The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk

Book Description

Based on proven, rock-solid computer incident response plans

The Computer Incident Response Planning Handbook is derived from real-world incident response plans that work and have survived audits and repeated execution during data breaches and due diligence. The book provides an overview of attack and breach types, strategies for assessing an organization, types of plans, and case examples. Tips for keeping data contained, reputations defended, and recognizing and handling the magnitude of any given threat are included.

The Computer Incident Response Planning Handbook

• Contains ready-to-implement incident response plans with guidelines for ongoing due diligence, all based on actual, working, and tested CIRPs

• Prepares you to immediately build a CIRP for any organization, and keep that plan maintained

• Explains all the essentials involved in developing both data breach and malware outbreak CIRPs derived from tested incident response plans that have survived the rigors of repeated execution

• Clearly explains how to minimize the risk of post-event litigation, brand impact, fines and penalties—and how to protect shareholder value

• Supports corporate compliance with industry standards and requirements like PCI, HIPAA, SOX, CA SB-1386

• All plans derived from the book are technology-agnostic

• Provides supplementary reading to professionals studying for the CERT Certified Computer Security Incident Handler exam or the SANS/GIAC Certified Incident Handler exam (GCIH)

In-depth coverage:

The Latest Cyber Attacks and How They Are Business Killers; The Nebulous Standard of Cyber Due Diligence & The New Era of Information Risk; Introduction to Planning & Crisis; A Plan Is Preparation Manifested; Getting More Out of Your Plans; Developing a Data Breach CIRP – Incident Preparation, Plan Execution, and Post-incident Planning; Developing a Malware Outbreak CIRP – Incident Preparation, Plan Execution, and Post-incident Planning; References

