The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk

Book Description

Uncertainty and risk, meet planning and action.

Reinforce your organization’s security posture using the expert information contained in this tactical guide. The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk shows you how to build and manage successful response plans for the cyber incidents that have become inevitable for organizations of any size. Find out why these plans work. Learn the step-by-step process for developing and managing plans built to address the wide range of issues organizations face in times of crisis.

  • Contains the essentials for developing both data breach and malware outbreak response plans—and best practices for maintaining those plans
  • Features ready-to-implement CIRPs—derived from living incident response plans that have survived the rigors of repeated execution and numerous audits
  • Clearly explains how to minimize the risk of post-event litigation, brand impact, fines and penalties—and how to protect shareholder value
  • Supports corporate compliance with industry standards and requirements, including PCI, HIPAA, SOX, and CA SB-24

Table of Contents

  1. Cover
  2. About the Author
  3. Copyright
  4. Contents
  5. Acknowledgments
  6. Introduction
  7. Part I The Threat Landscape
    1. Chapter 1 Introduction to Planning and Crisis
      1. The Absence of Planning
      2. Key Concepts
        1. The OODA Loop
        2. Fog of War
        3. Friction
        4. Center of Gravity
        5. Unity of Command
        6. Maintaining the Initiative
        7. Tactical, Operational, and Strategic Perspectives
        8. Requirements-Driven Execution
        9. End State
        10. Military Decision-Making Process
      3. A Plan Is Preparation Manifested
        1. Anticipation: Objectives and Requirements
        2. Collaboration: Socialization and Normalization
        3. Research: The Availability of Relevant Information
        4. The Ad Hoc Organization for Time of Crisis
        5. The Value of Documentation
    2. Chapter 2 Cyber Due Diligence in an Era of Information Risk
      1. Regulation
        1. Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999)
        2. The Health Insurance Portability and Accountability Act of 1996
        3. Sarbanes-Oxley Act of 2002
        4. State Breach Requirements
        5. Industry Standards
        6. Federal/State Enforcement
        7. Contractual Enforcement
      2. What Standards?
        1. ISO/IEC 27000 Series
        2. FFIEC
        3. PCI DSS
        4. Service Organization Controls
        5. Shared Assessments
      3. How Do I Know that I’m Doing the Right Thing?
        1. Independent Review
        2. Internal Audit
        3. Tabletop Exercises
      4. How Do I Keep It Up?
        1. COBIT
        2. ISO/IEC 27005 (Information Security Risk Management)
        3. ITIL
      5. Bringing It Together
        1. Top-Down Approval
        2. Values
        3. Policies
        4. Ownership
        5. Procedures and Controls
        6. Measurement and Monitoring
        7. Education
        8. Calendar for Testing Processes and Controls
        9. Independent Review
        10. Internal Oversight
  8. Part II Planning for Crisis
    1. Chapter 3 Getting More Out of Your Plans
      1. Proactively Using Plans During Period of Heightened Risk
      2. Understanding How Your ISOC Works
      3. Building Relationships Outside of IT
      4. Leveraging Your CIRP to Develop Relationships with Law Enforcement
      5. Using Plans to Augment Your Current ERM Efforts
    2. Chapter 4 Writing Your Computer Incident Response Plan
      1. What Problem Are You Solving?
      2. Don’t Bother if You Don’t Have an Executive Sponsor
      3. Using an Advisory Committee: My Plan vs. Our Plan
      4. Understanding Your Audiences
      5. Leveraging the Table of Contents
      6. Plan Introduction
      7. Incident Preparation
      8. Incident Detection, Analysis, and Declaration
      9. Incident Response
      10. Plan Maintenance/Post Incident
      11. Development of an Ad Hoc Organization to Respond to Crisis
  9. Part III Plan Development: Data Breach
    1. Chapter 5 Your Data Breach CIRP: Incident Preparation
      1. Foreword
      2. Plan Introduction
        1. Plan Objective
        2. Plan Scope and Assumptions
      3. Plan Execution and Command Topologies
      4. Plan Structure
        1. Updating and Synchronization
