Incidents: Response: Who controls and executes responses to information-related attacks?
Options:
Incident response processes are controlled by {a designated team, different people for different situations as defined by policies, the individual first encountering it} through {a defined workflow process, a process defined by policy but not codified in workflow systems, an ad-hoc process, however the responders deem appropriate} engaging {internal workers only, outside technical assistance, outside private investigative assistance, law enforcement, outside counsel, outside public relations}.
Basis:
The process should be controlled by a designated team:
Typically, incident response teams start with an internal security operations center team and, if the incident exceeds identified thresholds, the process is escalated to an appropriate management level. There are usually no more than three levels of escalation involved: (1) reporting to the help desk or similar function or, in the case of a personnel-initiated incident, through the HR department or the appropriate management chain; (2) triage to determine that it is a security-related incident and routing to the physical security, information security, legal, or HR department to lead the effort, as appropriate to the situation; and (3) escalation to top management if the magnitude of the situation warrants further attention. Within each of these functions, additional process and team efforts may be applied, including calling in individuals from other teams as needed, depending on the nature of the incident.
The process should be controlled by policy-defined individual(s):
In some cases, policy defines an individual responsible for incident handling. This is typically the CISO or other Information Protection Lead (IP Lead) for anything related to information protection. The Lead then manages the incident handling process as appropriate to the need. Typically, the IP Lead will create teams such as those identified in the process above, but depending on the size and nature of the organization, other structures may be used.
The process should be controlled by the individual first encountering the incident:
When nothing else is defined, whoever identifies something as an "incident" will likely proceed in their own way to deal with it, or not, as they see fit. While this is not normally advised, it is de facto what happens when nothing else is put in place to systematically manage the process.
The process should be managed through a defined workflow process:
A defined workflow process is generally in place for any enterprise at the managed maturity level or higher. The workflow process may involve automation, such as help desk ticketing systems or similar mechanisms, and may also involve manual processes like checklists or other standard approaches that are known to workers. Generally, these processes are documented if the enterprise operates at the managed level or above.
The process should be managed through a process defined by policy but not codified in workflow:
In cases where the enterprise has defined processes but does not have a workflow mechanism, or has yet to codify incident response in terms of such a system, the policy-defined process should be used. This is most often the case in an enterprise operating at the defined maturity level that has not yet reached, or does not wish to operate at, the managed maturity level or above.
The process should be managed through an ad-hoc process:
In enterprises operating below the defined level of maturity, or in situations for which no defined process exists because of the novelty of the incident or the incompleteness of the defined processes, an ad-hoc process is necessary, but it should still follow other aspects of enterprise process. It should be carried out at the repeatable maturity level, and the definitions and processes should then be updated so that future incidents of similar types are handled by a defined process.
The process should be managed however the responders deem appropriate:
In cases where there is little or no definition of process and the enterprise is operating at the initial or repeatable maturity level only, whoever is responding to an incident will do whatever they do.
The enterprise should engage internal workers:
Enterprise employees or other internal workers are generally used in incident response when a sufficient internal capability is in place because there are enough incidents to warrant such a team, or in cases where the issues are so sensitive that external workers would be unacceptable for one reason or another. Internal workers tend to know a lot more about how internal systems operate, especially when custom infrastructure, applications, or configurations are in use. They also tend to be intimately involved with day-to-day issues and better understand the enterprise and how it works.
The enterprise should engage outside technical assistance:
Outside technical assistance is often required in incident handling when internal teams don't handle many incidents and therefore lack the knowledge and experience to handle them well, when specialized knowledge or additional personnel are required, or, less often, when legal issues or the potential involvement of insiders mandate that external expertise be used. Many companies outsource standard network intrusion processes to other companies that specialize in this area, but use internal experts for platform intrusions or special cases.
The enterprise should engage outside private investigative assistance:
Whenever hunting down people or seeking the source of an incident, rather than just dealing with repair of affected mechanisms and restoration of utility, an investigative process is required. Unless adequate internal investigative expertise is in hand and independent of the incident, outside private investigators are required. Generally, when an insider is suspected and the incident is serious, an outside expert is called in, if only to augment internal teams.
The enterprise should engage law enforcement:
When a crime has been committed, and especially when there is a threat to personal safety, involving law enforcement is vital. Failure to call law enforcement for certain types of matters may result in legal liabilities. For example, if a threat to health and safety is made via computers and it appears to be serious, private detectives may be the first call, but if such cases escalate, law enforcement is critical. If there is internal criminal activity, not calling law enforcement may turn decision makers into accessories after the fact and expose corporate officers to civil and criminal liability. For certain classes of crime, reporting to regulatory agencies may also be mandatory. As a rule, it is important to have thought through the possibilities in advance and to have a policy about when to call law enforcement. If this sort of decision has to be made in real time, errors can be very costly.
The enterprise should engage outside counsel:
Whenever legal issues arise and internal legal expertise is either not staffed to the level required to manage such matters or lacks the specific legal expertise required to handle the case, outside counsel should be brought in. Outside counsel is also used in cases involving top executives because of the potential conflicts of interest, the potential for attempts to influence inside counsel, and the perception of such attempts.
The enterprise should engage outside public relations:
Whenever public relations issues arise and internal expertise is either not staffed to the level required to manage such matters or lacks the specific public relations expertise required to handle the case, outside public relations experts should be brought in. Outside public relations is also used in cases involving public disclosures or top executives because of the potentially high consequences for the brand.