ISACA CISM – Domain 04 – Information Security Incident Management Part 5

27. Personnel

All right, let’s take a look at the personnel for our incident management team. So I’ll call that the IMT. As you can see it down here. So here’s the thing. This shouldn’t be a temporary position. If we’re going to have a management team, those members, as I said, should be permanent and dedicated to the idea of incident management. If I decide to rotate people in every six months and rotate people out, which I’m not saying don’t train other people about incident management, but as part of the team, we’re going to start losing that corporate history. We’re going to start losing the people who made some of the original decisions and have, I guess you could say, less trained people in there.

And not only should that team have these people who are permanently dedicated, they should have a dedicated chain of command. Like I said, we have to have somebody that we can go to to make some crucial decisions. I used an example before that if you were on the trail of somebody hacking into one of your databases and you start making some decisions, or ask somebody to make a decision, which is should I block that hacker? Which would let them know that they were caught? Or should I try to contain that hacker, knowing they could do some more damage, maybe not severe damage, but use that extra time that we gave them for the opportunity of trying to track them down, perhaps catch them and even prosecute them.

So again, the team itself, as far as how you organize it, could be centralized. And these are pretty straightforward terms. They really are. Central IRT is where you have one team that handles all the incidences that’s usually probably in a small organization, a distributed IRT would have several teams that are responsible either for maybe a logical or maybe even physical segment of your infrastructure. Usually we would have these teams in a company that is geographically dispersed. Right? Because if my team is headquartered in Seattle and my incident is over in Miami, we’re going to have a tough time, aren’t we, trying to get them to respond, especially if it’s a physical concern.

A coordinating IRT would be a central team that can give guidance. So I could have a central team here, but they’re giving guidance to IRT teams that are located at these other spots. And then of course, we could also have an outsourced IRT, which could be comprised entirely of employees of the organization where only some of the information or some of the response is outsourced. It could actually be fully or partially outsourced, but that’s really a fancy way of saying it’s a third party that we would be in contact with to act as a part of our incident response.

28. Roles and Responsibilities (eNotes)

All right, so when we look at roles and responsibilities, often we might start off talking about having these at the top of the food chart. These members that we use for the security staff or like the high end, what do we call them, the upper echelon of our organization. And so their goal is usually, you know, if we were to talk about it, is to take responsibility for incident management. Generally, they probably approve the charter that is getting this plan together. They may even be the final decision maker. And that’s important. We need to know these roles and who’s going to be in those roles. Then we could move on down from there to the Information Security Manager.

This might be a person who’s the IMT leader and maybe the one who reports or finishes or takes the results and is responsible for communicating to the SSG. From there, another role of responsibility could be the Incident Response Manager. They’re usually what I would call the IRT leader. So remember, we could have these teams everywhere. We talked about them being centralized, coordinated, distributed. So that’s where we start seeing the people who the rest of your employees would interact with and deal with. But there’s still kind of a supervisory position and of course we would have all of them being making the plan, making the ideas of the response. And what do we say that we had to do from there, from the Incident Response Manager? What we said is that we had to have a variety of different incident handlers.

Now I’m trying to make that look as though the arrows are going out to several people because as I said, we may have people with specialties whose job is to take care of a specific incident and have all of the steps. They’re the ones that would perform the tasks to get that information done. And I’m going to put all of these together as kind of who’s in the team memberships as we go through there. Now the incident handlers may also have a variety of people that work as the investigators. And there of course that means that they would have to look at the investigative tasks to a specific incident. They’re the ones that probably help find or get to the root cause issues. And then finally we may have for all of them to use or again, a number of them, a security specialist.

So even though my organizational chart might not be as nice and neat as many of you would like, it’s sometimes harder to try to chart all of these relationships out because none of these are set in stone, that it has to be in this order. But the idea is to give you kind of a representation of what it would look like. So anyway, the It Security specialist again would be the one who does some of the more complex tasks. If I have a specific problem with a Windows server, I’m not going to go to my router specialist and ask them to start pulling out event logs or looking at certain things with file permissions or the way in which Active Directory is running, right. I’m going to have somebody who’s specific and has knowledge about that.

