Wed Nov 26 09:45:09 PST 2014

Incidents: Response: Who should control and execute responses to information-related attacks?


Options:

Incident response processes are controlled by {a designated team, different people for different situations as defined by policies, the individual first encountering it} through {a defined workflow process, a process defined by policy but not codified in work flow systems, an ad-hoc process, however the responders deem appropriate} engaging {internal workers only, outside technical assistance, outside private investigative assistance, law enforcement, outside counsel, outside public relations}.

Decision:

IF an incident response plan is in place with central management, THEN the process should be controlled by a designated team,
OTHERWISE IF policy defined an individual or titled position responsible for incident handling, THEN the process should be controlled by policy-defined individual(s),
OTHERWISE the process should be controlled by the individual first encountering the incident.
IF the enterprise is at managed maturity or above, THEN the process should be managed through a defined workflow process,
OTHERWISE IF policy defined a process for incident handling, THEN the process should be managed through a process defined by policy but not codified in work flow,
OTHERWISE IF defined individuals with expertise are managing the process, THEN the process should be managed through an ad-hoc process,
OTHERWISE the process should be managed however the responders deem appropriate
Pick all that apply based on the situation.
IF the incident is not believed to involve insiders involved in the incident handling process, THEN the enterprise should engage internal workers.
IF inadequate expertise, available time, or independence exists at a technical level, THEN the enterprise should engage outside technical assistance,
IF internal investigative expertise is inadequate and an investigative process is required, THEN the enterprise should engage outside private investigative assistance,
IF a crime has been committed and criminal action is to be pursued, THEN the enterprise should engage law enforcement,
IF if the incident involves a substantial legal issue and internal legal expertise or time is not available for the situation, THEN the enterprise should engage outside counsel.
IF if the incident involves a substantial public relations issue, THEN the enterprise should engage outside public relations professional(s).

Basis:

The process should be controlled by a designated team:
Typically incident response teams start with an internal security operations center team and, if the incident exceeds identified thresholds, the process is escalated to an appropriate management level. There are usually no more than three levels of escalation involved; (1) reporting to the help desk or similar function, or in the case of a personnel initiated incident, through the HR department or appropriate management chain, (2) triage to determine that it is a security-related incident and routing to physical security, information security, legal, or HR department to lead the effort, as appropriate to the situation, and (3) escalation to top management if the magnitude of the situation warrants further attention. Within each of these functions, additional process and team efforts may be applied, including calling in other individuals as needed from other teams, depending on the nature of the incident.

The process should be controlled by policy-defined individual(s):
In some cases, policy defined an individual responsible for incident handling. This is typically the CISO or other Information Protection Lead (IP Lead) for anything related to information protection. The Lead then manages the incident handling process appropriate to the need. Typically, the IP Lead will create teams such as those identified in the above process, be depending on the size and nature of the organization, other structures may be used.

The process should be controlled by the individual first encountering the incident.
When nothing else is defined, whoever identifies something as an "incident" will likely proceed in their own way to deal with it or not as they see fit. While this is not normally advised, it is de-facto what happens when nothing else is put in place to systematically manage the process.


The process should be managed through a defined workflow process.
A defined workflow process is generally in place for any enterprise of managed or higher maturity. The workflow process may involve automation, such as help desk ticketing systems or other similar mechanisms, and may also involve manual processes like checklists or other standard approaches that are known to workers. Generally, these processes are documented if the enterprise operates at the managed level or above.

The process should be managed through a process defined by policy but not codified in work flow
In cases where the enterprise has defined processes, but does not have a workflow mechanism or has yet to codify incident response in terms of such a system, the policy-defined process should be used. This is most often the case in an enterprise operating at the defined maturity level, but that has not yet, or does not with to operate at the managed maturity level or above.

The process should be managed through an ad-hoc process:
In enterprises operating below the "defined" level of maturity, or for situations in which no defined process exists because of novelty or incompleteness of the defined processes, an ad-hoc process is necessary, but it should follow other aspects of enterprise process. This should be done at the repeatable maturity level and definitions and process updated to adapt for future incidents of similar types.

The process should be managed however the responders deem appropriate
In cases where there is little or no definition of process and the enterprise is operating at the initial or repeatable maturity level only, whoever is responding to an incident will do whatever they do.


The enterprise should engage internal workers.
Enterprise employees or other internal workers are generally used in incident response when a sufficient internal capability is in place because there are sufficient incidents to warrant such a team; or in cases when the issues are so sensitive that external workers would be unacceptable for one reason or another. Internal workers tend to know a lot more about how internal systems operate, especially when custom infrastructure, applications, or configurations are in use. They also tend to be intimately involved with day-to-day issues and better understand the enterprise and how it works.

The enterprise should engage outside technical assistance
Outside technical assistance is often required in incident handling when internal teams don't handle a lot of incidents and therefore don't have the knowledge and experience in handling them well, or when specialized knowledge or additional personnel are required, or less often, in cases when there are legal issues or the potential that insiders are involved, mandating external expertise be used. Many companies outsource standard network intrusion processes to other companies that specialize in this area, but use internal experts for platform intrusions or special cases.

The enterprise should engage outside private investigative assistance.
Whenever hunting down people or seeking the source of an incident, rather than just dealing with repair of affected mechanisms and restoration of utility, an investigative process is required. Unless adequate internal investigation expertise is in hand and independent of the incident, outside private investigations are required. Generally, when an insider is suspected and the incident is serious, an outside expert is called in, if only to augment internal teams.

The enterprise should engage law enforcement.
When a crime has been committed, especially when there is a threat to personal safety: involving law enforcement is vital. Failure to call law enforcement for certain types of matters may result in legal liabilities. For example: if a threat to health and safety is made via computers and it appears to be serious: private detectives may be the first call: but if such cases escalate, law enforcement is critical. If there is internal criminal activity: not calling law enforcement may turn decision makers into accessories after the fact and expose corporate officers to civil and criminal liability. For certain classes of crime: reporting to regulatory agencies may also be mandatory. As a rule. it is important to have thought through the possibilities in advance and to have a policy about when to call law enforcement. If this sort of decision has to be made in real time: errors can be very costly.

The enterprise should engage outside counsel.
Whenever legal issues arise and internal legal expertise is either not staffed to the level required to manage such matters or doesn't have the specific legal expertise required to handle the case, outside counsel should be brought in. Outside counsel is also used in cases involving top executives because of the potential conflicts of interest and potential for attempts to influence inside counsel or have the perception of such attempts.

The enterprise should engage outside public relations.
Whenever public relations issues arise and internal expertise is either not staffed to the level required to manage such matters or doesn't have the specific public relations expertise required to handle the case, outside public relations experts should be brought in. Outside public relations is also used in cases involving public disclosures or top executives because of the potential high consequences associated with brand.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved