Whip Your Incident Response Program into Shape
Agenda
• Introductions
• Understand requirements behind an incident response program (IRP).
• Identify the different components of an effective IRP.
• Learn how to prepare for your testing exercise.
• Learn how to develop meaningful testing scenarios.
• Understand how to conduct and document the testing.
• Questions
INTRODUCTIONS
Today’s Speakers
Nadia Fahim-Koster, Director, Meditology Services
• 14+ years experience in healthcare IT security and privacy leadership
• Previously CISO and Chief Privacy Officer for several large health systems
• Certified CISSP, HCISPP, and HITRUST CCSFP
• Advises healthcare clients coast to coast on privacy and security
Kim Rosser, R.N., Senior Associate, Meditology Services
• Certified HITRUST CSF Practitioner
• Extensive Risk Assessment experience working with HITRUST, HIPAA, FISMA, and NIST
• Registered Nurse with 20+ years of clinical experience
Meditology is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare.
REGULATORY REQUIREMENTS
Requirements
• The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to “identify and respond to suspected or known security incidents, as well as mitigate to the extent practicable, harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes.”
Source: Department of Health & Human Services: HIPAA Security Series: Requirement 164.308(a)(6)(i) – Response and Reporting.
COMPONENTS OF AN EFFECTIVE INCIDENT RESPONSE PROGRAM (IRP)
Policy
The National Institute of Standards and Technology (NIST) recommends that the following elements be included in the IRP policy:
• Statement of management commitment
• Purpose and objectives of the policy
• Scope of the policy
• Definition of security incidents and related terms
• Roles, responsibilities, and levels of authority
• Severity ratings of incidents
• Performance indicators
• Reporting and contact forms
NIST Special Publication 800-61, Revision 2 – Computer Security Incident Handling Guide
Plan
The plan should be tailored to the size, structure, and mission of your organization. NIST recommends that the following elements be part of your IRP plan:
• Senior management sponsorship and approval
• Goals and objectives for incident response
• Organizational structure of the various team members, their resource requirements, and their roles
• Communication process for internal and external entities
• Outline of the incident response methods for each classified incident from the policy
• Metrics for evaluating the effectiveness of the team and process
• Processes for annual review and evaluation
Organizational Structure
Command
• Defines the incident goals and operational period objectives
• Includes an Incident Commander, Safety Officer, Public Information Officer, Senior Liaison, and Senior Advisors
Planning
• Coordinates support activities for incident planning, contingency, long-range and demobilization planning
• Supports Command and Operations in processing incident information
• Coordinates information activities across the response system
Logistics
• Supports Command and Operations in their use of personnel, supplies, and equipment
• Performs technical activities required to maintain the function of operational facilities and processes
Admin/Finance
• Supports Command and Operations with administrative issues as well as tracking and processing incident expenses
• Includes such issues as licensure requirements, regulatory compliance, and financial accounting
Operations
• Establishes strategy (approach methodology, etc.) and specific tactics (actions) to accomplish the goals and objectives set by command
• Coordinates and executes strategy and tactics to achieve response objectives
Statement of Management Commitment
Management commitment and responsibilities include:
o Program management
o Program review and updates
o Development of a review panel or task force if hazards are identified, or for deployment after an event to assist in its review
o Assisting with training
o Enforcing disciplinary actions as needed
o Interaction and assistance with regulatory and response agencies
Purpose and Objectives
Purpose and objectives of the policy
• To ensure that information security events, and weaknesses associated with information systems, are handled in a timely manner and allow corrective action to be taken.
• Governs the actions required for reporting and responding to security incidents involving client information assets.
• Ensures effective and consistent handling of such events to limit any potential impact to the confidentiality, availability and integrity of client information assets.
Scope
Scope of the policy:
• Applies to all workforce members, users, and all personnel affiliated with third parties who access or use client information assets, regardless of physical location.
• Also applies to:
o Information technology administered in individual departments
o Technology administered centrally
o Personally-owned computing devices connected by wire or wireless to the client network
o Off-site computing devices that connect remotely to the client network
Definition of Security Incidents
• Security Incident: a violation, or imminent threat of a violation, of IT or Information Security policies, procedures, acceptable use policies, or standard security practices.
• Security Incident Response Team (SIRT): a group of individuals set up for the purpose of assisting in responding to security-related incidents.
• Unauthorized Access/theft: unauthorized access encompasses a range of incidents from improperly logging into a user's account (e.g., when a hacker logs in to a legitimate user's account) or unauthorized usage of logon credentials to obtaining unauthorized access to files and directories possibly by obtaining "super-user" privileges.
• Virus: self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence.
Roles and Responsibilities
Roles, responsibilities, and levels of authority
Primary Incident Handler
• The assigned “owner” of a security incident after the initial notification
• Ensures coordination, documentation, and communication with the SIRT and any other departments or organizations directly involved in the security incident
• Responsible for the quality of the incident handling procedures for the assigned event
Incident Coordinator
• Designates incident roles and responsibilities per incident
• Manages team members assigned to specific tasks during an incident
• The communication point between SIRT groups, members and the Primary Incident Handler
• Makes sure that the team is focused on their goal and reports any findings up the chain of command
• Prepares a written summary of the incident and corrective action taken
• Documents all details of an incident and facilitates communication
Onsite Incident Handler
• Lead handler during offsite incidents; responsible for gathering evidence and making sure proper procedures are followed as defined by the Primary Incident Handler
Incident Sponsor (Executive Leadership)
• The SIRT should have a member of the management team as its sponsor
Users/Employees
• Report suspected or known security incidents through the IT Service Desk
• Cooperate with investigative personnel during investigation if needed
Severity Ratings
Severity ratings of incidents
Critical/High
Description: Incidents that are extensive, widespread and where the impact is severe.
Examples: malicious code; unauthorized access; DOS affecting critical services; data breach; outages; attack against infrastructure
Medium
Description: Incidents where the impact is significant.
Examples: attempts to gain unauthorized access; open mail relay
Low
Description: Incidents where the impact is minimal (minor, localized incidents).
Examples: unauthorized network probes or system scans; isolated virus infections
Performance Indicators
A list of possible metrics is provided below:
• Total number of incidents (as a control measure)
• Breakdown of incidents by stage (logged, work in progress, closed, etc.)
• Size of current incident backlog
• Number and percentage of major incidents (as well as other impact, urgency and priority)
• Mean elapsed time to achieve incident resolution or circumvention, broken down by impact code
Though a lengthy list, it is not exhaustive.
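The metrics above are only useful if the incident log actually captures the fields they depend on (stage, severity, open and resolve timestamps). The following added example, which is not part of the deck, computes each listed metric from a constructed incident log; the `Incident` record layout, the stage names and the severity labels (taken from the deck's severity ratings) are assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    ident: str
    severity: str            # "Critical/High", "Medium" or "Low" (IRP severity rating)
    stage: str               # "logged", "work in progress" or "closed"
    opened: str              # ISO 8601 timestamp
    resolved: Optional[str]  # ISO 8601 timestamp, or None while still open

# Constructed sample log (hypothetical incidents, not real data).
INCIDENTS = [
    Incident("INC-001", "Critical/High", "closed", "2014-07-01T09:00", "2014-07-01T21:00"),
    Incident("INC-002", "Medium", "closed", "2014-07-02T10:00", "2014-07-04T10:00"),
    Incident("INC-003", "Low", "work in progress", "2014-07-10T08:00", None),
    Incident("INC-004", "Critical/High", "closed", "2014-07-11T14:00", "2014-07-12T02:00"),
    Incident("INC-005", "Low", "logged", "2014-07-15T15:30", None),
    Incident("INC-006", "Medium", "work in progress", "2014-07-15T16:00", None),
]

def total_incidents(incidents):
    return len(incidents)

def stage_breakdown(incidents):
    """Count of incidents per workflow stage."""
    return dict(Counter(i.stage for i in incidents))

def backlog_size(incidents):
    """Everything not yet closed is backlog."""
    return sum(1 for i in incidents if i.stage != "closed")

def major_incident_share(incidents, major=("Critical/High",)):
    """(count, percentage) of incidents rated at a 'major' severity."""
    n = sum(1 for i in incidents if i.severity in major)
    return n, round(100.0 * n / len(incidents), 1)

def mean_hours_to_resolution(incidents):
    """Mean open-to-resolve time in hours, broken down by severity; unresolved incidents are skipped."""
    hours = defaultdict(list)
    for i in incidents:
        if i.resolved is None:
            continue
        delta = datetime.fromisoformat(i.resolved) - datetime.fromisoformat(i.opened)
        hours[i.severity].append(delta.total_seconds() / 3600)
    return {sev: round(mean(v), 1) for sev, v in hours.items()}

if __name__ == "__main__":
    print(total_incidents(INCIDENTS), stage_breakdown(INCIDENTS), backlog_size(INCIDENTS))
    print(major_incident_share(INCIDENTS), mean_hours_to_resolution(INCIDENTS))
```

Severity levels with no closed incidents (here, "Low") do not appear in the resolution-time result at all, which is itself worth reporting rather than silently treating as zero.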
Reporting and Contact Forms
Reporting and contact forms
Sample contact form
The Incident Report covers the following key areas:
• Incident Identification Information
• Incident Summary
• Incident Notification
• Incident Workflow
• Action Summary
• Post-Incident Analysis
• Artifacts
Procedures
The most common procedures include the following elements:
• Communication—both internal and external to your organization
• Escalation notification
• Incident tracking forms
• Incident reporting and documentation
• Investigation checklists by technology platform
• Remediation checklists by risk and threat classification
• Security information event management (SIEM)
• Evidence collection and handling “chain of custody”
• Forensics investigation and documentation
• Data retention and destruction
• Non-disclosure agreements
PREPARE FOR YOUR TESTING EXERCISE
Testing Preparation
A good IRP test requires adequate preparation:
• Review every component of your IRP including your IRP Policy
• Assess your procedure documentation for potential improvements and/or changes
• Identify the different teams listed within the IRP to know who the participants of the exercise will be
• Determine whether you will involve every member of every team, or just a representative
Testing Preparation
• Every role should have 2 tiers (primary and secondary)
• Roles to include:
o Internal communications
o External communications
o Human Resources
o Legal
o Executive Leadership
o Marketing
DEVELOP MEANINGFUL TESTING SCENARIOS
Meaningful Scenarios
Create the scenarios that will be used during the exercise:
• Align the scenarios with the incident criticality levels as identified in the IRP plan
• Create scenarios that align with real-life incidents in the industry
• Scenarios should test for the effectiveness of your organization’s HIPAA Breach Notification plan
Low Incident
Jessica in HR has been busy interviewing candidates for positions within Client. She mistakenly emailed one of the candidates a document containing employee demographic information.
She immediately notifies her manager.
What next steps should be taken?
Medium Incident
Several employees have reported the following email:
From: Smith, John [[email protected]]
Sent: Friday, July 15, 2014 3:15PM
Subject: System Administrator
UPDATE YOUR MAIL BOX QUOTA
Your mailbox has almost exceeded its storage limit.
It will not be able to send or receive emails if exceeded it limit and your email account will be deleted from our servers. To avoid this problem you need to update your mailbox quota. By clicking on the link below and filling your login information for the update.
http://owa-team1.webs.com/
If we do not receive a reply from you, your mailbox will be suspended.
Thank you for your cooperation
Critical Incident: Hacktivist Threat & Attack
• Receptionist receives a threatening phone call from Pro Life Radicals objecting to <CLIENT>’s support of birth control and contraceptives.
• Pro Life Radicals state, “YOU HAVE 7 DAYS TO PUBLICLY MAKE A STATEMENT PLEDGING <CLIENT> WILL NO LONGER PROVIDE ANY CARE THAT DOES NOT ALIGN WITH PRO LIFE IDEALS. <CLIENT> IS NOT TO PROVIDE BIRTH CONTROL, CONTRACEPTIVES, NOR ANY PREGNANCY ENDING PROCEDURES. FAILURE TO COMPLY WILL RESULT IN THE MARRING OF THE <CLIENT> BRAND AND REPUTATION, ALONG WITH THE LOSS OF THE CONFIDENTIALITY PROMISED TO YOUR PATIENTS. THIS MESSAGE WILL BE DELIVERED DAILY UNTIL COUNTDOWN EXPIRES.”
CONDUCT AND DOCUMENT THE TESTING
Conducting the tabletop exercise
• Designate a facilitator (akin to a Dungeons and Dragons game master)
• Facilitator should outline his/her role and responsibilities
o help participants step through the exercise in an organized manner
o ensure the active participation of all team members
o raise difficult questions
o make certain that the IRP is being followed
o verify that any identified issues are documented
• Ask members to introduce themselves and the areas they represent
Have several copies of your organization’s IRP on hand!
Conducting the tabletop exercise…
• Describe to the team what your organization intends to accomplish by conducting an IRP tabletop exercise
• Explain what an example scenario looks like and how you will walk the participants through the incident
• Describe the role of the scribe(s)
• Choose to begin with either a low-level incident or a critical-level incident
• Read the scenario to the team and give them a few minutes to digest the information before proceeding
Conducting the tabletop exercise…
• Get the team started by asking them some questions such as:
o How would you handle this incident?
o Who should the charge nurse notify?
o Who would be notified next?
• Be sure teams adhere to the IRP documents
• During the second scenario, introduce unexpected variables to throw the team off guard and see how they handle new, unexpected information
Conducting the tabletop exercise…
HOTWASH:
• Summarize the events
• Run through the list of “to-dos” identified by the team during the exercise
• Perform a “lessons learned” session
Survey participants:
1. Did you get what you needed?
2. Did everyone in your group participate?
3. What did you learn?
4. What would you change?
Documenting the tabletop exercise
Writing the report is probably the most difficult part of the tabletop exercise.
• Ensure the scenarios are described and include all the notes for each scenario, including candid conversations
• Include takeaways and a to-do list, as well as all associated notes
• Keep the report handy for the next time you conduct a tabletop exercise, because you will need it to verify that any required updates were made
Questions
Nadia Fahim-Koster, Director, IT Risk [email protected]
Kim Rosser, Sr. Associate, IT Risk [email protected]