Now at this point, all of these people that I kind of put in here in this range would definitely be a part of my incident response team right from the management envelope. So they’d all fall into that setup. Now at some point, I said they all have to respond and let me put another bracket over here. So these are my first responders, the ones that are going to try to contain and limit the damage that’s being done and try to get things solved. But like I said, at some point we’re going to have to have a variety of different decision makers potentially. Or I’m going to have maybe a business manager who can help us in making the types of decisions depending on the department or the business that they’re running.

That means that they can make decisions on matters that are related to assets systems, and they’re going to be looking for the IRT recommends because they’re going to make their decisions based on information that is given to them. Remember, I said at the end of this, our goal is to be able to take the reports, make presentations, and get that information out there. And somewhere I need to have sometimes a spell check. But anyway, they’re going to get all of the results, right? I said that at some point they’re going to have results for us and that’s something that we can use as a business manager to be able to make decisions about what we’re going to do for perhaps the future. Now, the business manager may need some more information.

So they may have and be looking for an It specialist, somebody who is a specialist in different areas, providing them information to help them in making those decisions. Because of different regulations in the jurisdiction that your company works in, you may need to have legal advice to make sure that you’re following the right types of laws and regulations in your country. It may affect employee personnel. So you may have to have also information from HR. Depending on what happened, you could have had potentially some bad things happen that might cause a black eye for your company. So you might have some people in the public relations that are out there in your company trying to give you input to try to help eliminate some of those intangible types of bad public images.

Like if you’re the company who lost the 100 million credit cards of your customers, you may want to bring in, inside or outside people who might be into the Risk Management specialties to help you with going through and maybe reanalyzing your plans. And again, remember, part of risk could also be physical issues. So you may want somebody who is in charge of physical security if it’s maybe something like an issue of theft or if it’s the conditions around it might be a facilities manager. And again, the goal here is, can you tell? What we’re doing is we’re trying to get all of these different members who each have different roles and responsibilities to work together in providing information.

Especially, as I said, when it comes down to having to have somebody who’s got to make a decision. And they’re getting their information, as you can see, from a lot of different locations. Not only from the Incident Response team and their list of recommendations or their final findings, but then from all of these outside well, I say outside meaning outside of the IRT, they all could still be internal employees. But gathering information from all of these different points to be able to help effectively make decisions which could change the way in which you do Incident Response fonts in the future.

29. Skills

So as we take a look at some of the skill sets that we should look at for those members in the incident response Team, they should come from a variety of technologies. But I’ve been saying that consistently as we’ve gone through here, that it’s not just the people that run the firewalls that are taking care of the security stuff, it comes from all aspects of information science. One of the big things is that they should all have some sort of personal skills. And that’s big because there’s a big I feel like a football coach, a big t here for team. And that means that we have to have communication skills that is interpersonal with the other team members, the ability to communicate through at least email, if not through written documents or over the phone. But the big thing is here is that we have to act as a team. I’m just going to keep rewriting and saying that we’re team. Go team.

Because we are trying to respond to these different events in a way that is organized. We’re trying to respond in a way that we all work together to be able to deal with whatever hits us as far as the different ways in which we respond. Obviously, at least some of the people in there should have leadership capabilities. Now when I do talk about leadership and leadership skills, that means that we have to sometimes get support from other members of the organization, maybe for even those who are not on the team because sometimes we need to have more help. And again, when it comes back to the communication skills, I could probably make a list. Like I said, we had to talk to the other team members but kind of going with that idea of leadership, there may be other members on the It staff that we need to be able to communicate.

We certainly have to deal with the users, or at least who I should say reported this incident because we do have to be able to gather more information from them. And like I said so many other times, we might have to talk to HR, to our legal division, maybe to outside law enforcement as well, public relations teams who may be trying to take care of damage to the reputation. Obviously we need to have presentation skills because one of the things that I’ve said is that at some point we’re going to have a final report. We have to be able to send that information up to those at the top of the organizational chart or at least to business managers to help them with making decisions. We might have to not only do final reports, but actually do some sort of presentation.

