Five Key Information Security Incident Response Playbooks
Information security incident response activities can be stressful and challenging for organizations and their personnel to successfully navigate if they do not have prescriptive, comprehensive and tested plans or “playbooks” available. Effective incident response playbooks provide guidelines, methods and practices, procedures, checklists, and supporting materials to ensure an organization can limit the material impacts of an incident while effectively responding to it. These playbooks should be used and enhanced at least annually, and their details and requirements should be communicated in advance to leaders and stakeholders who may be affected by the playbook. There are many possible information security-related incidents that an organization may face, but the following 5 have proven to be highly probable based on frequency in recent times. Because of this frequency, it is essential for enterprises to have playbooks established for:
- Information data breach—Data breaches have become one of the key concerns of many organizational leaders and practitioners alike. These breaches often will require a forensic approach to incident response vs. an operational one, since they have the potential to lead to public disclosure and potential litigation against the affected organization. It is important to include detailed procedures for forensic investigation, e.g., data isolation and retention, evidence collection, system and data preservation, and handling (including chain of custody), in playbooks for this scenario. Forensic responses often differ greatly from approaches that operational staff may typically follow for operational incident response activities, in which containment and remediation are typically the initial primary goals. Information data breaches also often require the integration and coordination of resources from legal and compliance, communications/public relations, outside counsel, an outside investigation team, and business process owners.
- Virus/malicious code outbreak—A virus or malicious code outbreak can quickly spread across the technical infrastructure of an entire organization if it is not contained effectively. In virus or malicious code outbreak playbooks, it is important to first define methods and practices for identifying the virus or code and understanding its intentions and material business impacts, and then to compare these to the information risk profile of the organization. This comparison will help define the level of effort and the degree of business disruption that are acceptable for response and remediation efforts.
- Insider attack—Playbooks for insider attacks have to be carefully developed and have limited distribution due to the purpose for which they are intended. No organization ever wants to believe that a trusted insider would turn against the organization and create an information security incident. This emotional sensitivity has to be considered in the playbook’s methods, practices and procedures. Insider attack playbooks should include procedures for engaging outside assistance for incident response and investigation activities and interactions with legal, compliance and human resource representatives. It is not recommended that personnel who are coworkers or have personal relationships with the malicious insider(s) lead or are meaningfully involved in these incident response activities due to their inherent conflicts of interest. Methods and practices in these playbooks should include capabilities for identifying, documenting and monitoring the current and previous activities of insider attackers, limiting their ability to access sensitive information assets and information infrastructure while under review, and procedures for backfilling key personnel in the case that they are no longer available to complete their work tasks while under review.
- Physical incident or data loss—Many organizations have turned their focus for information security-related incidents to technology, while they still face physical system and data loss (e.g., lost devices or lost paper files, office break-ins). Playbooks for physical loss should be fairly similar to procedures for technical responses, but also include elements such as the ability to uniquely identify physical data assets and their contents, identify material business impacts of lost data, establish contacts and procedures to interact with law enforcement and physical security personnel, and preserve and process physical evidence.
- Network-based denial of service—Network-based denial of service (DoS) attacks are intended to impact the availability of systems and services that organizations often rely on to conduct business. When developing DoS incident response playbooks, it is important to include contacts and maintain relationships with incident response personnel at the Internet service and telecommunications providers. These individuals and their organizations are often key to the identification and remediation of DoS attacks, since they can address the attacks closer to their sources more easily than the targeted organization can. It is also useful to align response strategies and procedures with the organization’s system availability requirements and expectations. A tiered approach to incident response activities that differentiates between minimally acceptable and ideal system availability will help the enterprise apply appropriate response tactics and resources.
Information security-related incidents are no longer a possibility but more likely a probability for many organizations. The most effective incident response activities are choreographed and tested in advance to ensure that all appropriate measures are taken and nothing is missed in what is often a very stressful activity. It would not be realistic for an organization to develop incident response playbooks for every scenario. However, for those scenarios that are well understood and have a high level of probability, playbooks can make a measurable and material difference in the time, effort and impact involved in remediating security incidents.
John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.
CSX Practitioner Certification Now Available
Exam registration is now open for ISACA’s Cybersecurity Nexus (CSX) Practitioner (CSXP) certification, the first-ever vendor-neutral, performance-based certification for cybersecurity professionals.
To earn the CSXP certification, candidates must pass an exam in an adaptive, performance-based cyberlaboratory environment. The exam measures skills and abilities in a virtual setting using real-world cybersecurity scenarios.
ISACA is offering a special introductory rate of US $375 for those who take the exam before 1 October and complete a post-exam survey.
“Earning the CSXP demonstrates practically tested abilities in prevention, detection and response to a cybersecurity incident,” says Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, ISO 20000 LA, international president of ISACA and group director of information security at Intralot. “This credential is a clear indicator to employers that an individual has the skills to help protect and defend their organization.”
CSXP, the latest offering from CSX, was developed by a working group of cybersecurity experts and went through a rigorous review by more than 100 professionals from around the world. The innovative course delivery and testing components are the result of collaboration with the Art of Exploitation® (AoE™) cybersecurity team of TeleCommunication Systems, Inc. (TCS), a leader in cybersecurity training and enterprise solutions.
Training for the exam is available through self-paced labs or global training partners that will offer the following courses, combining lectures and cyberlab experience:
- Identification and Protection
- Respond and Recover
For more information, visit the CSX Practitioner Certification page of the ISACA web site.
Learn to Secure Data on Your Enterprise’s Mobile Applications
With the growing need for businesses to have mobile capabilities, enterprises must be able to identify users while protecting identities and data from malicious actors. To help organizations better secure mobile platforms, ISACA has partnered with CA Technologies to present the “Mobile Risk Analysis: Take Your Mobile App Security to the Next Level” webinar. This webinar will take place on 10 September at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.