      5. Incident Preparation
        1. Statutory/Compliance Framework
      6. Sensitive Data
        1. PCI Data Map (Encl 1) **RESTRICTED**
        2. ISOC Threat Portfolio (PCI) (Tab B) **RESTRICTED**
        3. PCI Log Data (Tab C)
        4. Third-Party (Payment) Connections (Tab D)
      7. Third-Party Services
        1. PCI Forensic Investigator (PFI)
        2. Identity Protection Services
        3. Compromise Notification Fulfillment
        4. Sources of Precursors and Indicators
      8. Incident Thresholds
        1. Data Threshold
        2. Compromise Threshold
        3. Incident Analysis
        4. Technical Impact
        5. Business Impact
      9. Incident Categories
        1. Priority 1
        2. Priority 2
        3. Non-Actionable/Informational
      10. Incident Declaration
        1. Incident Notification and Mobilization
        2. Incident Documentation
    2. Chapter 6 Your Data Breach CIRP: Plan Execution
      1. Plan Execution
        1. Organization and Roles
        2. Process and Rhythm
      2. Synchronization and Decision-Making
        1. Status Reports
      3. Mandatory Reporting/Notification(s)
        1. Payment Card Industry Data Security Standard (PCI DSS)
      4. Release of “Public-Facing Documents”
        1. Draft/Approve/Release Process
        2. Public-Facing Documents Participants
      5. Evidence Discovery and Retention
        1. Criminal Prosecution
        2. Civil Litigation
        3. Managing Evidence
      6. Liaison with Local Law Enforcement
        1. XYZ Loss Prevention (LE Liaison)
        2. Law Enforcement Points of Contact (POC) (Tab I)
      7. Incident Containment, Eradication, and Recovery
        1. The XYZ (Data Compromise) CIRP SWAT Team
        2. Containment
      8. Eradication and Recovery
        1. Remediation
        2. Compensating Controls
      9. Disaster Recovery/Business Continuity
      10. CIRP Roles and Responsibilities
        1. Human Resources
    3. Chapter 7 Your Data Breach CIRP: Post Incident Planning and Maintenance
      1. Post-Incident Activity
        1. Incident Termination
      2. Plan Maintenance
        1. Overview
      3. Regular Updates
        1. Verification/Updates of Perishable Data
        2. Annual Testing of the Plan
  10. Part IV Plan Development: Malware
    1. Chapter 8 Your Malware Outbreak CIRP: Incident Preparation
      1. Foreword
      2. Plan Introduction
        1. Plan Objective
      3. Plan Execution and Command Topologies
      4. Plan Ownership
        1. Supporting Documentation
      5. Incident Preparation
        1. Isolation Points within the XYZ Enterprise
        2. Business Impact Overlay of Isolation Points
        3. ISOC Threat Portfolio
      6. Third-Party Support Services
        1. PCI Forensics Investigator (PFI)
        2. BXD LongSight Threat Management System
      7. Incident Detection, Analysis, and Declaration
        1. Sources of Precursors and Indicators
        2. ISOC Monitoring Feeds
        3. Field Services Responding to Malware Calls
        4. NOC, Service Desk, and Other Internal Sources of Detection
      8. Incident Threshold
      9. Incident Analysis
        1. Technical Impact
        2. Business Impact
      10. Incident Declaration
        1. Incident Notification and Mobilization
      11. Incident Documentation
    2. Chapter 9 Your Malware Outbreak CIRP: Plan Execution
      1. Plan Execution
        1. Organization and Roles
      2. Operational Sequencing
      3. Operational Priorities
      4. Operational Resources
        1. Synchronization and Decision Making
    3. Chapter 10 Your Malware Outbreak CIRP: Post Incident Planning and Maintenance
      1. Incident Termination
        1. Criteria for Terminating an Incident
      2. Plan Maintenance
        1. Overview
        2. Quarterly Updates
        3. Annual Testing of the Plan
    4. Chapter 11 Closing Thoughts
      1. New Age for InfoSec Professionals
      2. Paradigm #1: The New Consciousness of the Zero-Day Attack
      3. Paradigm #2: The Need for Transparent Due Diligence
      4. Paradigm #3: Consequence-Based Information Security
      5. Paradigm #4: The Constant Challenge of Change
      6. Paradigm #5: While We’re All Focusing on the Silicon-Based Systems, the Bad Guys Are Targeting the Carbon-Based Ones
  11. Part V Appendixes
    1. A Useful Online Resources
    2. B Computer Incident Response Plan (CIRP) Management Checklist
  12. Glossary
  13. Index