| |
| |
| Acknowledgments | |
| |
| |
| Introduction | |
| |
| |
| |
| The Threat Landscape | |
| |
| |
| |
| Introduction to Planning and Crisis | |
| |
| |
| The Absence of Planning | |
| |
| |
| Key Concepts | |
| |
| |
| The OODA Loop | |
| |
| |
| Fog of War | |
| |
| |
| Friction | |
| |
| |
| Center of Gravity | |
| |
| |
| Unity of Command | |
| |
| |
| Maintaining the Initiative | |
| |
| |
| Tactical, Operational, and Strategic Perspectives | |
| |
| |
| Requirements-Driven Execution | |
| |
| |
| End State | |
| |
| |
| Military Decision-Making Process | |
| |
| |
| A Plan Is Preparation Manifested | |
| |
| |
| Anticipation: Objectives and Requirements | |
| |
| |
| Collaboration: Socialization and Normalization | |
| |
| |
| Research: The Availability of Relevant Information | |
| |
| |
| The Ad Hoc Organization for Time of Crisis | |
| |
| |
| The Value of Documentation | |
| |
| |
| |
| Cyber Due Diligence in an Era of Information Risk | |
| |
| |
| Regulation | |
| |
| |
| Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) | |
| |
| |
| The Health Insurance Portability and Accountability Act of 1996 | |
| |
| |
| Sarbanes-Oxley Act of 2002 | |
| |
| |
| State Breach Requirements | |
| |
| |
| Industry Standards | |
| |
| |
| Federal/State Enforcement | |
| |
| |
| Contractual Enforcement | |
| |
| |
| What Standards? | |
| |
| |
| ISO/IEC 27000 Series | |
| |
| |
| FFIEC | |
| |
| |
| PCI DSS | |
| |
| |
| Service Organization Controls | |
| |
| |
| Shared Assessments | |
| |
| |
| How Do I Know that I'm Doing the Right Thing? | |
| |
| |
| Independent Review | |
| |
| |
| Internal Audit | |
| |
| |
| Tabletop Exercises | |
| |
| |
| How Do I Keep It Up? | |
| |
| |
| COBIT | |
| |
| |
| ISO/IEC 27005 (Information Security Risk Management) | |
| |
| |
| ITIL | |
| |
| |
| Bringing It Together | |
| |
| |
| Top-Down Approval | |
| |
| |
| Values | |
| |
| |
| Policies | |
| |
| |
| Ownership | |
| |
| |
| Procedures and Controls | |
| |
| |
| Measurement and Monitoring | |
| |
| |
| Education | |
| |
| |
| Calendar for Testing Processes and Controls | |
| |
| |
| Independent Review | |
| |
| |
| Internal Oversight | |
| |
| |
| |
| Planning for Crisis | |
| |
| |
| |
| Getting More Out of Your Plans | |
| |
| |
| Proactively Using Plans During Period of Heightened Risk | |
| |
| |
| Understanding How Your ISOC Works | |
| |
| |
| Building Relationships Outside of IT | |
| |
| |
| Leveraging Your CIRP to Develop Relationships with Law Enforcement | |
| |
| |
| Using Plans to Augment Your Current ERM Efforts | |
| |
| |
| |
| Writing Your Computer Incident Response Plan | |
| |
| |
| What Problem Are You Solving? | |
| |
| |
| Don't Bother if You Don't Have an Executive Sponsor | |
| |
| |
| Using an Advisory Committee: My Plan vs. Our Plan | |
| |
| |
| Understanding Your Audiences | |
| |
| |
| Leveraging the Table of Contents | |
| |
| |
| Plan Introduction | |
| |
| |
| Incident Preparation | |
| |
| |
| Incident Detection, Analysis, and Declaration | |
| |
| |
| Incident Response | |
| |
| |
| Plan Maintenance/Post Incident | |
| |
| |
| Development of an Ad Hoc Organization to Respond to Crisis | |
| |
| |
| |
| Plan Development: Data Breach | |
| |
| |
| |
| Your Data Breach CIRP: Incident Preparation | |
| |
| |
| Foreword | |
| |
| |
| Plan Introduction | |
| |
| |
| Plan Objective | |
| |
| |
| Plan Scope and Assumptions | |
| |
| |
| Plan Execution and Command Topologies | |
| |
| |
| Plan Structure | |
| |
| |
| Updating and Synchronization | |
| |
| |
| Incident Preparation | |
| |
| |
| Statutory/Compliance Framework | |
| |
| |
| Sensitive Data | |
| |
| |
| PCI Data Map (End DERESTRICTED** | |
| |
| |
| ISOC Threat Portfolio (PCI) (Tab B) "RESTRICTED** | |
| |
| |
| PCI Log Data (Tab C) | |
| |
| |
| Third-Party (Payment) Connections (Tab D) | |
| |
| |
| Third-Party Services | |
| |
| |
| PCI Forensic Investigator (PFI) | |
| |
| |
| Identity Protection Services | |
| |
| |
| Compromise Notification Fulfillment | |
| |
| |
| Sources of Precursors and Indicators | |
| |
| |
| Incident Thresholds | |
| |
| |
| Data Threshold | |
| |
| |
| Compromise Threshold | |
| |
| |
| Incident Analysis | |
| |
| |
| Technical Impact | |
