Request for Information

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

State of Florida

DATE DUE: SEPTEMBER 3, 2015 12 PM EST

Prepared For:
State of Florida
Department of Management Services
4050 Esplanade Way, Suite 360
Tallahassee, FL 32399-0950
Joel Atkinson
Associate Category Manager
[email protected]
TEL: 850-488-1985

Prepared By:
The Winvale Group LLC
1012 14th Street NW, Fifth Floor
Washington, DC 20005
Steven D. Young
Director
[email protected]
TEL: 202-534-1757


State of Florida  The Winvale Group 

Cyber‐Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services 

   Page 2 of 23

September 3, 2015

Joel Atkinson
State of Florida
4050 Esplanade Way, Suite 360
Tallahassee, FL 32399-0950

RE: Response to RFI - Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

Dear Mr. Atkinson:

The Winvale Group, LLC (“Winvale”) and our teaming partner Enterprise Risk Management, Inc. (“ERM”) have provided a comprehensive response for the State of Florida’s Request for Information regarding Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services. This subject matter covers many areas and can be quite comprehensive, and we have attempted to provide you with as much information as possible so you can gain a clear understanding of our capabilities. Pricing for the items noted below and our GSA Schedule 70 contract are available and can be provided upon request. We hope this information will be helpful in formulating a decision. Should you have any questions concerning this response, please do not hesitate to call me at 202-534-1757.

Sincerely,

Steven D. Young
Director
The Winvale Group LLC


GSA Schedule 70 Information

GSA Schedule 70 Number: GS-35F-0074S
Full Company Name: The Winvale Group LLC
Business Address: 1012 14th Street NW, Fifth Floor, Washington, DC 20005
Telephone: 202-296-5505
Web: www.winvale.com
Business Size based on NAICS 541511: SMALL
Cage Code: 35RS6
DUNS Number: 14-121-3871
Tax ID Number: 20-0019673

GSA Schedule 70 Number: GS-35F-0417X
Full Company Name: Enterprise Risk Management, Inc.
Business Address: 800 South Douglas Road, Suite 940N, Coral Gables, FL 33134
Telephone: 305-447-6750
Web: www.emrisk.com
Business Size based on NAICS 541611: Woman Owned Small Business, SBA Certified Small Disadvantaged Business, and SBA Certified 8(a) Firm
Cage Code: 5FDC2
DUNS Number: 31-014-4201
Tax ID Number: 65-0827427


1 Introduction

Winvale is strategically partnered with ERM to offer comprehensive Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services to the State of Florida. We can provide a direct and measurable benefit to every Florida organization and affected individual, at the lowest cost and fastest deployment, while ensuring quality and maximizing satisfaction. The solution we’ve proposed most closely meets the objectives laid out by the Federal Information Security Management Act (FISMA) and the incident response requirements detailed by US-CERT, DHS, and the Privacy Act of 1974. Winvale and ERM offer the State of Florida the unique ability to procure the best cyber-security support services available. We believe you will find that our direct experience in supporting more than 1,000 Federal and State customers with their cyber security, identity management, tracking and fraud monitoring requirements sets us far apart from all other organizations in this space. Winvale was also selected by the US Office of Personnel Management (OPM) to monitor and protect the Credit and Identity of more than 4.2 million former and current federal employees as a result of a recent data breach. We are currently supporting OPM under BPA # OPM3215A0004. With more than 25% of the affected individuals enrolled, our program is being referenced as one of the most successful in history.

2 Background

Winvale and ERM offer:

1. The Most Robust Data Breach Response Program in the World: As the exclusive provider of the CSID Platform, Winvale is able to provide the most powerful credit and identity protection services at the highest quality and lowest price to Florida. These items can be found approved on our GSA Schedule 70 under contract number GS‐35F‐0074S. Our Platform serves as the underlying technology used by 9 of the top 10 consumer data breach remediation brands domestically and more than 80% of the retail identity theft providers in the market.

2. Strict Adherence to Organizational Guidelines & Employee Privacy: Unlike consumer-oriented brands, Winvale is not a marketing company, and we adhere to strict Federal Privacy Guidelines. This means no additional marketing or solicitation will occur to these individuals without the State of Florida’s explicit request or approval – this is in stark contrast to many breach response providers that utilize breach services as a marketing / lead generation product.

3. Protect Every Affected Individual: Florida has the ability to provide identity protection and resolution services to ALL (meaning everyone, not only those individuals that explicitly take action to enroll) eligible individuals who may be affected by a data breach incident. The harsh reality ‐ that the government cannot afford ‐ is that the majority of your affected individuals will not take action to enroll because they have felt no impact from an exposure; however, if they do experience identity theft events in the future they will need help in restoring their identity and for ongoing monitoring. Winvale will service every affected individual with Full Service Identity Restoration regardless of whether they explicitly enroll in response to a notification process enacted by the State of Florida.


4. High Quality Service Delivery and Experience: We are uniquely positioned to deliver credit and identity protection services to the State of Florida due to Winvale’s past performance providing similar solutions to the Office of Personnel Management, Department of Interior, and the United States Coast Guard. Additionally, our team has significant experience in both the public and private sector when it comes to delivering solutions for breach remediation programs of any size. For the State of Florida, we firmly believe that the potential scope, specific requirements, and broad coverage of any remediation program warrant a direct partnership through which we can mitigate many of the pitfalls and hard costs associated with any scale of breach disposition and communication stream.

5. Importance of both Credit and Identity Theft Protection: Credit monitoring is an important part of our solution, but the Federal Trade Commission states that credit-based identity theft was only 17%. Our Identity Monitoring platform utilizes proprietary technology and is built to address today’s need to protect the digital fingerprint of the individual.

a. 2014 FTC Sentinel Annual Report https://www.ftc.gov/system/files/documents/reports/consumer‐sentinel‐network‐data‐book‐january‐december‐2014/sentinel‐cy2014‐1.pdf

3 Contact Information (company name, phone, email)

Winvale will act as Florida’s primary point of contact for correspondence and project management.

Winvale
Name: Steve Young
Title: Director
TEL: 202-534-1757
E-Mail: [email protected]

ERM
Name: Mike Sanchez
Title: Chief Operating Officer
TEL: 305-447-6750
E-Mail: [email protected]

 


4 Response to Section IV

4.1 Pre-Incident Services

A) Incident Response Agreements

Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.

Generally speaking, the Terms and Conditions that govern an Incident Response Agreement could be a combination of the GSA Schedule Terms and Conditions, Florida Terms and Conditions, and our standard “commercial” Terms and Conditions. However, due to organizational policy and security requirements, it may be in the best interest of all parties to negotiate Terms and Conditions that are more specific to the nature of a Cyber Security Incident. Winvale and ERM can provide specific feedback and direction; however, for the purpose of this RFI we have not included any Terms and Conditions.

B) Assessments

Evaluate a State Agency’s current state of information security and cyber-security incident response capability.

STEP I: Enterprise-wide Information Security Risk Assessment

1. ERM follows a structured methodology to evaluate a State Agency’s current state of information security and cyber‐security incident response capabilities. The first step of this methodology involves performing an enterprise‐wide information security risk assessment.

2. To ensure industry standards and best practices are followed while in the performance of a Risk Assessment, ERM references the NIST family of standards that include but are not limited to NIST SP 800‐30, NIST SP 800‐53 rev 4, ISO 27001/2 and others as appropriate to the engagement. Risk Assessments performed in conjunction with regulatory compliance follow additional evaluation parameters as required by HIPAA, GLBA, FISMA and other regulatory measures.

3. ERM employs both a qualitative and a quantitative risk assessment methodology so that the errors of judgment arising from the qualitative approach and the numerical valuation errors arising from the quantitative approach offset one another, which provides a basis that is both dependable and actionable.

4. ERM’s Risk Assessment process includes the following approach:

5. Information Asset Inventory – ERM documents and inventories the organization’s information assets and categorizes them as critical, essential, and/or normal in compliance with FIPS 199. Classifications are then mapped to the organization’s data classification scheme.

6. Threat Analysis – Threats, threat sources, events, and vulnerabilities are then identified, documented and prioritized by the likelihood of occurrence, severity of impact and risk level.


7. Controls/Safeguards Analysis – Once threats and risk levels are identified, ERM evaluates the effectiveness of existing security controls and/or safeguards in reducing the identified risk levels. Existing security controls are compared against industry configuration standards such as NIST SP 800-53A rev 4, vendor updates and other vulnerability databases for the control’s security effectiveness and proper use. The review of security controls will consider and include other information security assessments such as vulnerability assessments, penetration tests, and security configuration controls, and how these are currently used or not used in reducing the organization’s risk level. In conjunction with ERM guidance, management will then make decisions to accept the risks, reduce/mitigate the risks by developing and implementing controls, transfer the risks (obtain an insurance policy, outsource processing, etc.), and/or avoid the risks.

8. Executive Summary and Technical Report on Findings – Upon completing the assessment, ERM will deliver an official report consisting of an Executive Summary and Technical details which help senior management and stakeholders make decisions on policy, procedures, budget and system operational and management changes. The report describes the threats and vulnerabilities, measures the potential risk, and provides recommendations for remediation and security control implementations.

STEP I OUTCOMES:

1. A clear and concise snapshot of the State Agency’s risk profile vis‐à‐vis the threat landscape it faces.

2. A methodical analysis of controls, safeguards, and countermeasures that the State Agency has at its disposal in order to counteract its threat landscape.

STEP II: Cybersecurity Incident Response Capabilities Assessment

1. Incident Response Gap Analysis – ERM will study the State Agency’s incident response capabilities and maturity in depth including incident response documentation, planning efforts, technical capabilities of the incident response team members, technical sophistication of the organizational infrastructure, and budgetary allocations to incident response. ERM will then map its understanding of the organization’s incident response capabilities against the level of maturity that it deems necessary to be able to ward off incidents in a timely and efficient manner. ERM will take into consideration industry best practices as well as experience with other organizations of a similar size, structure, and industry when performing the gap analysis. ERM will also analyze the State Agency’s industry and identify the magnitude of cyber‐attack threat‐potential faced by the specific industry in the current cyber‐threat landscape.

2. Cybersecurity Incident Response Program Review – ERM will review the Cybersecurity Incident Response Program that a State Agency has in place utilizing the NIST SP 800-61 guidelines, industry best practices, and ERM’s comprehensive experience in incident response planning and mitigation. ERM will draw upon its experience of working with a vast variety of industry verticals to ensure that an all-inclusive approach is utilized. ERM utilizes this approach because a cyber-security threat seen in one industry often appears in other industries later, with a delay. It is critical to capitalize upon this delay and ensure that an organization already factors these threats into its incident response planning efforts. ERM will perform a thorough review of the program/plan, associated policies, checklists, calling trees, and procedures to ensure that they are robust and capable of protecting the organization in the event of an incident.

3. Incident Response Testing and War Games – ERM will test the State Agency’s incident response program/plan and capabilities to determine whether they will stand the test of a real cyber-attack. Two types of tests are offered by ERM:

4. Incident Response Test Scripts – ERM will conduct drills and exercises based on test scripts that ERM professionals will create. ERM will provide detailed guidance to the State Agency per test script scenario/drill and at the same time observe how the State Agency responds in a simulated, tabletop incident scenario. Upon conclusion of these drills and exercises, ERM will provide detailed feedback to the State Agency’s incident response team and document the test results for future use. If deemed necessary, ERM will propose feedback to be incorporated back into the incident response program/plan in order to improve the organization’s incident response capabilities.

5. War Games – An ERM team will simulate a real-time cyber-attack on the State Agency. Another ERM team will be a part of the State Agency’s incident response team as they attempt to ward off the live attack. Upon completion of the war game scenario, ERM will provide detailed feedback to the State Agency’s incident response team and document the test results for future use. If deemed necessary, ERM will propose feedback to be incorporated back into the incident response program/plan in order to improve the organization’s incident response capabilities.

STEP II OUTCOMES:

1. An in‐depth understanding of the State Agency’s cybersecurity incident response capabilities.

STEP III: Cybersecurity Maturity Determination

1. ERM will finally determine the cybersecurity maturity of the State Agency and classify it under one of the following maturity levels –

2. Below Par – Maturity level is below minimum‐required expectations and fails to meet legal/regulatory recommendations and/or requirements. Further, the organization will most likely be unable to respond appropriately to a cybersecurity incident.

3. Baseline – Maturity level meets minimum-required expectations and meets legal/regulatory recommendations and/or requirements. Overall, this maturity level indicates a very basic level of cybersecurity and incident response maturity. Significant improvement is required in order to survive and sustain operations after a real-world cyber-attack or incident.

4. Evolving – Maturity level meets Baseline requirements and additionally goes a few steps above and beyond the minimum-required expectations and legal/regulatory recommendations and/or requirements. Risk-driven objectives guide the organization’s information security stance, and formal chains of command, accountability, and responsibilities are in place. A real-world cyber-attack or incident could leave the organization affected, but the organization has the capabilities to revive itself, although it may miss a number of its time-based objectives (such as recovery time objectives).

5. Intermediate – Maturity level meets Evolving requirements and additionally goes several steps above and beyond the minimum‐required expectations and legal/regulatory recommendations and/or requirements. Formal and structured risk management practices, processes, and controls guide the overall information security stance of the organization. Top management support is robust, visible, and documented. Further, cybersecurity goals and objectives are integrated into the overall organizational/business strategy. A real‐world cyber‐attack or incident could cause some minor issues and hurdles for the organization but it will meet all time‐based and goal‐based objectives for recovery.

6. Advanced – Maturity level meets Intermediate requirements and additionally goes far above and beyond the minimum-required expectations and legal/regulatory recommendations and/or requirements. The organization’s cybersecurity structure is robust, with formal processes, practices, and controls guiding the overall information security stance. Formal testing of cybersecurity capabilities with successful test results is the norm. The organization employs high-end, state-of-the-art automation in meeting its risk management requirements and goals. A real-world cyber-attack or incident will likely not cause significant damage to the organization.

7. Innovative – Maturity level meets Advanced requirements and seamlessly integrates legal/regulatory recommendations and/or requirements. Furthermore, the organization innovates cybersecurity and risk management solutions and technologies in‐house as well in order to produce customized tools to bolster its information security stance. Real‐time threat information sharing is the norm and predictive analytics guide automated responses. A real‐world cyber‐attack or incident will be successfully warded off by the organization.

STEP III OUTCOMES:

1. A precise understanding of the State Agency’s information security and cybersecurity incident response maturity level.

C) Preparation

Provide guidance on requirements and best practices.

Regulatory Compliance and Cybersecurity Best Practices Guidance

1. ERM’s experience and expertise in regulatory compliance and standards is an essential highlight of what ERM brings to this project. Our knowledge is both deep and wide covering all the regulations/standards listed below –

a. GLBA
b. FACTA
c. BSA/AML
d. FISMA
e. NIST
f. HIPAA
g. HITECH
h. FERPA
i. PCI DSS
j. SOX
k. CJIS
l. FTI
m. ISO 27000
n. FedRAMP
o. COBIT
p. ITIL
q. ERM Framework

2. Our experience in each of these regulations and standards gives us the unique ability to combine information security with regulatory compliance – a meticulous process which requires keeping sight of the bigger picture of balancing highly technical information security requirements with regulatory compliance deadlines and implications, and ultimately amalgamating this under the light of organizational decision making and operational impact.

3. Further, ERM’s seventeen (17) years of experience focused solely on information security projects, spanning a very wide range of industry verticals, will ensure that the guidance you get will be all-encompassing, comprehensive, and accurate.

D) Developing Cyber-Security Incident Response Plans

Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.

Data Breach Response Program/Plan Development

1. Organizations should be in compliance with all of the various IT regulatory standards in order to best protect employees, clients, customers, and themselves from the exponentially increasing trend of severely damaging data breaches. In order to help State Agencies comply with regulatory requirements such as those of the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347, ERM uses the NIST SP 800-61 rev 2 standard for developing Cyber Incident Response Plans (CIRPs), which is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems. The program developed between ERM and the State Agency will meet Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, which specifies minimum security requirements for Federal information and information systems, including incident response. The plan will also use, but not be limited to, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, which provides guidance on reporting security incidents that involve PII.


2. In order to establish an organization’s incident response capability, an incident response policy, plan, and procedures for performing various types of responses need to be created. Depending on the type of entity, its size, its needs, and a number of other circumstances, there is no generic CIRP that would fit all conditions. Rather, the CIRP must be made specifically for the organization, taking into account numerous factors such as the organization’s IR policy, applicable laws, size, technical capability of staff, team structure, resources at hand, etc.

3. There are various key elements that occur in most policies, plans, and procedures. Along with CIRP development, proper mitigation tactics should be considered in order to prevent these attacks. This includes network, system, and application assessments; training and testing of all staff on how to detect signs of breaches; and having proper system administration, network administration, programming, and technical support expertise on hand.

4. The CIRP will address the following aspects, although these will vary in size and content depending on the organization:

Roles and Responsibilities to Coordinate the CIRP Effort – Incident Response Team(s) as well as their roles, responsibilities, and services for before, during and after events will be defined. An assessment of current versus needed competencies will be performed. The assessment will also indicate what type of training, if any, is needed to bring competencies up to the desired model. Other groups within the organization will be identified, including management, information assurance, IT support, legal, public affairs, human resources, facilities management, and outside resources who may be able to provide their expertise, judgment, and abilities to assist in the response. Communication standards within the organization will also be developed.

Events/Incidents Classification, Prioritization, and Communication – When an incident is detected, a number of actions should follow to ensure proper mitigation. After potential events are identified, they are then classified to include the specification of what type of event/incident must be reported and the specific courses of action as prescribed by applicable regulation and/or law. In addition, guidelines will be written for prioritizing/ranking the severity of organization-specific incidents such that a timely and appropriate response is made, limiting damage and downtime for the organization. Lastly, the communication and necessary escalation processes for non-responsive individuals will be developed to ensure timely notification to the appropriate parties, such as upper management, law enforcement, and outside resources.


Containment, Eradication, and Recovery – This will provide detailed steps for responding to various types of incidents, including how to contain/eliminate the threat, recover the systems, and preserve evidence in a manner that does not compromise the breach investigation. This includes how to handle incidents that use common attack vectors such as external/removable media, attrition, web, email, improper usage, loss or theft of equipment and other attacks/incidents. This section will also specify when a forensic investigation is required and the proper process for evidence collection and documentation, including the type of storage media that will house the information.

Sharing Information with Outside Parties – For the vast majority of incidents, the organization will need to communicate with outside parties in some fashion or another. This section will detail how to manage communication with third parties such as media, vendors, other responders, customers, and stakeholders. Additionally, it will specify when law enforcement should be contacted and provide the contact information of the relevant law enforcement agencies.

Notification and Reporting – This section will detail the organization’s process for compliance with notification and reporting requirements pertaining to affected persons, agencies, and authorities. Additionally, this section will address requirements to mitigate risk to affected persons, such as the provision of credit-monitoring services. These requirements vary by type of incident, state, and country. Additionally, Federal agencies must comply with the recommendations of OMB Memorandum M-07-16.

Incident Documentation – This section will detail how incident cases need to be documented, and documentation templates will be provided. This includes Chain of Custody and other specialized incident response / forensics forms.

Post-Incident Activity – One of the most critical elements of a CIRP is conducting a post-incident exercise. During this part of the process, the CIRP team must explain and report what they have learned during the investigation. Additionally, as necessary, they need to specify what areas of the CIRP and the organization as a whole must be improved as a result of the incident. ERM will detail how this meeting should be conducted as well as documented.

Testing the CIRP – Once a year, ERM will perform a test of the CIRP and all associated documents to evaluate the Plan’s effectiveness and accuracy, identify areas for improvement, and implement necessary updates.

 


E) Training

Provide training for State Agency staff from basic user awareness to technical education.

Information Security Awareness Training

1. People have long been referred to as the weakest link in information security. Your people don’t have to be! The fundamental problem with existing security awareness products, programs, and training offerings in the market today is that employees often complain that they are boring and not engaging.

2. ERM has devised a unique method of security awareness training to change the way security awareness training is done. ERM believes that the modern‐day employee is like a customer who needs to be “sold” the concept of security awareness in an engaging and involving manner. If employees taking security awareness training are convinced and feel a sense of ownership, they then become the “human firewalls” who will protect their organization.

Whiteboard Animation Security Awareness Videos

1. ERM’s whiteboard animation security awareness videos are an innovative alternative to otherwise boring security awareness training products available in the market today. One of the things arguably all of us learned as children was to pick up a pencil and draw – and did we not enjoy that!

2. ERM uses the whiteboard animation technique to drive points home about information security prudence, responsible behavior, and overall information security awareness on issues and topics that employees may not be aware of. Our whiteboard animation videos are perfect even for employees who are in a position of authority and decision‐making such as Senior Management Team Members. The videos are short (no more than 4‐5 minutes each) and so they’re great in terms of retaining attention while at the same time driving the point home effectively.

3. To take a look at what we’re really talking about, you can view some example videos at www.emrisk.com/videos where you will find whiteboard animation videos from our security awareness drive. Additional actual awareness videos created for clients can be shared as well upon request. Customized videos bear the look‐and‐feel, culture, and overall character of an organization and so can garner greater involvement and engagement from employees.


Security Awareness Newsletters

1. ERM’s team of experts will create monthly or weekly newsletters for clients who wish to provide these to employees as part of a comprehensive security awareness drive. Readers of ERM’s whitepapers, articles, and newsletters will know that they are engaging in nature and make an interesting read. Our goal in creating these newsletters is to provide employees a very short one‐page newsletter highlighting security issues, hot topics, current affairs, precautions, and pretty much anything under the sun that is critical to know given the most current cyber‐security threat landscape. The short, engaging, and informal tone of these newsletters will ensure that employees look forward to reading these and gaining security awareness insights from them.

On‐Site Live Training

1. ERM also provides live training seminars to audiences of all sizes and compositions. Topics for such training sessions are agreed in conjunction with the organization’s management and decision makers. These training sessions are not typical and will include games like passing the parcel and quiz competitions to make them engaging, fun, and interesting.

Incident Response Training

1. In addition to information security awareness training, ERM also provides incident response training and conducts awareness efforts directed at organizational employees, both technical and non‐technical, in order to help them understand how to recognize anomalous behavior, escalation procedures and mechanisms, calling trees, and specific legal and organizational reporting requirements for suspected/potential security breaches. Results from drills, exercises, and war games can be tied back into these awareness efforts.

4.2 Post‐Incident Services:  

A) Breach Services Toll‐free Hotline 

Provide a scalable, resilient call center for incident response information to State Agencies.

Full‐Service Identity Restoration – Winvale will provide a scalable, resilient, domestic call center(s) with a unique toll‐free number to access our Customer Service/Fraud Resolution Representative to assist affected individuals with enrollment, program/product questions, and problems associated with fraud and identity theft. If the affected individual is outside the US, we have the ability to accept international and collect calls. Winvale will provide a certified identity theft restoration specialist to all eligible individuals affected by a breach event, regardless of whether they explicitly enroll in a proactive identity monitoring service. For individuals who become a victim of identity theft, we provide a full‐service team of Certified Identity Theft Restoration Management Specialists to restore the affected individual’s identity to a pre‐victim status. Through a Limited Power of Attorney (LPOA), a Restoration Specialist is able to work on the individual’s behalf, saving them time and effort and sparing them the need for experience in working with lenders, bureaus, state and county courts, etc. The result is a fundamentally full‐service approach for our activated persons, one that saves more than 300 hours of time for the average victim of identity theft. Our identity theft restoration specialists are Fair Credit Reporting Act (FCRA) certified and Fair and Accurate Credit Transactions Act (FACTA) certified by the Consumer Data Industry Association. They are also certified by The Institute of Fraud Risk Management as Certified Identity Theft Risk Management Specialists. Our team’s Director of Member Services is a Certified Call Center Professional from Purdue University's College of Call Center Excellence.

B) Investigation/Clean‐up 

Conduct rapid evaluation of incidents, lead investigations, and provide remediation services to restore State Agency operations to pre‐incident levels.

GOAL 1: To conduct rapid evaluation of incidents, lead investigations, and provide remediation services to restore State Agency operations to pre‐incident levels.

ERM creates and maintains procedures and guidelines for performing forensic tasks, based on ERM’s policies and all applicable laws and regulations. This forensic process adheres to and complies with the NIST SP 800‐86 standard and is summarized below. In the event of a data breach incident or cyber security attack, ERM security consultants will implement the following generalized steps, working alongside designated State Agency personnel:

Pre‐Investigation:

1. Team Activation – ERM has designated roles and responsibilities to their IT Professionals for various circumstances, although each case may require addition or modification of these roles and personnel, even during the forensic process. If necessary, ERM will activate a central Critical Incident Response Program team and distribute CIRP teams to provide assistance from distant locations, guided by ERM’s and the affected organization’s CIRP. ERM will help identify specific technical resources and secure storage facilities required to respond to the incident. ERM will identify methods of communication and issue‐tracking for team members.

2. Containment Strategy – Depending on the nature of the incident, ERM will propose a method to contain the incident before it overwhelms resources, compromises evidence, or increases damage. If the organization has already performed incident response, ERM may, depending on the case, have to verify using various forensic techniques that the threats have been completely removed. This will be accomplished in a manner such that the scene is disturbed as little as possible. If the scene or evidence must be changed for preservation or for safety, all details will be formally documented, such as when it was changed, who performed the change, and why it was performed.


3. Legal Framework & Compliance – As information emerges pertaining to the nature and scope of the breach, ERM consultants will work with designated counsel to ensure the response is guided within the framework of all applicable rules, regulations, and laws. If additional information is discovered during the forensics process that requires legal attention, this will be reported and parties will be contacted as necessary.

4. Documentation – ERM has established protocols to ensure that each team member is documenting events, steps, and evidence properly (e.g. time‐stamping and signing documents) and reporting them to a central incident handler. Chain of custody documents, evidence lists, and other procedures will be implemented and enforced. In preparation to comply with notification and reporting requirements, a key focus will be on developing a detailed database of affected persons, along with what types of information were compromised for each. All other evidence and information found at the scene will be forensically documented accordingly. ERM forensic experts will maintain detailed documentation throughout the entire investigation process. This includes all steps used for the investigation, all tools used, all commands performed on datasets, etc. A metric for the success of the documentation is that, if the report were given to another investigator, they would produce exactly the same evidence and analysis as the original investigator. This keeps the process forensically sound and able to be presented in a court of law with minimal opposition.

5. Incident Detection & Analysis – ERM will verify the nature and scope of the breach. Evidence gathering and handling protocols will adhere to practices and standards required in legal proceedings. This includes storage of sensitive information in secure locations, both physically and on our internal, secure servers and storage media. Because incidents can occur in countless ways, it is not feasible to develop step‐by‐step instructions for every event. In fact, many steps may need to be repeated or rearranged when new information is discovered. ERM’s forensic methods and procedures include:

Collection:

1. Evidence Identification ‐ During this phase, the forensic examiner will acquire as much information about the case as possible, prior to taking any action. The examiner will determine all sources of evidence/information, how to forensically acquire them, help determine what items may impede the investigation, prepare the forensics team’s plan of action, and brief all parties and teams on their roles and planned events. Various factors determine the order of collection, or even whether collection is necessary, such as likely value, volatility, and resources required. Four major data sources are files, operating systems, network traffic, and applications, although this information can reside in many different states on many different devices. If any anti‐forensics methods are suspected, these will be dealt with accordingly. All identification and collection procedures adhere to NIST standards.

2. Evidence Acquisition and Collection ‐ During this phase, the forensic examiner will proceed with steps addressing the forensic collection of the original evidence, the documentation and preservation of the collected evidence, and the secure storage and safeguarding of all evidence. All evidence is collected in a way that supports its use in future legal or internal disciplinary proceedings. Chain of custody records, paper or electronic, are extremely important, as they are used to prove unbroken control of evidence from seizure to court to destruction/release. Opposing parties often use the chain of custody to challenge seized evidence, weakening or eliminating it from consideration at trial. The chain of custody will need to apply to original, copied, and derivative evidence. ERM experts will maintain chain of custody documentation coupled with hash values of the imaged data to ensure that the integrity of the data is always intact and can be proven as such in a court of law. A hash value of the image is used to verify the integrity of the data ‐ that the image is indeed an exact copy of the original evidence. At the end of the analysis stage, the forensic expert attempts to create a timeline of events that can serve as a foundation for the investigation.
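The collection points above (hashing the acquired image, then proving unbroken custody by re‐hashing at every hand‐off) as an added Python example; this is not part of the RFI response and not ERM's or Winvale's tooling. The image bytes, item id, examiner names and timestamps are constructed.

```python
"""Evidence-image integrity checks tied to a chain-of-custody log.

Added illustration, not ERM's or Winvale's tooling. The "image" here is a
constructed byte string; a real acquisition would stream a disk or memory
capture from a write-blocked source through the same hashing loop.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images need not fit in RAM


def hash_image(image: bytes) -> str:
    """SHA-256 of an evidence image, computed chunk by chunk."""
    h = hashlib.sha256()
    for offset in range(0, len(image), CHUNK):
        h.update(image[offset:offset + CHUNK])
    return h.hexdigest()


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 UTC timestamp of the hand-off
    action: str      # acquired / transferred / verified / released
    custodian: str   # who holds the evidence after this action
    sha256: str      # hash observed at this hand-off
    intact: bool     # observed hash == hash recorded at acquisition


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    custody: List[CustodyEntry] = field(default_factory=list)

    def record(self, action: str, custodian: str, image: bytes,
               when: Optional[str] = None) -> CustodyEntry:
        """Re-hash the image at every hand-off; a mismatch is logged, never hidden."""
        observed = hash_image(image)
        entry = CustodyEntry(
            when=when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            action=action,
            custodian=custodian,
            sha256=observed,
            intact=(observed == self.acquisition_hash),
        )
        self.custody.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """True only if every hand-off reproduced the acquisition hash."""
        return bool(self.custody) and all(e.intact for e in self.custody)

    def first_break(self) -> Optional[CustodyEntry]:
        """The earliest hand-off at which integrity could no longer be shown."""
        return next((e for e in self.custody if not e.intact), None)


def acquire(item_id: str, description: str, image: bytes,
            examiner: str, when: Optional[str] = None) -> EvidenceItem:
    """Acquisition: hash the original once; that value anchors every later check."""
    item = EvidenceItem(item_id, description, hash_image(image))
    item.record("acquired", examiner, image, when)
    return item


def demo() -> EvidenceItem:
    """Constructed scenario: one clean transfer, then a copy altered by one bit."""
    original = b"constructed disk image bytes " * 4096
    item = acquire("EV-001", "laptop SSD, constructed sample", original,
                   "examiner A", "2015-09-03T12:00:00+00:00")
    item.record("transferred", "examiner B", original, "2015-09-03T13:00:00+00:00")
    altered = bytearray(original)
    altered[100] ^= 0x01                 # a single flipped bit breaks the match
    item.record("verified", "examiner B", bytes(altered), "2015-09-04T09:00:00+00:00")
    return item


if __name__ == "__main__":
    ev = demo()
    for e in ev.custody:
        print(e.when, e.action, e.custodian, "OK" if e.intact else "MISMATCH")
    print("chain intact:", ev.chain_intact())
```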

Examination/Analysis:

1. Examination Design – ERM resources will create a proper examination design plan that will include the examination goal statement, individual roles, tool selection criteria, reference to procedures on application of toolsets, the data selection/rejection criteria, and the format of outputs and related conventions. During the examination design, the examiner will determine where and how to look for the criteria items within the evidence. Additionally, the examiner will select proper tools and decide on the data harvesting techniques that will be utilized for the particular case. Proper revision process on the results and comparison to the original goals will be included.

2. Examination and Analysis Execution – ERM will proceed with the examination and analysis on a forensic copy of the evidence using various approved tools and techniques. These are described in more detail in the NIST 800‐86 standards document, although the process will include the following steps:

a. Data recovery – Steps are taken to find any latent information and restore its context. This includes “data carving”, bypassing passwords and anti‐forensics measures, etc., in order to help determine information about the breach.

b. Data reduction – eliminates proven non‐significant data from analysis.

c. Data identification – proceeds with finding data that meets the scope criteria.

d. Data search – performs relative string searches on identified data sets and other methods of finding specific pieces of data.

e. Reconstruction – proceeds with reconstructing key elements such as actual timeline retrieval and analysis, any log file correlations, and any additional or supplemental layer analysis.

f. Content analysis – proceeds with analyzing any other content that relates to the case. The digital forensics expert analyzes the evidence in a legally justifiable manner to determine the sequence of events, causes of the breach, probability and risk associated with breached information, and any other information useful to the case. The analyst will use the circumstances surrounding the breach and the evidence collected to help determine whether the breach was incidental, accidental, or targeted.

g. Field Investigation – This step involves investigative work to address the non‐technical aspects of the investigation. ERM’s experienced data breach investigators coordinate with the technical team and appropriate agency personnel to identify procedural and/or criminal activity that led to the incident. This work involves techniques including, but not limited to, background investigations, interviews, and physical evidence acquisition and examination. The effort is typically coordinated with Human Resources, Legal Counsel, and Security as necessary. These parties consult to identify whether the incident should or must be reported to law enforcement or others. ERM can coordinate with local, state, and federal authorities as necessary.
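Steps b through e above, as an added Python example that is not the proposal's or ERM's own tooling: it reduces a constructed file set by known‐good hashes, scopes by time window, searches, and rebuilds a single UTC timeline from a local‐time host log and a UTC proxy log. All paths, file contents, log lines, the reference hash set and the UTC‐4 host clock are constructed assumptions.

```python
"""Examination steps on a constructed evidence set (added illustration; not
ERM's own tooling). Models the sub-steps named above: data reduction by
known-file hashes, identification by scope criteria, string search, and
timeline reconstruction that correlates two log sources with different clocks.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

UTC = timezone.utc
WIN_TZ = timezone(timedelta(hours=-4))  # constructed host logs in local time (UTC-4)

# Constructed file evidence: (path, content, modification time in UTC).
FILES: List[Tuple[str, bytes, str]] = [
    ("C:/Windows/System32/kernel32.dll", b"KERNEL32-STUB", "2015-06-01T10:00:00"),
    ("C:/Users/jdoe/Downloads/invoice.exe", b"MZ-invoice-dropper", "2015-08-20T14:02:11"),
    ("C:/Users/jdoe/AppData/Roaming/upd.dll", b"MZ-upd-beacon", "2015-08-20T14:03:40"),
    ("C:/Users/jdoe/Documents/report.docx", b"PK-report", "2015-07-15T09:12:00"),
]
# Constructed reference set of known-good file hashes (NSRL-style).
KNOWN_GOOD = {hashlib.sha256(b"KERNEL32-STUB").hexdigest()}

# Two constructed log sources with different timestamp conventions.
WIN_EVENTS = [
    "2015-08-20 10:02:15 EventID=4688 NewProcess=C:\\Users\\jdoe\\Downloads\\invoice.exe",
    "2015-08-20 10:03:42 EventID=7045 ServiceName=upd ImagePath=C:\\Users\\jdoe\\AppData\\Roaming\\upd.dll",
]
PROXY_LOG = [
    "2015-08-20T14:04:01Z 10.0.0.23 CONNECT beacon.example.invalid:443 200",
]

Event = Tuple[datetime, str, str]  # (UTC time, source, description)


def reduce_known_good(files):
    """Step b: drop files whose hash matches the known-good reference set."""
    return [f for f in files if hashlib.sha256(f[1]).hexdigest() not in KNOWN_GOOD]


def identify_in_scope(files, start: str, end: str):
    """Step c: keep files modified inside the incident window (UTC, inclusive)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [f for f in files if lo <= datetime.fromisoformat(f[2]) <= hi]


def search(files, pattern: str):
    """Step d: case-insensitive string search over path and content."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [f[0] for f in files
            if rx.search(f[0]) or rx.search(f[1].decode("latin-1"))]


def _win_event(line: str) -> Event:
    """Host log lines carry local time; normalise them to UTC before merging."""
    stamp, rest = line[:19], line[20:]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WIN_TZ)
    return (local.astimezone(UTC), "winlog", rest)


def _proxy_event(line: str) -> Event:
    """Proxy log lines are already UTC (trailing Z)."""
    stamp, rest = line.split(" ", 1)
    t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return (t, "proxy", rest)


def reconstruct_timeline(files, win_events, proxy_log) -> List[Event]:
    """Step e: merge file times and both logs into one UTC-ordered timeline."""
    events: List[Event] = [
        (datetime.fromisoformat(f[2]).replace(tzinfo=UTC), "file", f"mtime {f[0]}")
        for f in files
    ]
    events += [_win_event(line) for line in win_events]
    events += [_proxy_event(line) for line in proxy_log]
    return sorted(events, key=lambda e: e[0])


def examine() -> List[Event]:
    """Run steps b-e over the constructed set; returns the ordered timeline."""
    candidates = reduce_known_good(FILES)
    in_scope = identify_in_scope(candidates, "2015-08-20T00:00:00", "2015-08-20T23:59:59")
    return reconstruct_timeline(in_scope, WIN_EVENTS, PROXY_LOG)


if __name__ == "__main__":
    for t, src, desc in examine():
        print(t.isoformat(), src.ljust(6), desc)
```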

C) Incident response 

Provide guidance or technical staff to assist State Agencies in response to an incident.

GOAL 1: To provide guidance or technical staff to assist State Agencies in response to an incident.

Reporting ‐ Upon completion of the analysis, ERM will use a detailed documentation methodology that is followed by standard industry practitioners. ERM will manage resources and adjust accordingly to fit any time limits stated. The report can be tailored to various types of audiences and formats, although a full report, suitable for a court of law, will be produced. Reports provided to the ordering agency will include aggregate information about responses so that the ordering agency can address the media and present to other agencies as needed. ERM will prepare a formal and final report summarizing the findings. Furthermore, the findings will be presented to management in a formal presentation if deemed necessary. The report will be considered a legal document and will be clear, concise, and logical, providing the results of the forensic exam from a summary perspective. The report will include annotations of significant steps and outcomes and provide pertinent output. The report will also contain: a narrative of events; the date, time, and location of the incident; the type of information that was lost or compromised; an assessment of the likelihood that the information was compromised or lost, with reasons; the likelihood that the compromised information can be recovered; information on the persons involved, including victims, contractors, witnesses, and potential attackers; the actions that need to follow the incident; the cause of the incident; how to mitigate the current breach; and recommendations for preventing future breaches. If a definitive conclusion cannot be reached based on the evidence provided, various plausible scenarios will be provided.

As part of the reporting process, analysts will identify any problems that may need to be remedied, such as policy shortcomings or procedural errors. Analysts will take steps to maintain and grow their current skills, including staying aware of technological changes that may affect the forensics discipline. Based on the breached data, ERM’s partner, CSID, will look for evidence of organized misuse as it is imported into their system.

Sanitation ‐ Upon completion of the case, or when instructed to do so, ERM will forensically sanitize all data from all storage devices, thus eliminating any chance of misuse. This process will be formally documented. Hash values of all collected evidence and sub‐evidence will be retained so as to maintain the chain of custody; this data does not contain any user information.


D) Mitigation Plans 

Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.

GOAL: To assist State Agency staff in development of mitigation plans based on investigation and incident response and to assist State Agency staff with incident mitigation activities.

Real‐Time Incident Response

1. ERM’s rapid responders are available to ward off live security incidents whether the requirement is on‐site or remote. Our rapid responders will expeditiously analyze the level of threat and assess the potential risks faced by the State Agency from the ongoing cyber‐attack. ERM’s rapid responders will then quickly commence incident containment efforts in order to ensure that the current risk from the incident is contained and that the potential residual risk is minimized. Containment provides time for developing a tailored remediation and eradication strategy. ERM will then move towards implementing this remediation and eradication strategy.

2. ERM’s forensic experts will perform detailed, ongoing and post‐incident digital forensic analyses and examinations on incident‐impacted networks, servers, hard‐drives, devices, and any other impacted media capable of holding information (including mobile devices and printers). ERM will also perform a detailed data flow inquiry to identify what other areas of the organization’s technical infrastructure may have been impacted by the incident or may be the next potential target(s). ERM’s forensic experts will ensure that all forensic evidence is gathered with a meticulous chain of custody and diligent documentation such that these can be presented in a court of law if needed. Gathered and carefully preserved digital evidence will also be utilized for future forensic analysis if needed. ERM will also perform comprehensive forensic analyses to determine the cause of the incident, the possible perpetrators, data recovered, and data lost.

Remediation and Mitigation

1. Incident Evaluation – ERM will evaluate all the information collected during the incident response process to identify areas of security weaknesses of the organization that permitted the incident to occur.

2. Incident Remediation – ERM consultants will develop a remediation plan which will include comprehensive security tests within the organization to reveal deeper security problems that need to be addressed. The assessment will include security configuration reviews, vulnerability testing, penetration testing, web application security assessment, social engineering experiments, among others.

3. Security Remediation Plan – ERM consultants will combine the findings of the incident response investigation and the comprehensive security assessments to create a security remediation plan. The plan will address different areas such as additional hardware, software, logical control implementations, physical security, policies, procedures and security training and awareness programs.


4. Security Remediation Implementation – ERM consultants will assist the organization with the remediation and implementation of the necessary security measures that will correct existing problems and mitigate other potential future security issues.

Regulatory Compliance

1. A wide variety of regulations and standards, such as the Gramm‐Leach‐Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes‐Oxley Act (SOX), the Critical Infrastructure Protection (CIP) guidelines, the Payment Card Industry Data Security Standard (PCI DSS), FISMA/FedRAMP, the ISO 17799/27002 standard, and CoBIT, to name a few, either directly or indirectly require that organizations maintain a robust incident response capability that is regularly reviewed, kept up‐to‐date, and tested on an ongoing basis with documented results. ERM will work with the State Agency to guide key personnel on how to comply with regulatory requirements and facilitate a regulator audit as it relates to the incident response domain, and on how to utilize and connect artifacts from various departments in order to provide the regulator with a concise and organized view of the organization’s incident response capabilities.

2. In addition, ERM will also help the State Agency in planning, drafting, and facilitating documents that can help the client organization comply with the notification requirements of various Federal and State laws such that in the event of customer information disclosure, the State Agency can leverage these documents to notify customers, applicable law enforcement agencies, and other key stakeholders. ERM will also guide the State Agency’s internal team on the who, what, when, how, why, and where of incident notification.

Operational Assistance

A critical component of incident response is the non‐technical aspect. Every security incident brings with it several potential liabilities, legal obligations, notification requirements, key stakeholder communications, and operational logistics. ERM’s team will work with the State Agency in facilitating each of these aspects and ensuring a smooth transition from incident to post‐incident and from post‐incident to normal operations. ERM ensures immaculate handling of incidents at an operational level in order to ensure that the monetary impact of an incident, both actual and potential, is minimized.

Expert Witness and Court Testimony

ERM’s experts will be available to the State Agency in the event that the State Agency needs ERM to provide expert witness testimony and formally present forensic evidence in a court of law.

Post‐Incident Response

ERM will facilitate a “lessons learned” meeting with all key stakeholders in the incident response chain as well as top management. These meetings may be held periodically after the incident if the client wishes. ERM will also adjust the incident response program, policies, and procedures to incorporate the lessons learned.


E) Identity Monitoring, Protection, and Restoration 

Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cyber‐security incident.

Enrollment and assessment method

1. By a unique and secure web domain and/or by US Mail.

2. Winvale can provide the government with mail notification templates that outline the privacy event, the products and services offered, product enrollment methods, the enrollment time frame, and a unique 1‐800 number affected members can call to access identity restoration services. We utilize an enterprise‐level email marketing platform that is capable of sending thousands of email messages per hour as well as managing and tracking read receipts. The platform has pre‐established data breach notification emails, prepared by our general counsel, into which we can incorporate State of Florida‐approved language on Government letterhead. We can also provide enrollment by US Mail to affected individuals, which features a Rapid Deployment Hub, an internal Mailroom for ingestion and data capture, LiveData Retrieval Solutions, and National Change of Address (NCOA) database research.

Single Bureau or Tri‐Bureau Credit Report Access and Monitoring

1. Perform credit file authentication of identity of the individuals enrolling in the Services. This includes a series of "out of wallet" questions only the owner of the identity can complete. To notify the individual of suspicious activity or changes to their credit file on one or all three credit bureaus, to include the opening of credit accounts, credit inquiries, name and/or address changes.

2. Winvale/CSID can provide access to Single and Tri bureau credit reports and monitoring alerts for the affected individual, on a daily basis, regarding bankruptcy petitions, liens and judgments, derogatory comments, new credit accounts, credit inquiries, and similar related activity, optimized to deliver alerts that are indicators of fraud or identity theft.

Social Security Number Monitoring

1. To notify the individual of suspicious activity on their social security number.

2. A Social Security number is one of the primary elements stolen by identity thieves. Winvale provides notification of all current and new names and aliases associated with an SSN. Detection of both synthetic identity fraud and true name identity fraud is included in the report, as well as a mapped view providing the individual with the location of all identities.

CyberAgent® Internet Surveillance

1. To notify the individual of suspicious activity linked to their online accounts.

2. Automated monitoring of public and private criminal Internet properties, with alerts if the affected individual’s information is being illegally traded or sold online within the Dark Web, including SSNs, bank accounts, email addresses, medical ID numbers, driver’s license numbers, passport numbers, credit and debit cards, phone numbers, and other unique identifiers.

PayDay Loan Monitoring (non‐credit)

1. To notify the individual of fraudulent short‐term loans taken out under their name.

2. Monitors short‐term, high‐interest payday loans that do not require credit inquiries to alert an individual if any of these quick cash loans have been taken out in their name.

Court, Criminal, and Probation Records Monitoring

1. To notify the individual of fraudulent public records under their name.

2. Monitors Court, Criminal, and Probation Records to alert an individual to any Court Records associated with their identity.

Arrest and Bookings Alerts

1. To notify the individual of fraudulent arrest records under their name.

2. Monitors for criminal arrests and bookings reported by law enforcement that match an individual’s identity.

Change of Address Monitoring

1. To notify the individual of fraudulent mailing addresses registered to their name.

2. Monitors the National Change of Address database to alert an individual if someone has rerouted their mail.

Sex Offender Monitoring

1. To notify the individual if a registered sex offender has registered under their name.

2. Monitors the sex offender registries to alert an individual if a Sex Offender has falsely registered using their personal information, including name and address.

Social Network Monitoring

1. To notify the individual of objectionable content associated with their social network accounts.

2. Monitors the privacy settings for social networks to alert of exposure of sensitive information, as well as proactive monitoring of social network content associated with the individual that may be objectionable or damaging.

Identity Theft Insurance

The Winvale/CSID Platform provides the most comprehensive Identity Theft Insurance policy available. The policy will reimburse affected individuals for expenses associated with restoring their identity should they become a victim of identity theft. If a Covered Person’s identity is compromised, insurance coverage provides for up to $1,000,000, with $0 deductible, from an A.M. Best “A‐rated” carrier, subject to the terms of the policy.