Coordinating security response and crisis management planning
By Martin Welsh and Keith Taylor.
Too often information security incident response plans, disaster recovery and business continuity plans are not aligned with the overall corporate crisis management process. Now, more than ever, an organization must be able to quickly respond to a security breach, both from a tactical response and via a strategic corporate message. In this article we will discuss the benefits of, and offer an approach to, integrating the security response process into the overall corporate crisis management plan.
Similar efforts go into building, managing, exercising and maintaining both security incident response plans and overall corporate crisis management plans. For most organizations the escalation, notification and decision making process is similar, regardless of the incident. The struggles organizations encounter, while developing these plans, also tend to be similar. Building awareness, understanding roles and responsibilities, allocating time and resources (financial and human), can all be impediments to sound response plans.
Better plans can be developed by overcoming these shortcomings through integration.
Creating a security emergency response team (SERT)
There are two types of SERTs within an organization: a strategic team and a tactical team. The strategic team will focus on the overall direction for the company. The strategic team is notified by the tactical team on every incident and will make a determination whether executive management needs to be notified. If the incident is affecting a large percentage of the company, for example a DDoS attack, the strategic team will be notified and the head of that team will notify executive management.
The strategic SERT team is made up of the following:
The CISO has a role on both the strategic and tactical SERT teams. By being a member of both teams, she/he can report up to the CIO on the progress made combating the incident.
The one group most SERT plans overlook is the business units (BU). That issue leads us back to the topic of this paper, linking the SERT with an organization’s existing crisis management plan. Integrating these two initiatives helps ensure that, not only is executive reporting and management in place, but that the business areas are better prepared to respond to any form of incident or business interruption, be they cyber, man-made or natural.
Within each business unit a director or higher is typically appointed to the strategic team. As the security team within the organization evaluates what incidents are happening and how, the business units then notify the SERT team how the incidents are affecting or impacting the business applications or business processes. Information security may think a particular incident is a Priority-1, but adding the response from the business unit may lead us to better understand that the incident is actually only a Priority-3 or lower. The business units become an integral part of the SERT team and the evaluation process. Considering that most incidents affect a business application, the business unit representatives are the ones best equipped to inform the CIO when the impacted application is functioning correctly again. The business unit representatives also assess and add their value when creating an incident matrix. This incident matrix is used when strategic incidents occur.
An example incident matrix can be seen below:
NOTE - If there is a fast-spreading new worm or virus, do an immediate callout.
During an incident the strategic team typically sets up a conference call as part of a preliminary response. During this conference call each team member will identify themselves. The call will take place within the timeframe allotted. During the initial call the type and potential severity of the incident is identified, including impacted systems and applications. This call helps determine if the incident is spreading within the company. During subsequent calls with the team, the effectiveness of the initial response is gauged. If these initial actions aren’t effective, the strategic team will change the direction of the tactical team.
Within the strategic team it is important that only one message is clearly sent to the executive team as well as to the employees. If there were more than one message, this would confuse personnel within the company. Also, only executives or identified personnel are allowed to speak to the media if asked about the incident.
It is difficult to create a matrix that will cover all types of incidents, but if a SERT team can hold brainstorming sessions with everyone, this would be a great help. By doing this we would get direct buy-in from the business units instead of working within an IT vacuum, as tends to happen. Once the matrix is created, it would be presented to a director-level person for approval.
The functions of the strategic team are to:
Once the incident is closed a root cause analysis (RCA) is performed. Key points of this analysis include:
Crisis management plans allow organizations to respond quickly and efficiently to an event. While emergency response deals with evacuation and staff safety, crisis management takes the next step beyond the initial emergency and deals with the escalation and decision making process that executives and operations must utilize to protect the organization at time of incident.
Crisis management provides the means to integrate and coordinate an organization’s overall response. This process links emergency response management to business continuity and disaster recovery and provides companies with:
Recent history is full of stories of organizations that have responded well (think Odwalla Juices) and not so well (Exxon) to business emergencies.
Odwalla acted quickly, took responsibility, addressed the problem and as an organization rebounded. They spent millions, including the recall, process improvements and the largest fine ever assessed by the FDA. Yet this is an incident that today is not widely talked about or remembered.
Conversely, with Exxon the Valdez issue was handled poorly: media communication was poor, and clean-up was slow, as was their acceptance of culpability. This ended up costing Exxon billions of dollars in fines and even more in reputation loss.
Pulling it all together
There are similarities between the security response and crisis management plans, and linking them will help pull the pieces together to better prepare an organization to respond to an incident: any incident! Integrating information security into the crisis management process, and further into business continuity and disaster recovery, better prepares an organization to respond effectively.
Why linking the processes is important
Many organizations let minor incidents turn into major events because their initial response is weak. Delays and confusion at the front end of an issue can allow it to blossom or mushroom into a much worse incident. Don’t let that happen to your organization: link your incident response plans together into comprehensive action plans that pull in executive, operational, technical and third-party support that can quickly respond to any event.
Martin Welsh, CBCP, MBCI, leads the Disaster Recovery and Business Continuity practice at Cognizant, a global provider of IT, consulting, and BPO services.
Keith Taylor, MS, leads the IT Security Professional Services practice at Cognizant. He has over 15 years overall in IT security controls in global security operations and security appliances.
Cognizant retains the copyright for this article.
Date: 25th October 2013 • World • Type: Article • Topic: ISM