CSIRP Accountability, Information Sharing, and Communications Planning
End-to-End Process/Activity Accountability
All Processes and Activities
− Have inputs and create outputs
− Have suppliers responsible for the inputs
− Have customers/consumers that receive the outputs
Inputs and Outputs
− Have specifications: cost, timeliness, accuracy, etc.
Customers/Consumers
− Can be people, departments, other processes, decisions, and external organizations
If the output of a process/activity doesn’t have a home, why does the process/activity exist?
Two Process Management Concepts Combined: SIPOC and RACI
SIPOC – Supplier, Input, Process, Output, Customer
− Identifies and quantifies the inputs to and outputs from the process, along with who is responsible for delivery and who receives the deliverables
RACI – Responsible, Accountable, Consult, Inform
− Identifies the roles and responsibilities of those within the process
Total Accountability Model Metrics
Metrics Defined for Any Component and Rolled Up to Total Performance
Examples of CSIRP Measures
o Dwell time includes: Detection, Review, Analyze, Identify, Notify
o Containment includes: Collect, Validate, React
Measures from Mandiant White Paper: Using Metrics to Mature Incident Response Capabilities
Activity/Process – Obtain, Implement, and Maintain the Cyber Security Insurance Policy
Accountable: Finance/Risk Management Officer
Activity/Process – Communicate the Cyber Security Insurance Policy
Finance/Risk Officer
− Cyber Liability Policy Requirements/Checklist
− Insurance Broker Notification Requirements
− Coverage Allocation
− What’s covered
− Who provides services
− Fines and penalties
− Internal response resource costs
− Personnel
− Resources
− External response resource costs
Finance/Risk Management
Cyber Insurance Plan
− Cyber Liability Policy Requirements/Checklist
− Insurance Broker Notification Requirements
− Coverage Allocation
− What’s covered
− Who provides services
− Fines and penalties
− Internal response resource costs
− Personnel
− Resources
− External response resource costs
Technical
Information Technology/IT Security
− Identify and analyze
− Contain, eradicate, and recover
− Lessons learned (lessons learned applies to all facets to improve both prevention and reaction)
Root cause analysis
Business Contingency Planning
All Departments - Management
− Operations, Finance, Sales, etc.
Operational Continuity With Degraded Resources
Internal and external capabilities
Legal Department
Competent Cyber Incident Response Knowledge Coordinate and Execute Cyber Insurance Policy Notification Requirements
− Regulatory
− Industry
Business Implications
− Contractual Obligations
− Service Levels
Law Enforcement Crime Resolution
Corporate Communications
Internal
− Stakeholders
− Operational service impacts
− Management
− Employees
External
− Victims
− Consumers
− Business Partners
− Vendors
− Community/Market
− Media
Human Resources
Employee Victim Services
− Internal
− Employees
− Management
??? Customer Service
Victim Services
− Internal
− Employees
− Management
External
− Clients
− Business Partners
CSIRP Process Resource Center for the NIST SP 800-61 R2 Incident Response Lifecycle
Widely Referenced Incident Response Lifecycle
Extensive Availability of Supportive Authoritative Referenceable Sources
NIST SP 800-61 R2 Community CSIRP Process Resource Center Home Page
Mobilized Web-Based Computer Security Incident Response Plan
Visually Intuitive Navigation
Centralized Access to Supporting Resources
− NIST SP 800-53, 83, 83r2, 84, 184, 86, SANS, CERT, US & ICS-CERT, ISAC, MITRE, Specific Vendor Best Practices and more
− Each phase contains relevant intuitive workflows, supporting reference material where they apply within the process, and end-to-end accountability
− Reference center provides additional resources like threat playbooks and links to sites that provide malware remediation assistance
Home Page of CSIRP Process Resource Center – Expanded Intent & Key Definitions
CSIRP Home Page Linked Document CSIRP Web Framework Overview
CSIRP 1.0 Preparation
Preparation is about:
− Establishing and training the incident response team
− Proactively planning specific responses for the likely attacks the organization may face
− Acquiring the necessary incident response tools and resources
− Preparing the team to effectively react within minutes of unfamiliar attacks
− Testing plans and preparedness
− Continuously improving the incident response posture with lessons learned, industry updates, and reconnaissance
1.1 Create Computer Security Incident Response Team Charter (CSIRT)
CSIRT Charter
− Establishes written management commitment to the CSIRP
− Defines goals, scope, levels of authority, roles, and responsibilities
Step 1.4: Create Response Plans for Incident Types Defined in Step 1.2, the Compliance & Threat Requirements Library
CSIRP 2.0 Monitor, Detection, & Analysis
Monitor, Detection, & Analysis:
− The Monitor function was added to Detection and Analysis
− Monitor, Detection, & Analysis is about recognizing, receiving, analyzing and classifying all cybersecurity events and determining which are actual incidents vs. security or maintenance events
− Prioritizing the handling of incidents
− Event escalation path alternatives
2.1 Monitor and Detection
Workflow Screens Have Multiple Components
Total Accountability Bar
− Combines two process management concepts: SIPOC and RACI
− It identifies and assigns ownership to all aspects of the process.
− It is also where tangibles of the process are defined, largely in measurable terms. It helps define what success looks like.
Illustrates the Workflow as Designed for that Particular Portion of the Process
Contains additional links to documents that are SOPs and Work Instructions
− Can link to specific locations within automated application workflows
End-to-End Accountability & Performance Metrics – Total Accountability Model
Total Accountability Model – Combines SIPOC with RACI & Identifies Tangible Metrics
Total Accountability Integrated in All Workflows
Fingertip Access to SOPs and Work Instructions When Required in the Process
2.1 Monitor and Detection
2.2 Analysis
Fingertip Access to SOPs and Best Practices When Logically Required in the Plan
CSIRP 3.0 Containment, Eradication, & Recovery
Containment, Eradication, & Recovery is about:
− Isolating the attacked system(s)
− Quickly and effectively determining the appropriate containment method
− Stopping the damage to the infected host(s)
− Tracking down other system infections and remedying them
− Ensuring the attack is fully remedied
− Bringing functionality back to normal
− Monitoring to ensure there are no lingering components of the attack
3.1 Containment, Eradication, & Recovery
CSIRP 4.0 Post-Incident Activity
Post-Incident Activity is about:
− Conducting robust assessments of lessons learned
− Ensuring the appropriate actions are taken to prevent recurrence of the vulnerability exploit
− Conducting forensics to aid in understanding and remedying the vulnerability and the exploit, and to support possible legal actions
4.0 Post-Incident Activities
4.0 Post-Incident Activities
CSIRP Information Center
Library Contains Integrated Full Document for Regulatory and Audit Requirements
CSIRP Management Contacts
Designed to Adapt to Desktops, Laptops, Tablet, and Mobile Phones
Can be Configured to Any Compliance Standards
Services and Contact Information
Contact:
Henry Draughon
Process Delivery Systems
(972) 980-9041
[email protected]
www.processdeliverysystems.com
Process Center Development
• Domain Content Research and Development
− Policies, Guidelines, and Standards
− Domain Best Practices from Referenceable, Authoritative Sources
• Definitions and Visualization of Total Accountability; SIPOC/RACI
• Key Performance Measure Development
• End-to-End Process Maps Segmented by Logical Groups, Links to External Resources
• Applications, Forms, and Document Libraries, Resource Directories, Glossaries
• Process Governance and Policy Development
Manage the Forest and the Trees
Bridging the Gap Between Operations and Strategy
Watch the video: https://www.youtube.com/watch?v=nEW2LrC3-VE