Well, I guess that’s repeating the word. What’s a better word that I’m looking for here? Like a panel discussion. So we have to be comfortable in group talking or some public speaking. And as I’ve already said over and over again. There’s that word again, team. We have to remember that. We have to be productive. One of the things that I always notice is sometimes what I call the silo effect. The silo effect is where you may have members of a team that are from, let’s say, the firewall group, and they want to just deal with everything within that firewall group. There’s my silo. And they don’t want to communicate to people who are in the operating systems. Maybe they say, oh, you guys don’t know what you’re doing with security. You’re just running a bunch of servers and so that communication can break down.

We don’t want that. We want this to be an interactive collaboration back and forth with each other. And that’s really kind of important. If I were to try to list some other personal skills that might also be helpful, one of them is integrity. And integrity. I don’t want to say it’s like morals or ethics, but more the fact that we may end up working with sensitive information and you might be given some more escalated privileges to get a hold of information that the PR people would be absolutely frightened if you gave them that information, right? If you leaked it out to the news or tried to grandstand in some aspect. So we need to know that you are going to hold that information in confidence. Another thing, maybe self understanding.

So what do I mean by self understanding? Well, it’s okay to say I don’t know at all. And if you get to a point where you might be going outside of the expertise that you have, that it’s okay to get help. As I teach classes, one of the first things I tell students, I say, you know, please ask questions because you know, it’s your class. You want to ask those questions. And and I tell them I say jokingly, I say if I don’t know the answer to the question, I’ll make something up and say it authoritatively. But no, that’s a joke. And hopefully they take it as a joke because what it does is if I don’t know the answer and I go do the research and I come up with the answer, I learn something. It makes me smarter. That’s kind of a part of self understanding, I guess you could say.

Another skill that I would say that you need is problem solving. And that’s important because nothing is going to be in a cookie cutter approach. You’re going to be having to look at a lot of different issues, a lot of perhaps overwhelming amounts of data, and sometimes you have to think a little bit out of the box. And that’s an important aspect. And I’ve also said this many times, time management time is important to us. We’ve got to get these events cleared quickly. And so that’s maybe something else. A couple of other things I’d put in there as personal skills. All right, as far as the technical skills, nobody’s expected to be an expert on everything. And so you should have the appropriate types of skills in the technology that you use. At least, if anything, having a basic understanding.

If somebody were to come to me and tell me that they think there’s a problem perhaps with the voice over IP, all right, whether I’m an expert of voiceover IP or not, I should at least have a basic understanding of what that means.I mean, basically that’s saying that I’ve got two telephones or more that are connected on my usually ethernet network and that they usually have some sort of centralized call manager that they use to do call setups and then are able to communicate with each other through IP addresses, even though technically you’re dialing a phone number. And if I had at least that basic understanding, then conceptually it’s easier for somebody to explain to me what a problem is and perhaps I have the ability to add something to the conversation, being able to make decision points.

Okay, now again, that’s not always for everyone, right? I did say that at least we should have a team member that is able to do that for us. And of course, maybe any other supporting skills like just basic incident handling skills, being able to deal with the stress of having to work through these problems, or even if it’s not that kind of a supporting skill, maybe it’s a skill that you have with a special piece of software or hardware. For instance, if we’re looking at some sort of an attack, maybe you have a specific piece of hardware that can sniff the traffic on Wired network and that you know how to use and capture that information, maybe even analyze it sometimes. Call it like a protocol analyzer to be able to offer more information about the actual incident that’s going on.

30. Awareness and Education

Another aspect that we should look at is awareness and education. Now, what that means is, as we’re putting this team together you may have to actually train your employees to become experts. Meaning that they may have to go to specialized training or specialized types of vendor education, I guess still part of training to help them become experts within the organization that can be a part of the team and can help in the response to these different events. If not, you may have to contract with a third party to get their technical experts. Again, it really depends on the budget. It depends on the size of the organization.

I’ve certainly worked with some of the small companies, the 50 or fewer people that might have one or two people that take care of all of what we would call it. They would deal with the desktops, the servers, the network infrastructure, the security. And they may not be complete experts within each one of those. I mean, they have usually these people with a wide variety of knowledge. And it may be more feasible, rather than trying to get more people together and train them to be experts than it is for you to have your sometimes we call them VARs, your resellers or other contractors that can come in on an on call basis and act as that technical expert for you.

• Category: Uncategorized