Getting Cyber-Prepared

• F.B.I. Los Angeles: (310) 477-6565
• Secret Service: (213) 894-4830
• Los Angeles County District Attorney’s Office: (213) 974-3512.   Identity Theft
• Los Angeles County Sheriff’s Office: Consumer Guide to Preventing Identity Theft (National Crime Prevention Council)
• Orange County Sheriff’s Department: Scams
• Orange County Sheriff’s Department: Identity Theft
• FBI Internet Crime Complaint Center (IC3)

The objectives of incident response are to:

1. Verify that an incident occurred or document that one has not
2. Maintain or restore business continuity while reducing the incident impact
3. Identify the causes of the incident
4. Minimize the impact of future incidents
5. Improve security and the incident response planning function
6. Prosecute illegal activity
7. Keep management, staff and appropriate clients informed of the situation and response
8. Apply lessons learned to improve the process

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

 

The plan should contain the following information necessary to maintain or resume operations and respond to an information security incident:

1. Names, roles and contact information for the Incident Response Team (IRT), staff, vendors (including vendors needed to respond to an incident), and key clients
2. Regulatory, contractual and compliance requirements
3. An overview of critical business functions, criticality of those functions, and resources needed to maintain or resume operations
4. Recovery procedures for various scenarios
5. An inventory of all hardware needed for the Organization business operations, including servers, workstations, laptops, printers, faxes, cell phones, firewalls, routers, switches, wireless access points, etc.
6. An inventory of all software needed for the Organization business operations, including workstation software and on-line software (SaaS)
7. An inventory of all connectivity required, including Internet, telecommunications and wide area networks (WANs)
8. An inventory of critical IT documents
9. Location of all critical business information, including back-ups and shared folders
10. Location of passwords and encryption keys
11. An inventory of vital business records

The consolidated plan documents high-level procedures to follow in the event of a suspected security incident.

The plan also documents operational workarounds in the event of an information continuity disruption to the Organization’s business operations.

The plan documents how employees will communicate, from where they will work, and how they will keep working in the event of:

1. Physical disruptions
2. Telecommunications disruptions
3. Disruptions to hardware / software
4. Unavailability of key personnel

 

Contributed by Citadel Information Group.
© Copyright 2017. Citadel Information Group. All Rights Reserved.

 

Information Security Manager (ISM)

The Information Security Manager (ISM) is responsible for maintaining the confidentiality, integrity, and availability of the Organization’s business information. As such, the ISM has senior-level responsibility for the incident response plan.

If an incident has the potential to compromise or disrupt confidentiality, integrity or availability, the ISM has the authority to declare it an incident requiring activation of this plan, as well as the authority to suspend the plan or announce the end of the incident and return to normal operations.

In the absence of the ISM, authority passes to the chief executive or designee (i.e. Leader Alternate).

Incident Response Team (IRT)

The Incident Response Team (IRT) is responsible for working with the ISM to manage recovery from an information security incident or disruption in accordance with this plan.

The ISM will convene the Incident Response Team if n the event of an information disruption or information security incident.

The following people, at a minimum, named in the Incident Response Team worksheet of Incident-response-management-lists.xls, constitute the Incident Response Team (IRT):

1. The Organization’s Information Security Manager (ISM)
2. A representative from the Organization’s executive team
3. The Organization’s CIO, IT Director and/or IT Vendor
4. The Organization’s information security consultant
5. Other individuals, perhaps including in-house or external counsel

The Information Security Manager (ISM) is the Team Lead and serves as the main point of contact for all parties involved in the incident response.

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

The Five Incident Response Phases

1. Plan and Prepare
2. Detect and Report
3. Assess and Decide
4. Respond
5. Lessons Learned

Plan and Prepare

As part of the planning and preparation process, the Organization needs to maintain documentation on the following.

1. Business Impact Analysis
2. Disaster Recovery and Restore procedures
3. Business Staff Resources
4. Information backups and images
5. Offsite Preparedness
6. Telecommunications Preparedness
7. Power / HVAC and other Physical Preparedness
8. Critical Continuity Documentation
9. Incident Handling Communications
10. Incident Analysis Hardware and Software
11. Incident Analysis Resources

 

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Initiation of this plan occurs upon the observation of an event that might have information security or business continuity implications. Examples include:

1. A discontinuity or outage or other event impacting a facility, staff, or IT resources
2. A user experiencing a problem with his/her workstation
3. IT may discover a problem
4. Antivirus alert or other IT intrusion detection system alert
5. Physical security staff report an incident
6. A client or business partner notifies IT of an outage or potential security issue
7. A manager reports an outage or potential security issue
8. An outside source reports an outage or potential security issue
9. The discovery of a fraudulent online transaction, financial or otherwise
10. A fraudulent online request by a vendor to change payment instructions

Anyone observing an event that might have information security or business continuity implications is to immediately notify the ISM.

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.