Table of Contents

  1. Cover
  2. About the Author
  3. Copyright
  4. Contents
  5. Acknowledgments
  6. Introduction
  7. Part I The Threat Landscape
    1. Chapter 1 Introduction to Planning and Crisis
      1. The Absence of Planning
      2. Key Concepts
        1. The OODA Loop
        2. Fog of War
        3. Friction
        4. Center of Gravity
        5. Unity of Command
        6. Maintaining the Initiative
        7. Tactical, Operational, and Strategic Perspectives
        8. Requirements-Driven Execution
        9. End State
        10. Military Decision-Making Process
      3. A Plan Is Preparation Manifested
        1. Anticipation: Objectives and Requirements
        2. Collaboration: Socialization and Normalization
        3. Research: The Availability of Relevant Information
        4. The Ad Hoc Organization for Time of Crisis
        5. The Value of Documentation
    2. Chapter 2 Cyber Due Diligence in an Era of Information Risk
      1. Regulation
        1. Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999)
        2. The Health Insurance Portability and Accountability Act of 1996
        3. Sarbanes-Oxley Act of 2002
        4. State Breach Requirements
        5. Industry Standards
        6. Federal/State Enforcement
        7. Contractual Enforcement
      2. What Standards?
        1. ISO/IEC 27000 Series
        2. FFIEC
        3. PCI DSS
        4. Service Organization Controls
        5. Shared Assessments
      3. How Do I Know that I’m Doing the Right Thing?
        1. Independent Review
        2. Internal Audit
        3. Tabletop Exercises
      4. How Do I Keep It Up?
        1. COBIT
        2. ISO/IEC 27005 (Information Security Risk Management)
        3. ITIL
      5. Bringing It Together
        1. Top-Down Approval
        2. Values
        3. Policies
        4. Ownership
        5. Procedures and Controls
        6. Measurement and Monitoring
        7. Education
        8. Calendar for Testing Processes and Controls
        9. Independent Review
        10. Internal Oversight
  8. Part II Planning for Crisis
    1. Chapter 3 Getting More Out of Your Plans
      1. Proactively Using Plans During Period of Heightened Risk
      2. Understanding How Your ISOC Works
      3. Building Relationships Outside of IT
      4. Leveraging Your CIRP to Develop Relationships with Law Enforcement
      5. Using Plans to Augment Your Current ERM Efforts
    2. Chapter 4 Writing Your Computer Incident Response Plan
      1. What Problem Are You Solving?
      2. Don’t Bother if You Don’t Have an Executive Sponsor
      3. Using an Advisory Committee: My Plan vs. Our Plan
      4. Understanding Your Audiences
      5. Leveraging the Table of Contents
      6. Plan Introduction
      7. Incident Preparation
      8. Incident Detection, Analysis, and Declaration
      9. Incident Response
      10. Plan Maintenance/Post Incident
      11. Development of an Ad Hoc Organization to Respond to Crisis
  9. Part III Plan Development: Data Breach
    1. Chapter 5 Your Data Breach CIRP: Incident Preparation
      1. Foreword
      2. Plan Introduction
        1. Plan Objective
        2. Plan Scope and Assumptions
      3. Plan Execution and Command Topologies
      4. Plan Structure
        1. Updating and Synchronization
      5. Incident Preparation
        1. Statutory/Compliance Framework
      6. Sensitive Data
        1. PCI Data Map (Encl 1) **RESTRICTED**
        2. ISOC Threat Portfolio (PCI) (Tab B) **RESTRICTED**
        3. PCI Log Data (Tab C)
        4. Third-Party (Payment) Connections (Tab D)
      7. Third-Party Services
        1. PCI Forensic Investigator (PFI)
        2. Identity Protection Services
        3. Compromise Notification Fulfillment
        4. Sources of Precursors and Indicators
      8. Incident Thresholds
        1. Data Threshold
        2. Compromise Threshold
        3. Incident Analysis
        4. Technical Impact
        5. Business Impact
      9. Incident Categories
        1. Priority 1
        2. Priority 2
        3. Non-Actionable/Informational
      10. Incident Declaration
        1. Incident Notification and Mobilization
        2. Incident Documentation
    2. Chapter 6 Your Data Breach CIRP: Plan Execution
      1. Plan Execution
        1. Organization and Roles
        2. Process and Rhythm
      2. Synchronization and Decision-Making
        1. Status Reports
      3. Mandatory Reporting/Notification(s)
        1. Payment Card Industry Data Security Standard (PCI DSS)
      4. Release of “Public-Facing Documents”
        1. Draft/Approve/Release Process
        2. Public-Facing Documents Participants
      5. Evidence Discovery and Retention
        1. Criminal Prosecution
        2. Civil Litigation
        3. Managing Evidence
      6. Liaison with Local Law Enforcement
        1. XYZ Loss Prevention (LE Liaison)
        2. Law Enforcement Points of Contact (POC) (Tab I)
      7. Incident Containment, Eradication, and Recovery
        1. The XYZ (Data Compromise) CIRP SWAT Team
        2. Containment
      8. Eradication and Recovery
        1. Remediation
        2. Compensating Controls
      9. Disaster Recovery/Business Continuity
      10. CIRP Roles and Responsibilities
        1. Human Resources
    3. Chapter 7 Your Data Breach CIRP: Post Incident Planning and Maintenance
      1. Post-Incident Activity
        1. Incident Termination
      2. Plan Maintenance
        1. Overview
      3. Regular Updates
        1. Verification/Updates of Perishable Data
        2. Annual Testing of the Plan
  10. Part IV Plan Development: Malware
    1. Chapter 8 Your Malware Outbreak CIRP: Incident Preparation
      1. Foreword
      2. Plan Introduction
        1. Plan Objective
      3. Plan Execution and Command Topologies
      4. Plan Ownership
        1. Supporting Documentation
      5. Incident Preparation
        1. Isolation Points within the XYZ Enterprise
        2. Business Impact Overlay of Isolation Points
        3. ISOC Threat Portfolio
      6. Third-Party Support Services
        1. PCI Forensics Investigator (PFI)
        2. BXD LongSight Threat Management System
      7. Incident Detection, Analysis, and Declaration
        1. Sources of Precursors and Indicators
        2. ISOC Monitoring Feeds
        3. Field Services Responding to Malware Calls
        4. NOC, Service Desk, and Other Internal Sources of Detection
      8. Incident Threshold
      9. Incident Analysis
        1. Technical Impact
        2. Business Impact
      10. Incident Declaration
        1. Incident Notification and Mobilization
      11. Incident Documentation
    2. Chapter 9 Your Malware Outbreak CIRP: Plan Execution
      1. Plan Execution
        1. Organization and Roles
      2. Operational Sequencing
      3. Operational Priorities
      4. Operational Resources
        1. Synchronization and Decision Making
    3. Chapter 10 Your Malware Outbreak CIRP: Post Incident Planning and Maintenance
      1. Incident Termination
        1. Criteria for Terminating an Incident
      2. Plan Maintenance
        1. Overview
        2. Quarterly Updates
        3. Annual Testing of the Plan
    4. Chapter 11 Closing Thoughts
      1. New Age for InfoSec Professionals
      2. Paradigm #1: The New Consciousness of the Zero-Day Attack
      3. Paradigm #2: The Need for Transparent Due Diligence
      4. Paradigm #3: Consequence-Based Information Security
      5. Paradigm #4: The Constant Challenge of Change
      6. Paradigm #5: While We’re All Focusing on the Silicon-Based Systems, the Bad Guys Are Targeting the Carbon-Based Ones
  11. Part V Appendixes
    1. A Useful Online Resources
    2. B Computer Incident Response Plan (CIRP) Management Checklist
  12. Glossary
  13. Index