You may be thinking "we don't have an incident response plan." If so, don't feel bad - you are not alone. Many organizations barely have any semblance of a disaster recovery plan, much less formal incident response procedures. Interestingly, I had two recent conversations with business colleagues about incident response. One person is well-versed in disaster recovery and business continuity and the other in IT compliance.
Get With IT
Incident Response
The biggest security gaffe of all?
By Kevin Beaver, CISSP

From firewalls, to passwords, to encryption on one hand, to PCI DSS, ISO 27002 and SAS70 audits on the other, we often assume that all is well in IT as long as we have covered the security and compliance basics. The general perception is that the businesses suffering losses resulting from security breaches are run by people who do not follow such practices.

It is one thing to be proactive, but you still have to prepare for the reactive side of security — for the things you have overlooked.

If your business were to experience a hack attack or some type of data breach, do you feel confident that everything would be taken in stride? Would your incident response team swoop in on the scene to stop the bleeding? What about your customer service personnel — are they prepared to handle the ensuing flood of phone calls? Will your PR team be able to stand in front of a television camera and provide sound answers to the media ferrets' questions? You can throw all the best security controls in the world at your information systems, but it is virtually guaranteed that there is something, somewhere, waiting to be exploited. What is your response plan?

You may be thinking "we don't have an incident response plan." If so, don't feel bad — yo

• Bank storage bins containing paper waiting to be shredded were stolen, resulting in the exposure of countless sensitive customer records.
• A hacker gained access to the credit card transaction communications stream between a pub and its credit card processing company, resulting in credit card number exposure and subsequent illegal usage for someone's ill-gotten gains.
• Confidential information on 4,500 students was posted on a publicly-accessible area of a university's Web site for months, resulting in life-long exposure of personal information.

How would your organization handle these situations? Do you have procedures in place to respond rather than react? Do key people involved understand their roles and their responsibilities? Does management realize that most states have breach notification laws, requiring businesses to contact customers when a breach has occurred or is suspected?

Security incidents can result from technical weaknesses in computer system configurations and poorly-written Web applications. Operational weaknesses, such as improper system maintenance, lack of training and poor change management are worthy contributors as well. The reality is