be discussed among those managers and their agreement. Management Commitment In order for an Incident Response plan to be of use we will need to have the commitment, coopoeration, and support of the various heads of management. This will require the overall idea to be discussed among those managers and their agreement. Managers Involved CEO COO CAO CIO Second Level Managers Managers Involved CEO COO CAO CIO Second Level Managers INCIDENT RESPONSE: Policy Development

4 Step 1 Step 2Step 3Step 4Step 5Step 6 Establish Team for development of Incident Response Plan (IRP) Define scope of policy and Organizational Structure of IRT. Prioritize the severity of different incidents Create Standard Operating Procedures (SOP’s) Test SOP’s in various scenarios for soundness. Roll out final Incident Response Plan. Define roles of team members. Define what constitutes a security incident. Identify third parties requiring contact. Review tests and change SOP’s as needed. Begin Selection of IRT Members. Establish timetable for completion. Review NIST SP 800-61 Develop drafts of reporting and contact forms. Develop Performance Measurements. Review final draft with appropriate Management Begin Training for members of IRT. INCIDENT RESPONSE: Process of Development Develop Audit procedures for IRP.

5 Internal Team Model INCIDENT RESPONSE: Basic Model Selection Due to the size of the organization combined with the sensitive nature of the information that is being protected it will be best to use a fully internal team consisting of employees. Central Incident Response Team Currently the structure of the organization does not create the need for more than one response team. However, furture expansion may mean converting this model to that of Distributed Incident Response Teams.

6 Public Relations Liaison Upper Management IT Liaison Incident Response Team Lead Technical Lead Support Staff INCIDENT RESPONSE: Suggested Basic Team Structure

7 The following departments will designate a liaison to work with the IRT when needed. Legal Department Human Resources Facilities Management IT Central Support The following departments will designate a liaison to work with the IRT when needed. Legal Department Human Resources Facilities Management IT Central Support INCIDENT RESPONSE: Interdepartmental Dependencies

8 Intrusion Detection The monitoring and detection portion of network security is handled by a group that falls under both IRT and IT. The members that work on intrusion detection are under the management of IT, but their services and direction fall under the IRT. Advisory Distribution Should our organization reach the size where destributed incident response teams are used the notification about new threats and vulnerabilities to the other teams (and appropriate personel) will become part of the standard operating procedures. Education and Awareness The IRT will contribute to the training and awareness of the organization’s users in order to proactively combat some of the simpler avenues of attack. INCIDENT RESPONSE: IRT Services

9 Incident Response Team Customers, Constituents, & Media Internet Service Providers Software & Support Vendors Trustwave: Spider Labs Incident Response Statistics Law Inforcement Agencies INCIDENT RESPONSE: Third Party Contacts

10 Detection Preparation Review Containment Post-Activity INCIDENT RESPONSE: Proposed IRT Cycle Review Analyze effectiveness of response. Preparation Internal checks and training. Detection Proactive or Reactive defense. Containment Eradication and Recovery. Post-Incident Activity Contacting Third Parties and Press Release if needed..

11 Network Security Group Monitoring for events and informing the IRT when one occurs. Network Security Group Monitoring for events and informing the IRT when one occurs. Internal Audit Assumes control after IRT cycle and reviews to ensure completion. Internal Audit Assumes control after IRT cycle and reviews to ensure completion. Incident Response Team Assumes control of Incident and directs efforts until completion of IRT cycle. INCIDENT RESPONSE: Interdepartmental Exchange of Control

12 Current Status of the Incident Upon completion of the IRT Cycle this documentation should cover the current state of the incident and any remaining problems or suggestions. Incident Summary This documentations should summarize the incident in question from its detection to final analysis. All actions taken by the Incident Response Team In order to keep track of changes and for reference purposes any and all changes/actions taken by the IRT should be documented. Impact Assessment An analysis of the overall impact (financial, reputation, etc…) should be included as documentation for reference and legal purposes. Cycle Summary A shortened summary of the important details of the IRT cycle should be documented for reference purposes. INCIDENT RESPONSE: Documentation

13 In instances of local disturbances, physical break-ins and incidents caused by employees the findings will be turned over to local police and charges filed should it be decided that it is warranted by the legal department. Local Police In instances of computer crime that does not leave the boundaries of the state of South Carolina the South Carolina Law Enforcement Division will be notified and brought into the investigation if deemed nescisary by the legal department. S.L.E.D. INCIDENT RESPONSE: Law Enforcement Involvement In instances of computer crime that cross state lines or if it involves the breaking of Federal law the Federal Bureauof Investigation will be notified and brought into the investigation if deemed nescisary by the legal department. F.B.I.

14 In certain cases a security incident may require some kind of statement or media publication. In order to best protect our organization no one outside the public relations department (Senior Level Management excluded) is authorized to represent the company in any form of media. The IRT will coordinate with the PR, legal, and other necessary departments to create any press and/or media releases. INCIDENT RESPONSE: Media Involvement

15 Incident Response: References Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, January 31). Computer Security Division - Publications: Drafts. Retrieved June 9, 2012, from National Institute of Standards and Technology: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800- 61rev2.pdf Henderson, C. (2011). Retrieved June 9, 2012, from Build Security In: https://buildsecurityin.us- cert.gov/swa/presentations_032011/CharlesHenderson- 2011GlobalSecurityStatsAndTrends.pdf

Download ppt "INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435."

Similar presentations

Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Freedom of Information Act 2000 and the PCT Audit Procedure Background: The Act was passed in November 2000. The Act will be fully in force by January.

Freedom of Information Act 2000 and the PCT Audit Procedure Background: The Act was passed in November The Act will be fully in force by January.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Security Officer

Information Systems Security Officer
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Network security policy: best practices

Network security policy: best practices
Implementing Disaster Recovery Plans

Implementing Disaster Recovery Plans
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Planning for Continuity

Planning for Continuity
Security Information Management Firewall Management, Intrusion Detection, and Intrusion Prevention Intrusion Detection Busters Katherine Jackowski Elizabeth.

Security Information Management Firewall Management, Intrusion Detection, and Intrusion Prevention Intrusion Detection Busters Katherine Jackowski Elizabeth.
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
OSIAM4HE Proposed org structure Authored by the strategy and organization team.

OSIAM4HE Proposed org structure Authored by the strategy and organization team.

Similar presentations

Ads by Google