“Great things in business are never done by one person. They’re done by a team of people.” – Steve Jobs
As part of our 5-part series about Incident Response Planning (IRP), this article dives deeper into the roles and responsibilities required to implement and respect an effective Incident Response Plan.
Find more detailed information about IRP in the articles below:
Incident Response Planning has proven to be most effective to help organizations respond to incidents when at least three distinct functions are in place:
To help your organization become more confident when facing a security incident, we’re explaining each of these three roles down below.
A Computer Security Incident Response Team (“CSIRT”) is defined as the group of individuals in charge of executing the technical aspect of an Incident Response Plan. CSIRT members are responsible for the detection, containment and eradication of cyber incidents as well as for the restauration of the affected IT systems.
To set up a CSIRT, organizations can opt for three different staffing models:
According to the U.S. National Institute of Standards and Technology (NIST), “the most prevalent arrangement is for the organization to outsource 24-hours-a-day, 7-days-a-week (24/7) monitoring of intrusion detection sensors, firewalls, and other security devices to an offsite managed security services provider (MSSP). The MSSP identifies and analyzes suspicious activity and reports each detected incident to the organization’s incident response team”.
This recommended scenario related to a partially outsourced staffing model as described above. Fully outsourcing options often require on-site contractor.
A contextual analysis may drive organizations to opt for either a partially outsourced or a fully integrated response capability. In these scenario, a CSIRT must be set up.
Regardless of what your organization decides to do, your choice should be motivated by a consideration of the following:
Disclaimer: When opting for a partially outsourced model, organizations must understand that outsourcing does not transfer their legal obligations to MSSPs. Organizations remain fully responsible, both legally and morally, to ensure that they meet legal requirements in terms of information security. This being said, MSSPs are liable for the quality of service that they provide according to the terms of the service level agreement (SLA).
CISRTs vary in terms of their service offering and organizational structure. The responsible department will usually examine a number of relevant factors before choosing a model.
The objective of the exercise is to identify the organization’s needs and the framework in which the prospective CSIRT will be inserted in order to develop a vision of its mission.
CSIRTs may exercise a wide range of functions that can be grouped under reactive, proactive and security quality management services:
Ideally, CSIRTs should aim to provide the usual baseline of services and eventually add other features that pertains to their mission. In other words, the primarily function of CSIRTs remains incident response.
Only once the team has acquired all necessary resources, training and experience to properly and effectively accomplish these tasks, management should consider adding additional responsibilities.
The extension of functions can be part of a development plan for the CSIRT. For instance, with proper funding and management support, the CSIRT can become a “key player in providing risk and business intelligence to the organization”.
NIST’s publication 800-64 proposes that CSIRTs should be composed of a manager, a technical lead and team members. The PCI DSS makes it mandatory to assign an individual or a team to various tasks, including establishing, documenting and distributing security incident response and escalading procedures when necessary.
Under this standard, the team must monitor and analyze security alerts and access to data.
Note that the PCI-DSS also requires an IRP that involves the documentation of roles and responsibilities.
The Computer Emergency Readiness Team [CERT] recommends the following roles amongst the CSIRT members:
In reality, CSIRTs are rarely staffed enough to cover all of these roles and personnel is expected to be versatile.
The table above describes the usual tasks and skills of team members.
Note that some organizations are required by law to have a privacy officer (an individual accountable for the respect of the privacy legislation in the constituent), especially in the health sector (see Ontario’s Personal Health Information Protection Act).
Harmonization between the privacy policies and practices with those of data security is critical. Organizations should consider integrating their privacy officer into information security planning and attributing him responsibilities during IRP.
In the process of attributing roles and responsibilities, the need for judicial expertise should not be overlooked. Legal experts endorse many critical roles throughout the phases of IRP, but particularly in the phase of drafting policies, plans and procedures.
CMU-SEI’s Handbook for CSIRTs rightly emphasizes the need for individuals who are experienced in cybersecurity as such to understand technical terminology and particular issues relating to CSIRT’s daily activities. They also recommend a year-long capability of engagement due to the amount of domain specific knowledge needed and the difficulty of finding such legal expertise on the market.
The role of the legal expert can be summarized as providing quality assurance about every topic – from the mission statement to the actual incident handling.
Regarding policies and plans, lawyers inform the decision-makers about legal requirements, preferred practices and any conflicts with other jurisdictional legislations in which the organization does business. Their contract drafting experience help to adjust the scope of these documents with proper definitions.
In the same line of thought, they conduct contract analysis with outsourced services and draft all the needed material pertaining to the CSIRT’s operations (e.g. non-disclosure agreements).
Overall, legal experts are concerned with being able of demonstrating due care at all times by warranting the adequacy of rules regarding the handling of confidential information, evidence and documentation. In doing so, they proactively defend the organization against liabilities.
See the table below for a detailed description of the tasks of a legal expert.
Each organization should have a predetermined point of contact with the media, usually a public relations (PR) expert who is trained on developing precise and impactful press releases.
In case of a data breach of public interest, this person will be updating the media about the work of the CSIRT and any remedial action taken. In this regard, the PR expert should have received training on information disclosure and is well aware of the organization’s policies.
In the event of a data breach, communication is key. The PR expert should have communication templates ready to address different scenarios, such as data breach notification. His role is to balance the need to protect the company’s business interests (e.g. its reputation) with the need to inform the public. Pre-written templates provide sufficient time to reflect on the appropriate wording. This should be done before a crisis occurs, as there will be little time to reflect during ‘war time’.
In the same line of thought, pre-written statements should be analyzed by legal experts who will consider all ramifications such as balancing mandatory notification, non-disclosure agreements, the protection of personal information and the company’s best interest.
Here’s what the PR expert is supposed to do as well as the skills he or she should have for this crucial role:
We can all agree that security incidents against organizations are here to stay. And sooner than later, we’ll all need to live up to the fact that careful incident planning and preparation is one of the best strategies to respond to security incidents.
For Incident Response Plans to be effective, organizations need to be proactive and create at least three crucial roles to help navigate the stormy waters of a security incidents.
Now that we’ve learned about the roles and responsibilities for effective Incident Response Planning, how does IRP look like in different jurisdictions across the world?
Stay tuned for part 4 of our 5-part blog series about Incident Response Planning in next week’s article.