Acknowledgments

Introduction

The Threat Landscape

    Introduction to Planning and Crisis
        The Absence of Planning
        Key Concepts
        The OODA Loop
        Fog of War
        Friction
        Center of Gravity
        Unity of Command
        Maintaining the Initiative
        Tactical, Operational, and Strategic Perspectives
        Requirements-Driven Execution
        End State
        Military Decision-Making Process
        A Plan Is Preparation Manifested
        Anticipation: Objectives and Requirements
        Collaboration: Socialization and Normalization
        Research: The Availability of Relevant Information
        The Ad Hoc Organization for Time of Crisis
        The Value of Documentation

    Cyber Due Diligence in an Era of Information Risk
        Regulation
        Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999)
        The Health Insurance Portability and Accountability Act of 1996
        Sarbanes-Oxley Act of 2002
        State Breach Requirements
        Industry Standards
        Federal/State Enforcement
        Contractual Enforcement
        What Standards?
        ISO/IEC 27000 Series
        FFIEC
        PCI DSS
        Service Organization Controls
        Shared Assessments
        How Do I Know that I'm Doing the Right Thing?
        Independent Review
        Internal Audit
        Tabletop Exercises
        How Do I Keep It Up?
        COBIT
        ISO/IEC 27005 (Information Security Risk Management)
        ITIL
        Bringing It Together
        Top-Down Approval
        Values
        Policies
        Ownership
        Procedures and Controls
        Measurement and Monitoring
        Education
        Calendar for Testing Processes and Controls
        Independent Review
        Internal Oversight

Planning for Crisis

    Getting More Out of Your Plans
        Proactively Using Plans During Period of Heightened Risk
        Understanding How Your ISOC Works
        Building Relationships Outside of IT
        Leveraging Your CIRP to Develop Relationships with Law Enforcement
        Using Plans to Augment Your Current ERM Efforts

    Writing Your Computer Incident Response Plan
        What Problem Are You Solving?
        Don't Bother if You Don't Have an Executive Sponsor
        Using an Advisory Committee: My Plan vs. Our Plan
        Understanding Your Audiences
        Leveraging the Table of Contents
        Plan Introduction
        Incident Preparation
        Incident Detection, Analysis, and Declaration
        Incident Response
        Plan Maintenance/Post Incident
        Development of an Ad Hoc Organization to Respond to Crisis

Plan Development: Data Breach

    Your Data Breach CIRP: Incident Preparation
        Foreword
        Plan Introduction
        Plan Objective
        Plan Scope and Assumptions
        Plan Execution and Command Topologies
        Plan Structure
        Updating and Synchronization
        Incident Preparation
        Statutory/Compliance Framework
        Sensitive Data
        PCI Data Map **RESTRICTED**
        ISOC Threat Portfolio (PCI) (Tab B) **RESTRICTED**
        PCI Log Data (Tab C)
        Third-Party (Payment) Connections (Tab D)
        Third-Party Services
        PCI Forensic Investigator (PFI)
        Identity Protection Services
        Compromise Notification Fulfillment
        Sources of Precursors and Indicators
        Incident Thresholds
        Data Threshold
        Compromise Threshold
        Incident Analysis
        Technical Impact
        Business Impact
        Incident Categories
        Priority 1
        Priority 2
        Non-Actionable/Informational
        Incident Declaration
        Incident Notification and Mobilization
        Incident Documentation

    Your Data Breach CIRP: Plan Execution
        Plan Execution
        Organization and Roles
        Process and Rhythm
        Synchronization and Decision-Making
        Status Reports
        Mandatory Reporting/Notification(s)
        Payment Card Industry Data Security Standard (PCI DSS)
        Release of "Public-Facing Documents"
        Draft/Approve/Release Process
        Public-Facing Documents Participants
        Evidence Discovery and Retention
        Criminal Prosecution
        Civil Litigation
        Managing Evidence
        Liaison with Local Law Enforcement
        XYZ Loss Prevention (LE Liaison)
        Law Enforcement Points of Contact (POC) (Tab I)
        Incident Containment, Eradication, and Recovery
        The XYZ (Data Compromise) CIRP SWAT Team
        Containment
        Eradication and Recovery
        Remediation
        Compensating Controls
        Disaster Recovery/Business Continuity
        CIRP Roles and Responsibilities
        Human Resources

    Your Data Breach CIRP: Post Incident Planning and Maintenance
        Post-Incident Activity
        Incident Termination
        Plan Maintenance
        Overview
        Regular Updates
        Verification/Updates of Perishable Data
        Annual Testing of the Plan

Plan Development: Malware

    Your Malware Outbreak CIRP: Incident Preparation
        Foreword
        Plan Introduction
        Plan Objective
        Plan Execution and Command Topologies
        Plan Ownership
        Supporting Documentation
        Incident Preparation
        Isolation Points within the XYZ Enterprise
        Business Impact Overlay of Isolation Points
        ISOC Threat Portfolio
        Third-Party Support Services
        PCI Forensics Investigator (PFI)
        BXD Long Sight Threat Management System
        Incident Detection, Analysis, and Declaration
        Sources of Precursors and Indicators
        ISOC Monitoring Feeds
        Field Services Responding to Malware Calls
        NOC, Service Desk, and Other Internal Sources of Detection
        Incident Threshold
        Incident Analysis
        Technical Impact
        Business Impact
        Incident Declaration
        Incident Notification and Mobilization
        Incident Documentation

    Your Malware Outbreak CIRP: Plan Execution
        Plan Execution
        Organization and Roles
        Operational Sequencing
        Operational Priorities
        Operational Resources
        Synchronization and Decision Making

    Your Malware Outbreak CIRP: Post Incident Planning and Maintenance
        Incident Termination
        Criteria for Terminating an Incident
        Plan Maintenance
        Overview
        Quarterly Updates
        Annual Testing of the Plan

Closing Thoughts

    New Age for InfoSec Professionals
        Paradigm #1: The New Consciousness of the Zero-Day Attack
        Paradigm #2: The Need for Transparent Due Diligence
        Paradigm #3: Consequence-Based Information Security
        Paradigm #4: The Constant Challenge of Change
        Paradigm #5: While We're All Focusing on the Silicon-Based Systems, the Bad Guys Are Targeting the Carbon-Based Ones

Appendixes

    Useful Online Resources

    Computer Incident Response Plan (CIRP) Management Checklist

Glossary

Index