SecureTheVillage Webinar: Getting Cyber-Prepared: Incident Response & Business Continuity
Webinar: Getting Cyber-Prepared: Incident Response & Business Continuity
Webinar Deck (PDF): Getting Cyber-Prepared: Incident Response & Business Continuity
November 8, 2018: Stan’s Guests:
Brad Maryman (FBI Retired), President, Maryman and Associates
Patrick Fraioli, Esq., Managing Director, MRM Capital Holdings
SecureTheVillage Webinar: Securing the Network—Lessons Learned From Cyber Investigations
Webinar: Securing the Network—Lessons Learned From Cyber Investigations
Webinar Deck (PDF): Securing the Network-Lessons Learned From Cyber Investigations
October 4, 2019: Stan’s Guest:
Joe Greenfield, Managing Director and Chief Forensic Examiner, Maryman & Associates, Associate Professor, USC Viterbi
ResourceKit Articles
- Contacting Law Enforcement
  - F.B.I. Los Angeles: (310) 477-6565
  - Secret Service: (213) 894-4830
  - Los Angeles County District Attorney’s Office: (213) 974-3512. Identity Theft
  - Los Angeles County Sheriff’s Office: Consumer Guide to Preventing Identity Theft (National Crime Prevention Council)
  - Orange County Sheriff’s Department: Scams
  - Orange County Sheriff’s Department: Identity Theft
  - FBI Internet Crime Complaint Center (IC3)
- Incident Response Objectives - The objectives of incident response are to:
  - Verify that an incident occurred or document that one has not
  - Maintain or restore business continuity while reducing the incident impact
  - Identify the causes of the incident
  - Minimize the impact of future incidents
  - Improve security and the incident response planning function
  - Prosecute illegal activity
  - Keep management, staff and […]
- Incident Response Plan Components - The plan should contain the following information necessary to maintain or resume operations and respond to an information security incident:
  - Names, roles and contact information for the Incident Response Team (IRT), staff, vendors (including vendors needed to respond to an incident), and key clients
  - Regulatory, contractual and compliance requirements
  - An overview of critical business functions, […]
- Incident Response Management and the Incident Response Team - Information Security Manager (ISM): The Information Security Manager (ISM) is responsible for maintaining the confidentiality, integrity, and availability of the Organization’s business information. As such, the ISM has senior-level responsibility for the incident response plan. If an incident has the potential to compromise or disrupt confidentiality, integrity or availability, the ISM has the authority to […]
- Incident Response Phases; Plan & Prepare - The Five Incident Response Phases:
  - Plan and Prepare
  - Detect and Report
  - Assess and Decide
  - Respond
  - Lessons Learned

  Plan and Prepare: As part of the planning and preparation process, the Organization needs to maintain documentation on the following. Business Impact Analysis Disaster Recovery and Restore procedures Business Staff Resources Information backups and images Offsite Preparedness Telecommunications […]
- Initial Event Detection and Plan Initiation - Initiation of this plan occurs upon the observation of an event that might have information security or business continuity implications. Examples include:
  - A discontinuity or outage or other event impacting a facility, staff, or IT resources
  - A user experiencing a problem with his/her workstation
  - IT may discover a problem
  - Antivirus alert or other IT intrusion […]
- Initial Decision Making - The IRT will meet and assess the situation to determine the proper response. Things it will consider include: Is the incident real or perceived? Is the incident still in progress? Is the incident security-related, information discontinuity, or both? What data or property is threatened and how critical is it? What key business processes are impacted? […]
- Initial Emergency Actions to Assure Preservation of Evidence - Should the event have information security implications, care must be taken to ensure that available evidence is preserved. This requires leaving the computing device in the same state as it was when the event was observed. In particular it means that, as a general rule:
  - Leave the computing device powered on [1]
  - Leave the computing […]
- Responding to an Incident - In the event of a security or privacy incident, the IRT’s response strategy will manage the following: What needs to be done to contain the incident and prevent the attack from spreading? How do we prevent the attack from re-occurring? Will the response alert the attacker and do we care? What needs to be documented […]
- Lessons Learned - Following restoration of services, the IRT will determine the root cause of the incident and take appropriate steps to minimize the likelihood of the incident happening again. Determine how the event happened (in the case of a security incident, determine the source of the intrusion, e.g., email, inadequate training, attack through a firewall port, attack […]