7/30/2019 Craft Your Incident Response Plan (Before It's Too Late)
1/22
2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.
Cyber Incident Response
Agenda
- Introductions
- Cyber Incident Response: the process, and tips for getting it right
- Today's reality with breaches
- CSO versus CPO
- Q&A
Introductions: Today's Speakers
- Gant Redmon, GC and VP Business Development, Co3; former CPO of Arbor Networks, Inc.; General Counsel for 12 years
- Ellen Giblin, Privacy Counsel, Ashcroft Law Firm; internationally recognized expert in privacy, data breach, data protection, cyber security, and information management; Privacy Counsel at Littler Mendelson P.C.; Privacy Officer for Citizens Financial Group
Cyber Incident Response Plans
- Every company should develop a written cyber incident response plan
- Not only is it a good idea, some regulations require it
- The plan should document cyber attack scenarios and define appropriate responses
- The plan should include: response team, reporting, initial response, investigation, recovery and follow-up, public relations, law enforcement
Cyber Incident Response Team
The response team should:
- Identify and classify cyber attack scenarios
- Determine the tools and technology used to detect attacks
- Develop a checklist for handling initial investigations of cyber attacks
- Determine the scope of an internal investigation once an attack has occurred
- Conduct any investigations within the determined scope
- Address data breach issues, including notification requirements
- Conduct follow-up reviews on the effectiveness of the company's response to an actual attack
Discovery and Reporting of Cyber Incidents
Define procedures for cyber attack discovery and reporting, including:
- Team members who monitor industry practices to ensure that information systems are appropriately updated and are instrumented to allow for early discovery of attacks
- A database to track all reported incidents
- A risk rating to classify all reported incidents (e.g. low, medium, or high) and facilitate the appropriate response
Initial Response to a Cyber Attack
- Conduct a preliminary investigation to determine whether a cyber attack has occurred, following the investigation checklist set out in the cyber incident response plan
- The initial response varies depending on the type of attack and level of seriousness. However, the response team should aim to:
  - Stop the cyber intrusion from spreading further into the company's computer systems
  - Appropriately document the investigation
Investigating a Cyber Attack
- A formal internal investigation may be required depending on the level of intrusion and its impact on critical business functions
- An internal investigation allows the company to: fully understand the intrusion; improve its chances of identifying the attacker; detect previously unknown security vulnerabilities; identify required improvements to IT systems
- If the company's response team or IT department lacks the capacity or expertise to conduct an internal investigation, the company may wish to retain legal counsel and/or a cyber security consultant
Common Cyber Attack Scenarios
- Cyber attacks often fall into one or more common scenarios
- Anticipate and prepare for these common scenarios in advance and provide preliminary investigatory questions for each
- Obtaining fast and accurate answers to these questions helps shape and expedite the investigation
Recovery and Follow-Up After a Cyber Attack
Address the recovery of IT systems by both:
- Eliminating the vulnerabilities exploited by the attacker and any other identified vulnerabilities
- Bringing the repaired systems back online
Once systems are restored:
- Determine what improvements are needed to prevent similar incidents from recurring
- Evaluate how the response team executed the response plan
The Role of the CPO in a Breach
- Understand the efforts underway by security staff to plug the gaps and restore integrity
- Realize that there may be a conflict of interest
- Know how to align and satisfy all of our organization's requirements
Suggestions
- Working with Security in advance is vital; knowing where the tensions are, and what you'll do to resolve them, is key to success
- Early triage is critical to determining if PI has been exposed
- Establish executive support in advance of a breach for anything that may look contentious
- Have a clear process that coordinates activities across multiple groups to ensure an efficient organizational response
- Conduct dry runs, simulations or tabletops; they will illuminate where there are potential issues. Make sure to test out multiple scenarios
Security and Privacy: the Yin and the Yang
- CISO-driven response: cyber incidents (cyber breach, DDoS, malware, etc.). IT/Security protects the integrity and continuity of business operations
- CPO-driven response: PII exposed. Privacy protects customers and employees
- Aligning objectives: a combined response
5 Rules for Working With Your CSO
Rule #1: Know Your History
- The modern-day CSO has been around about the same amount of time as the CPO
- The CPO title came about in the mid to late 90s with the advent of GLB and HIPAA
- The CSO title (as opposed to the CISO title) arose after 9/11 with the increased focus on security
- The CPO role weakened following 9/11 but has strengthened as personal information becomes the basis of corporate value
Rule #2: Accept Your Co-Dependence
- Privacy and Security are intertwined. You can have security without privacy, but you can't have privacy without security
- You can promise not to share information, but that doesn't do much good if any hacker can just steal it
- There's no responding to a data breach if you don't know about it or you can't identify what information has been accessed
- IT is generally the real first responder. They are the ER triage of data breach response
Rule #3: Empathize with Your CSO
- CSOs stockpile data. CPOs are minimalist. Show your CSO the advantages of cleaning house: data retention policy compliance; eDiscovery advantages; less exposure if a breach occurs when there is less sensitive data available
- Follow the data. The CSO knows the flow of data within the organization. You need to work with the CSO to understand this flow and do your job
  - Once you understand the flow of data, you can compare it to the business process that drives that flow
  - With an understanding of the flow of data and the business process, you can make suggestions that take into consideration the value proposition of the use of customer data
  - Many companies see the role of CPO as driving internal process improvement
- Privacy can be an unnatural act for the CSO. The CSO is charged with protecting the perimeter, while the CPO may be asking the CSO for holes below the waterline in the perimeter for purposes of information owner inspection and verification
Rule #4: Stop Talking Privacy
- Privacy is a loaded word. It's like saying conservative or liberal. Use a word your CSO and others can rally around: call it Information Governance
- Information governance encompasses information management, security, use, and data strategy
- Information governance can refer to a lifecycle: how we create information, how we keep it safe, secure and accessible during its lifecycle, and how we thoughtfully dispose of it
- Information governance rings true with the legal department: it can refer to data retention and eDiscovery, and it positions you as a bridge between the GC and CSO. GCs didn't go to law school because of their engineering prowess. Give them a hand
Rule #5: Keep Your Head Out of the Boat
- A CSO's role is largely inward looking. They must protect corporate assets and keep the system running
- The CPO's role is outward facing because they act as the customers' and employees' advocate within the company
- Customer/client advocacy translates to corporate revenue. Ask yourself what other department uses this argument to drive change within your organization
- The CPO must be business savvy and navigate the conflicting interests of business needs, customer expectations and legal requirements
- If the CPO can prove him or herself to be an ally with management in the balancing of concerns, then that CPO will be embraced by those above
- If the CPO is embraced by the management team, the CPO is more likely to have a good working relationship with the CSO
Bonus Rule #6: Embrace Technology to Improve Processes and Efficiency
- CSOs make their career out of using software to improve process; conversations will go well if you speak their language
- CSOs can use software for breach triage as well as for escalating events to the CPO
- Using software to diagnose an event makes the outcome and action plan both objective and quantifiable. These are traits valued by both the GC and CSO
- Build a dashboard. CSOs love them as a way to stay in the loop and remain part of an incident response
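As an added illustration (not code from the deck, Co3 or Ashcroft), the following Python sketch ties together three of the slides: the incident tracking database with a low/medium/high risk rating, the CISO-driven versus combined CISO-and-CPO response once PII is exposed, and the software-driven escalation and dashboard from the bonus rule. The scoring thresholds, field names and the "CISO"/"CPO" owner labels are assumptions chosen for the example; a real plan would define its own.

```python
from dataclasses import dataclass
from enum import Enum

class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"

@dataclass(frozen=True)
class Incident:
    incident_id: str
    category: str            # e.g. "malware", "ddos", "cyber breach"
    systems_affected: int    # hosts or applications touched
    business_critical: bool  # impacts critical business functions
    pii_exposed: bool        # result of early triage (Suggestions slide)

def rate_incident(inc: Incident) -> Risk:
    # Assumed scoring rule (not from the deck): PII exposure or critical-function impact is HIGH
    if inc.pii_exposed or inc.business_critical:
        return Risk.HIGH
    if inc.systems_affected > 1:      # spread across several systems
        return Risk.MEDIUM
    return Risk.LOW

def route_incident(inc: Incident) -> tuple:
    # Yin and Yang slide: the CISO owns cyber incidents; once PII is exposed
    # the CPO joins and the response becomes a combined one.
    return ("CISO", "CPO") if inc.pii_exposed else ("CISO",)

class IncidentRegister:
    def __init__(self):
        self._rows = {}   # in-memory stand-in for the incident tracking database

    def report(self, inc: Incident) -> dict:
        # Reject duplicate ids so one event is not tracked twice
        if inc.incident_id in self._rows:
            raise ValueError(f"duplicate incident id {inc.incident_id}")
        row = {"incident": inc, "risk": rate_incident(inc), "owners": route_incident(inc)}
        self._rows[inc.incident_id] = row
        return row

    def cpo_escalations(self) -> list:
        # Incident ids the triage software must escalate to the CPO
        return [k for k, r in self._rows.items() if "CPO" in r["owners"]]

    def dashboard(self) -> dict:
        # Open incidents per risk rating, the view a CSO dashboard would show
        counts = {r.value: 0 for r in Risk}
        for r in self._rows.values():
            counts[r["risk"].value] += 1
        return counts
```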
Questions
Thanks!
Gartner: "Co3 define(s) what software packages for privacy look like."
Co3 Systems: 1 Alewife Center, Suite 450, Cambridge, MA 02140; ph: 617.206.3900; www.co3sys.com
Ashcroft Law Firm: 1100 Main Street, Suite 2710, Kansas City, MO 64105; ph: 816.285.7600; www.ashcroftgroupllc.com/law/