| |
| |
| Business Impact | |
| |
| |
| Incident Categories | |
| |
| |
| Priority 1 | |
| |
| |
| Priority 2 | |
| |
| |
| Non-Actionable/Informational | |
| |
| |
| Incident Declaration | |
| |
| |
| Incident Notification and Mobilization | |
| |
| |
| Incident Documentation | |
| |
| |
| |
| Your Data Breach CIRP: Plan Execution | |
| |
| |
| Plan Execution | |
| |
| |
| Organization and Roles | |
| |
| |
| Process and Rhythm | |
| |
| |
| Synchronization and Decision-Making | |
| |
| |
| Status Reports | |
| |
| |
| Mandatory Reporting/Notification(s) | |
| |
| |
| Payment Card Industry Data Security Standard (PCI DSS) | |
| |
| |
| Release of "Public-Facing Documents" | |
| |
| |
| Draft/Approve/Release Process | |
| |
| |
| Public-Facing Documents Participants | |
| |
| |
| Evidence Discovery and Retention | |
| |
| |
| Criminal Prosecution | |
| |
| |
| Civil Litigation | |
| |
| |
| Managing Evidence | |
| |
| |
| Liaison with Local Law Enforcement | |
| |
| |
| XYZ Loss Prevention (LE Liaison) | |
| |
| |
| Law Enforcement Points of Contact (POC) (Tab I) | |
| |
| |
| Incident Containment, Eradication, and Recovery | |
| |
| |
| The XYZ (Data Compromise) CIRP SWAT Team | |
| |
| |
| Containment | |
| |
| |
| Eradication and Recovery | |
| |
| |
| Remediation | |
| |
| |
| Compensating Controls | |
| |
| |
| Disaster Recovery/Business Continuity | |
| |
| |
| CIRP Roles and Responsibilities | |
| |
| |
| Human Resources | |
| |
| |
| |
| Your Data Breach CIRP: Post Incident Planning and Maintenance | |
| |
| |
| Post-Incident Activity | |
| |
| |
| Incident Termination | |
| |
| |
| Plan Maintenance | |
| |
| |
| Overview | |
| |
| |
| Regular Updates | |
| |
| |
| Verification/Updates of Perishable Data | |
| |
| |
| Annual Testing of the Plan | |
| |
| |
| |
| Plan Development: Malware | |
| |
| |
| |
| Your Malware Outbreak CIRP: Incident Preparation | |
| |
| |
| Foreword | |
| |
| |
| Plan Introduction | |
| |
| |
| Plan Objective | |
| |
| |
| Plan Execution and Command Topologies | |
| |
| |
| Plan Ownership | |
| |
| |
| Supporting Documentation | |
| |
| |
| Incident Preparation | |
| |
| |
| Isolation Points within the XYZ Enterprise | |
| |
| |
| Business Impact Overlay of Isolation Points | |
| |
| |
| ISOC Threat Portfolio | |
| |
| |
| Third-Party Support Services | |
| |
| |
| PCI Forensics Investigator (PFI) | |
| |
| |
| BXD Long Sight Threat Management System | |
| |
| |
| Incident Detection, Analysis, and Declaration | |
| |
| |
| Sources of Precursors and Indicators | |
| |
| |
| ISOC Monitoring Feeds | |
| |
| |
| Field Services Responding to Malware Calls | |
| |
| |
| NOC, Service Desk, and Other Internal Sources of Detection | |
| |
| |
| Incident Threshold | |
| |
| |
| Incident Analysis | |
| |
| |
| Technical Impact | |
| |
| |
| Business Impact | |
| |
| |
| Incident Declaration | |
| |
| |
| Incident Notification and Mobilization | |
| |
| |
| Incident Documentation | |
| |
| |
| |
| Your Malware Outbreak CIRP: Plan Execution | |
| |
| |
| Plan Execution | |
| |
| |
| Organization and Roles | |
| |
| |
| Operational Sequencing | |
| |
| |
| Operational Priorities | |
| |
| |
| Operational Resources | |
| |
| |
| Synchronization and Decision Making | |
| |
| |
| |
| Your Malware Outbreak CIRP: Post Incident Planning and Maintenance | |
| |
| |
| Incident Termination | |
| |
| |
| Criteria for Terminating an Incident | |
| |
| |
| Plan Maintenance | |
| |
| |
| Overview | |
| |
| |
| Quarterly Updates | |
| |
| |
| Annual Testing of the Plan | |
| |
| |
| |
| Closing Thoughts | |
| |
| |
| New Age for InfoSec Professionals | |
| |
| |
| Paradigm #1: The New Consciousness of the Zero-Day Attack | |
| |
| |
| Paradigm #2: The Need for Transparent Due Diligence | |
| |
| |
| Paradigm #3: Consequence-Based Information Security | |
| |
| |
| Paradigm #4: The Constant Challenge of Change | |
| |
| |
| Paradigm #5: While We're All Focusing on the Silicon-Based Systems, the Bad Guys Are Targeting the Carbon-Based Ones | |
| |
| |
| |
| Appendixes | |
| |
| |
| |
| Useful Online Resources | |
| |
| |
| |
| Computer Incident Response Plan (CIRP) Management Checklist | |
| |
| |
| Glossary | |
| |
| |
| Index | |