“Great things in business are never done by one person. They’re done by a team of people.” – Steve Jobs Show
As part of our 5-part series about Incident Response Planning (IRP), this article dives deeper into the roles and responsibilities required to implement and respect an effective Incident Response Plan. Find more detailed information about IRP in the articles below: Incident Response Planning has proven to be most effective to help organizations respond to incidents when at least three distinct functions are in place:
To help your organization become more confident when facing a security incident, we’re explaining each of these three roles down below.
A Computer Security Incident Response Team (“CSIRT”) is defined as the group of individuals in charge of executing the technical aspect of an Incident Response Plan. CSIRT members are responsible for the detection, containment and eradication of cyber incidents as well as for the restauration of the affected IT systems. To set up a CSIRT, organizations can opt for three different staffing models:
According to the U.S. National Institute of Standards and Technology (NIST), “the most prevalent arrangement is for the organization to outsource 24-hours-a-day, 7-days-a-week (24/7) monitoring of intrusion detection sensors, firewalls, and other security devices to an offsite managed security services provider (MSSP). The MSSP identifies and analyzes suspicious activity and reports each detected incident to the organization’s incident response team”. This recommended scenario related to a partially outsourced staffing model as described above. Fully outsourcing options often require on-site contractor. A contextual analysis may drive organizations to opt for either a partially outsourced or a fully integrated response capability. In these scenario, a CSIRT must be set up. What should I consider when setting up a CSIRT?Regardless of what your organization decides to do, your choice should be motivated by a consideration of the following:
Disclaimer: When opting for a partially outsourced model, organizations must understand that outsourcing does not transfer their legal obligations to MSSPs. Organizations remain fully responsible, both legally and morally, to ensure that they meet legal requirements in terms of information security. This being said, MSSPs are liable for the quality of service that they provide according to the terms of the service level agreement (SLA). What factors impact how I build my CSIRT?CISRTs vary in terms of their service offering and organizational structure. The responsible department will usually examine a number of relevant factors before choosing a model. The objective of the exercise is to identify the organization’s needs and the framework in which the prospective CSIRT will be inserted in order to develop a vision of its mission.
What are the functions of the CSIRT?CSIRTs may exercise a wide range of functions that can be grouped under reactive, proactive and security quality management services: Ideally, CSIRTs should aim to provide the usual baseline of services and eventually add other features that pertains to their mission. In other words, the primarily function of CSIRTs remains incident response. Only once the team has acquired all necessary resources, training and experience to properly and effectively accomplish these tasks, management should consider adding additional responsibilities. The extension of functions can be part of a development plan for the CSIRT. For instance, with proper funding and management support, the CSIRT can become a “key player in providing risk and business intelligence to the organization”. Which roles should be assigned within the CSIRT?NIST’s publication 800-64 proposes that CSIRTs should be composed of a manager, a technical lead and team members. The PCI DSS makes it mandatory to assign an individual or a team to various tasks, including establishing, documenting and distributing security incident response and escalading procedures when necessary. Under this standard, the team must monitor and analyze security alerts and access to data. CSIRT: Tasks and Skills NeededNote that the PCI-DSS also requires an IRP that involves the documentation of roles and responsibilities. The Computer Emergency Readiness Team [CERT] recommends the following roles amongst the CSIRT members:
In reality, CSIRTs are rarely staffed enough to cover all of these roles and personnel is expected to be versatile. The table above describes the usual tasks and skills of team members. Note that some organizations are required by law to have a privacy officer (an individual accountable for the respect of the privacy legislation in the constituent), especially in the health sector (see Ontario’s Personal Health Information Protection Act). Harmonization between the privacy policies and practices with those of data security is critical. Organizations should consider integrating their privacy officer into information security planning and attributing him responsibilities during IRP. Anything else to consider when creating a CSIRT?
In the process of attributing roles and responsibilities, the need for judicial expertise should not be overlooked. Legal experts endorse many critical roles throughout the phases of IRP, but particularly in the phase of drafting policies, plans and procedures. CMU-SEI’s Handbook for CSIRTs rightly emphasizes the need for individuals who are experienced in cybersecurity as such to understand technical terminology and particular issues relating to CSIRT’s daily activities. They also recommend a year-long capability of engagement due to the amount of domain specific knowledge needed and the difficulty of finding such legal expertise on the market. The role of the legal expert can be summarized as providing quality assurance about every topic – from the mission statement to the actual incident handling. Regarding policies and plans, lawyers inform the decision-makers about legal requirements, preferred practices and any conflicts with other jurisdictional legislations in which the organization does business. Their contract drafting experience help to adjust the scope of these documents with proper definitions. In the same line of thought, they conduct contract analysis with outsourced services and draft all the needed material pertaining to the CSIRT’s operations (e.g. non-disclosure agreements). Overall, legal experts are concerned with being able of demonstrating due care at all times by warranting the adequacy of rules regarding the handling of confidential information, evidence and documentation. In doing so, they proactively defend the organization against liabilities. Legal Expert: Tasks and Skills NeededSee the table below for a detailed description of the tasks of a legal expert.
Each organization should have a predetermined point of contact with the media, usually a public relations (PR) expert who is trained on developing precise and impactful press releases. In case of a data breach of public interest, this person will be updating the media about the work of the CSIRT and any remedial action taken. In this regard, the PR expert should have received training on information disclosure and is well aware of the organization’s policies. In the event of a data breach, communication is key. The PR expert should have communication templates ready to address different scenarios, such as data breach notification. His role is to balance the need to protect the company’s business interests (e.g. its reputation) with the need to inform the public. Pre-written templates provide sufficient time to reflect on the appropriate wording. This should be done before a crisis occurs, as there will be little time to reflect during ‘war time’. In the same line of thought, pre-written statements should be analyzed by legal experts who will consider all ramifications such as balancing mandatory notification, non-disclosure agreements, the protection of personal information and the company’s best interest. PR Expert: Tasks and Skills NeededHere’s what the PR expert is supposed to do as well as the skills he or she should have for this crucial role: In a NutshellWe can all agree that security incidents against organizations are here to stay. And sooner than later, we’ll all need to live up to the fact that careful incident planning and preparation is one of the best strategies to respond to security incidents. For Incident Response Plans to be effective, organizations need to be proactive and create at least three crucial roles to help navigate the stormy waters of a security incidents.
Now that we’ve learned about the roles and responsibilities for effective Incident Response Planning, how does IRP look like in different jurisdictions across the world? Stay tuned for part 4 of our 5-part blog series about Incident Response Planning in next week’s article. What are the responsibilities of CSIRT?The role of the CSIRT is to serve as the first responder to computer security incidents within the Department and to perform vital functions in identifying, mitigating, reviewing, documenting, and reporting findings to management.
Which role of the CSIRT is assigned the responsibility of coordinating responses for specific incidents?Incident Leader of CSIRT.
The incident leader is responsible with coordinating individual responses to the incidents.
Which of the following is a primary service of the US CSIRT?Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)? CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset.
Which department can assist the CSIRT in obtaining the necessary access in a timely manner?In this specialized hybrid model, the security operations center (SOC) is responsible for receiving all alerts, alarms and reports indicating potential incidents. If the SOC requires help with additional analysis, the CSIRT is activated.
|