Cyber Security Awareness Month - Day 18 - What you should tell your boss when there's a crisis
Last Updated: 2010-10-18 21:37:33 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
The topic for day 18 of the Cyber Security Awareness Month is something that happens frequently in many organizations: information security incidents. Many companies have formal information security incident response teams that help reduce the impact of incidents on the organization. One fundamental element of any incident response plan has to be the information given to your boss during the crisis. Let's take a look at the incident response lifecycle diagram:
[Figure: incident response lifecycle (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity). Source: NIST Special Publication 800-61, Computer Security Incident Handling Guide, page 3-1]
Preparation: When the team is preparing for an incident, you must determine which incidents are most likely to occur inside the organization. Risk analysis is crucial to identifying the incidents that are likely to affect the company's information assets. With your boss you should identify the risks the company is willing to accept and those it will not. Management should understand that each risk it decides to accept on behalf of the company may turn into a future incident for which the company must be prepared. This is also where you prepare the elements required to respond to potential incidents if they occur: the technical and procedural elements, the organizational skills and, above all, the procedures that regulate the operation of the incident response team.
Detection and Analysis: There are several ways in which the incident response team can detect a security incident, such as alerts from monitoring systems, reports from employees or even reports from your own boss. In any of these cases there will be tremendous pressure from the people who raised the alarm to know what happened and to take action against those responsible. When you give the official report to your boss, report only truthful and accurate information about what happened, not speculation and assumptions: much of this information may be used in legal proceedings or in meetings with senior management, where any statement you make will be taken as absolute truth. Keep verified facts (with the evidence that backs them) clearly separated from working hypotheses, and say plainly what is still unknown.
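One way to keep the briefing honest in practice is to refuse to label anything "confirmed" unless it carries an evidence reference, and to render the confirmed facts, the hypotheses and the open questions as separate sections. The following is an added example written for this page, not code from the diary or from SANS ISC; the incident identifier, the findings and the evidence references are constructed sample data, and the class names are hypothetical.

```python
"""Management status report for a security incident.

Hypothetical helper (not from the SANS ISC diary): every statement that goes to
management is tagged as confirmed (and must then carry an evidence reference) or
as a working hypothesis, and the rendered briefing keeps the two apart.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Finding:
    statement: str
    confirmed: bool                                    # True only when verified against evidence
    evidence: List[str] = field(default_factory=list)  # log / ticket / artifact references
    observed_at: Optional[datetime] = None             # when the fact was observed (UTC)


@dataclass
class IncidentStatus:
    incident_id: str
    findings: List[Finding] = field(default_factory=list)
    open_questions: List[str] = field(default_factory=list)

    def add(self, finding: Finding) -> None:
        """Refuse to record a 'confirmed' statement that has nothing backing it."""
        if finding.confirmed and not finding.evidence:
            raise ValueError(f"confirmed finding has no evidence: {finding.statement!r}")
        if finding.observed_at is not None and finding.observed_at.tzinfo is None:
            raise ValueError("observed_at must be timezone-aware (use UTC)")
        self.findings.append(finding)

    def confirmed(self) -> List[Finding]:
        """Verified facts, oldest first; facts without a time sort last."""
        latest = datetime.max.replace(tzinfo=timezone.utc)
        return sorted((f for f in self.findings if f.confirmed),
                      key=lambda f: f.observed_at or latest)

    def suspected(self) -> List[Finding]:
        """Working hypotheses that have not been verified yet."""
        return [f for f in self.findings if not f.confirmed]

    def render(self) -> str:
        """Plain-text briefing with facts, hypotheses and unknowns in separate sections."""
        def when(f: Finding) -> str:
            return f"{f.observed_at:%Y-%m-%d %H:%M} UTC" if f.observed_at else "time not established"

        lines = [f"Incident {self.incident_id} - status as of "
                 f"{datetime.now(timezone.utc):%Y-%m-%d %H:%M} UTC",
                 "", "CONFIRMED (evidence-backed):"]
        lines += [f"  - {f.statement} [{when(f)}; evidence: {', '.join(f.evidence)}]"
                  for f in self.confirmed()] or ["  - none"]
        lines += ["", "UNDER INVESTIGATION (not verified; do not act on these yet):"]
        lines += [f"  - {f.statement}" for f in self.suspected()] or ["  - none"]
        lines += ["", "OPEN QUESTIONS:"]
        lines += [f"  - {q}" for q in self.open_questions] or ["  - none"]
        return "\n".join(lines)


def example_status() -> IncidentStatus:
    """Constructed sample data for a hypothetical incident (not a real case)."""
    st = IncidentStatus("IR-2010-018")
    st.add(Finding("Workstation WS-042 contacted an unknown external host over TCP/443", True,
                   evidence=["proxy log export, ticket SOC-1187"],
                   observed_at=datetime(2010, 10, 18, 14, 5, tzinfo=timezone.utc)))
    st.add(Finding("The WS-042 user's domain account logged in from WS-042 after business hours", True,
                   evidence=["domain controller security log, export SOC-1188"],
                   observed_at=datetime(2010, 10, 18, 22, 40, tzinfo=timezone.utc)))
    # A hypothesis: plausible, but nothing backs it yet, so it stays out of the facts section.
    st.add(Finding("The initial vector was a phishing e-mail", False))
    st.open_questions.append("Was any customer data stored on WS-042 at the time?")
    return st


if __name__ == "__main__":
    print(example_status().render())
```

Because `add()` rejects a confirmed finding without evidence, the report cannot silently promote a guess to a fact; a hypothesis can only move to the confirmed section once someone attaches the log, ticket or artifact that proves it, which is also what you will need later if the report ends up in a legal proceeding.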
Containment, eradication and recovery: Once it is determined that the events constitute an information security incident, make an objective assessment of the situation, define a containment, eradication and recovery strategy that is compatible with corporate strategy, and present to your boss a work plan that takes a pessimistic view of task durations, so that you can absorb the contingencies that will arise. When we talk about compatibility with corporate strategy, the following variables should be weighed against the company's objectives: potential damage to resources, the need for evidence preservation, service availability, the time and resources needed to implement the strategy, the effectiveness of the strategy, and how long the solution will last. Before you begin executing the plan, make sure your boss agrees with it, and keep your boss informed of the critical issues you run into. Your boss will be your main support during execution, and you want that attention focused on the parts where you actually need support.
Post-incident activity: Once containment, eradication and recovery have been completed, meet with your boss and the other stakeholders, discuss the lessons learned, and devise recommendations to prevent similar events and to respond more effectively to them in the future. The idea is to maintain your boss's commitment to the information security process and to the incidents that will inevitably occur in the future.
Do you have more recommendations? Feel free to page us here. I will be updating the diary with all your input.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org