Security Policies and Implementation Issues

Lesson 12
Incident Response Team (IRT) Policies

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective

Describe the different information security systems (ISS) policies associated with incident response teams (IRTs).

Key Concepts
• Incident response policies
• Team members associated with incident response
• Emergency services related to IRTs
• Policies specific to incident response support services
• Policies associated with handling the media and what to disclose
• Business impact analysis (BIA) policies
• Business continuity plan (BCP) policies
• Disaster recovery plan (DRP) policies

Incident Response Team (IRT)
• Cross-functional team
• Organized and coordinated
• Various skills
• Usually only responds to major incidents
  − Minor incidents considered part of normal operations

Definition of an Incident
• Any event that violates security policy
  − Unauthorized access to data
  − Unauthorized modification of data
  − Disruption of service

Classifying Breach by Attack Vector

Attack vectors:
• SQL injection
• Improperly segmented network environment
• Malicious code or malware
• Insecure remote access
• Insecure wireless

Classifying an Incident
• Develop a classification system
  − Varies by industry type
  − Should meet legal and regulatory obligations
• Common approach is to use categories that assess threat level
  − Malicious code
  − Denial of Service
  − Unauthorized access
  − Inappropriate usage
• Major vs. minor
  − Major incidents are significant
  − Determination based on risk to organization

Forming an Incident Response Team
• Develop a charter
  − Determine IRT Model
  − Set goals (e.g., response time)
• Identify Team Members

Charter Sections
• Summary
• Mission Statement
• Goals
• Team responsibilities
• Incident Declaration
• Definitions
• Declaration process
• Organizational Structure
• Team alignment
• Member management
• Roles & Responsibilities
• For team members
• Information Flow
• Communications
• Methods
• How goals are achieved
• Authority & Reporting
• Level of authority
• Source of authority

IRT Models

• On-Site Response: Full authority to contain breach
• Supporting Role: Technical assistance to local team
• Coordination: Coordinates several local teams

Roles and Responsibilities

Incident Response Support Services
• This is a broad category to mean any team that supports the organization’s IT and business processes
  • Example: The help desk is a support services team
• During an incident, the help desk may be in direct contact with the customer who is impacted by the attack

Incident Response Support Services (Continued)
• The help desk, at that point, becomes a channel of information on the incident
• It’s vital that the help desk during an incident is providing a script of key talking points about the incident

The Incident Response Process

Process diagram stages:
• Plan and Train
• Discover and Report Incident
• Contain
• Clean Up
• Report
• Analyze and Prevent

BIA Policies
• Identifies assets required for business to recover and continue doing business
• BIA may be based on multiple worst-case scenarios
• BIA should contain security breach scenarios
• Key assets include critical resources, systems, facilities, personnel, and records

BIA Policies (Continued)

• Identifies recovery times
• Used for information security and non–information security purposes
• Identifies adverse effects on the organization
• Identifies key components

Key Objectives of the Business Impact Analysis (BIA) Policy
• Identify resources required to recover each component
• Identify human assets needed to recover these components
• Identify dependencies, such as other BIA components

Business Continuity Planning Policies
• Creates a road map for continuing business operations after a major outage or disruption of services
• Establishes the requirement to create and maintain the plan
• Provides guidance for building a plan
• Includes key assumptions, accountability, and frequency of testing

Business Continuity Planning Policies (Continued)
• Must clearly define responsibilities for creating and maintaining a BCP plan
• Identifies responsibilities for its execution
• Covers the business’s support structure

BIA, BCP, and DRP

• BIA: Drives the requirements for the BCP
• BCP: Drives requirements for the DRP
• DRP: Policies needed to recover IT assets after a major outage

Best Practices in Incident Response
• Effectiveness of the IRT and its related policies needs to be measured
• Measurement should be published annually with a comparison to prior years

Best Practices in Incident Response (Continued)
• Measurements should include the goals in the IRT charter, plus additional analytics to indicate the reduction of risk to the organization, such as:
  • Number of incidents
  • Number of repeat incidents
  • Time to contain per incident
  • Financial impact to the organization

Summary
• Incident classifications
• Roles and responsibilities associated with incident response team policies
• Incident support services
• Best practices to create incident response team policies
• BIA, BCP, and DRP policies