Carol Alexander, head of authentication solutions at CA Technologies, and Charley Chell, security advisor at CA Technologies, will lead this webinar. They will discuss how to identify the legitimacy and identity of a mobile device user. Attendees will learn about the key factors and considerations when using contextual authentication in mobile applications and how these can protect against inappropriate access and data breaches.
To learn more about this webinar or to register for it, visit the Mobile Risk Analysis: Take Your Mobile App Security to the Next Level page of the ISACA web site.
Recruit Members, Earn Rewards
Join the Member Get a Member Program! The program began 1 August, and you can earn rewards for recruiting professional members to ISACA.
When ISACA grows, members benefit. More recruits mean more networking, more connections, more resources and more chances to win valuable prizes. For each new member who credits you as their recruiter, you get closer to winning 1 of our prizes.
Who can you recruit?
- A coworker who could benefit from COBIT
- Colleagues interested in professional growth
- Members of other professional associations
- Someone who might be interested in taking a Certified Information Systems Auditor (CISA), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) exam
- New college graduates eager for career advancement
To earn recruitment credit through the Member Get a Member program, your colleagues must provide your ISACA member ID number when joining. As an added bonus, your colleague's new member fee (US $30 or US $10 online) will be waived when your member ID is entered during the application process.
Start recruiting new members today—the more members you recruit, the more chances you have to win a prize. For more information, visit the Member Get a Member page of the ISACA web site. Questions? Contact email@example.com or +1.847.660.5600.
Understanding the Human Aspect of Security With a CISM Certification
Gopal Padinjaruveetil finds philosophy fascinating. In his free time, he reads about Western philosophies such as utilitarianism, individualism, objectivism, social contract theories and Eastern philosophies such as Vedanta. It is this curiosity about philosophy and human nature that led Padinjaruveetil to pursue a career in cybersecurity. “My background in and passion for organization behavior and human behavior helped me understand the human elements of cybersecurity,” he says. “With that understanding, I am able to apply the Certified Information Security Manager (CISM) certification in a much more pragmatic way.”
Having the CISM certification and being a member of ISACA has helped Padinjaruveetil connect with like-minded professionals and is the best part of being a CISM, he says. “I am very passionate on the topic of information security, and knowing that I am part of an organization that is growing and has the greatest credibility in the industry is really a fulfilling feeling that I have made the right choice,” Padinjaruveetil adds.
One of the biggest challenges of his job is encouraging enterprises to understand cause and effect and look at the bigger picture. “Security vulnerabilities are symptoms; making people understand that we need to find the root cause is a big obstacle. Overcoming the security challenges of today requires a different perspective,” Padinjaruveetil says. “The biggest obstacle is making people understand the relationship between cause and effect. In this case, the security vulnerability is an effect and the cause is somewhere else. Once they make the connection, it becomes self-managed and self-sustaining.”
Looking at the bigger picture is also a useful strategy for preparing for ISACA certification exams, Padinjaruveetil says. “As an item writer for the Certified in the Governance of Enterprise IT (CGEIT) certification exam, I realized how much thought is given to each certification question. My advice to those pursuing ISACA certifications is not to look at these as just an exam, but take time to really understand and get insights into the tasks and knowledge statements of each of the domain areas. This will not only help you with the exam, but will go a long way in giving you insights for applying these in your profession.”
To learn more about ISACA certifications, visit the Certification page of the ISACA web site.
Book Review: Auditing Social Media: A Governance and Risk Guide
In today’s highly competitive business world, social media is not a choice; it is a must. The authors of Auditing Social Media: A Governance and Risk Guide blend their extensive expertise in business strategies, social media, marketing, communications and internal auditing. Their experience is apparent in the book’s 7 chapters and 5 appendices, targeted at helping businesses navigate the maze of risk and governance surrounding social media.
Using unique, friendly, interesting and simple language, the book’s first few chapters provide an overview of social media, explaining its value-delivering strategy and how it could go wrong while being effectively and efficiently monitored and measured through listening and learning best practices. The authors, leading experts on social media compliance, explore the risk and compliance issues every business must consider when using social media, explaining why it works, the legal issues involved, how to develop a social media policy and strategy, and how to track it through strong metrics. The book discusses the elements of an effective social media policy for both internal stakeholders and external stakeholders, exposing social media risk by stressing that the greatest risk related to social media is what organizations do not know. Some see the governance role as being the responsibility of the boards of governors and related oversight committees, but the authors of this book look at governance in a broader perspective, viewing governance as who is watching the store.
Packed with useful web links and popular social media usage and monitoring tools, Auditing Social Media concludes in the form of a complete, comprehensive social media audit program. The book is intended for chief executive officers (CEOs) looking out for their enterprises’ business involvement with social media, but the book is appropriate for all senior security professionals, IT auditors, consultants and students. As the book’s core material tends to be more descriptive and illustrative rather than technical, it does not require the reader to possess an advanced level of IT knowledge or expertise. The book does not provide specific case studies on the subject of social media auditing, but it does contain several explanatory examples throughout the book.
Auditing Social Media: A Governance and Risk Guide is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email firstname.lastname@example.org.
Mahmoud D. Ghuneim, CISA, served as a professional communications engineer with governments in the Arabian Gulf and Jordan for more than 30 years including practices with computer and fixed communications networking security. He was the science editor with several Arab daily papers and magazines and a consultant for major computer bookstores in Jordan for more than 20 years. Ghuneim served twice as a member of the ISACA Publications Subcommittee.