Information Security Incident Report - PowerPoint
Security Incident Response
Eric W. Sinclair, CISSP
Information Security Specialist
Introducing… Todd Fitzgerald
What is Security Incident Response?
• Security incident response is the ability to detect and resolve problems that threaten people, process, technology and facilities.
• Resolution of an incident through an appropriate reaction to, and containment of, the problem constitutes security incident response.
What is a SIR Team?
• A Security Incident Response Team (SIRT) is formed to better address the dynamic threats against company systems and to handle security incidents by centralizing this activity in one functional unit.
• A more formalized incident response team can better respond to security incidents and ensure that the broad range of issues which arise are fully coordinated.
Requirements driving SIRT creation
• HIPAA
How do I get started?
• Research and utilize well known resources
– NIST SP800-61
– SANS Institute
– CERT
– Department of Homeland Security
– NSA
CAUTION!
• Tailor best practices to your organization!
• Don’t change your organization to meet a best practice!
Define “Incident”
• An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
(NIST SP800-61)
Your Definition of “Incident”
• The term “security incident” is defined as the act of non-compliance with the security policy, procedure, or a core security requirement that impacts the confidentiality, integrity and availability of health information.
(UGS SIRT Manual)
Define SIRT terms
• Event – observable occurrence
• Adverse event – negative consequence
• Event Indicators – sources of detection
• Incident examples – types of adverse events in YOUR organization
Security Pros: Present a draft to your members!
[Diagram: the Security Council (Management, Compliance, HR, IT, Legal, Biz Units, Sr. Management, IT Steering Committee, TS) reviews draft policies: Company Policies, User Reporting, Incident Response, SIRT Responsibilities]
Create Policies
• User incident reporting
– Users must immediately report any actual or suspected security incidents.
– Users will be required to assist with security incident resolution if necessary.
• Incident response
– Reported incidents must be acted upon immediately and appropriately. Establishes the SIRT program.
• SIRT Responsibilities
– Establishes membership, the responsibilities of each member, and the team as a whole.
Assign SIRT Leadership
• SIRT Manager
– Usually the Security Officer or Privacy Officer
• SIRT Deputy
– Usually a senior Security Department member
Assemble the Team
• Appropriate Skills
• Appropriate Organizational Groups
• Understanding of Individual Roles
[Matrix (cell assignments not recoverable from extraction): organizational groups IT, Legal, HR, Compliance, BCP, Physical, PA against member roles Mgmt, SSD, BIZ]
SIRT Charter
• Mission – Protect CIA
• Philosophy
– Immediately stop the incident?
– Allow it to continue for evidence collection?
• Goals
– Immediately stop any active incident
– Minimize the impact of security incidents to the company through containment of the incident
– Respond to reported security threats
– Collect and process data so that it can be used to prosecute, if necessary
– Enable reporting to proper external partners, such as the FBI, and other agencies that track incidents, such as the CERT
– Refine the security incident response process through evaluation of previous responses
Create Reporting Procedures
• Post user-friendly processes in accessible areas.
• Reporting Mechanisms: Phone, Intranet, Email
• When?
Handling the Incident
Incident Response Life Cycle
Preparation
Hard Lessons Learned…
• Document everything!
• Present users with multiple reporting mechanisms.
• Collect system/user logs immediately!
• Keep SIRT member lists and contact information updated.
• Centralized SIRT control
• Be aware of organizational relationships (other SIR Teams)
• Learn from previous incidents
• Update procedures regularly
Benefits of the IR Process
• Continued User Awareness
• Existing Policies Updated
• New Policies Created
• Measurement of Awareness
• Measurement of Compliance
• SIR Processes Updated
• Heightened SIRT Preparedness
Benefits of the IR Process
Policy Development
[Flowchart: Incident Report → SIRT Analysis Report → Recommending Body → Approving Body (Read / Accept) → Publish Policy]
Questions and Discussion