
1 Develop and Implement a Security Incident Management Program
Create a scalable incident response program without breaking the bank.
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2015 Info-Tech Research Group Inc. V4

2 Table of contents
1. Title
2. Introduction
3. Project Rationale
4. Execute the Project/DIY Guide
   4.1. Phase 1: Prepare
   4.2. Phase 2: Operate
   4.3. Phase 3: Maintain & Optimize
5. Summary/Conclusion
6. Next Steps
7. Bibliography

3 Our understanding of the problem
This research is designed for a CISO who is dealing with the following:
- Inefficient use of time and money when retroactively responding to incidents, negatively affecting the revenue and workflow of the business.
- Resistance from management to adequately develop a formal incident response plan.
- A lack of closure of incidents, resulting in being re-victimized by the same vector.
This research will help you:
- Develop a consistent, scalable, and usable incident response program that is not resource-intensive.
- Formally track and communicate incident response.
- Reduce the overall impact of incidents over time.
- Learn from past incidents to improve future response processes.
This research will also assist business stakeholders who are responsible for the following:
- Improving workflow and managing operations in the event of security incidents to reduce any adverse business impacts.
- Ensuring that incident response compliance requirements are being adhered to.
This research will help them:
- Efficiently allocate resources to improve incident response in terms of incident frequency, response time, and cost.
- Effectively communicate expectations and responsibilities to users.

4 Insurance company put incident response aside, execs unhappy
Situation: The organization implemented ITIL, but formal program design became less of a priority and turned more ad hoc. Ad hoc processes created management dissatisfaction around the organization's ineffective responses to data breaches. Because of the lack of formal process, an entirely new security team needed to be developed, costing people their positions.
Challenges:
- Lack of criteria to categorize and classify security incidents.
- The need to overhaul the long-standing but ineffective program means attempting to change mindsets, which can be time consuming.
- Help desk not very knowledgeable about security.
- The new incident response program needs to be in alignment with the data classification policy and business continuity.
- Lack of integration with the MSSP's ticketing system.
Next steps:
- Get stakeholder buy-in for a new program.
- Begin to establish classification/reporting procedures.
Follow this case study to Phase 1.

5 It's only a matter of time before you will be dealing with a security incident
Prepare for inevitable security incidents that can easily turn into costly security breaches.
Security Event: An observable occurrence in a system or network. E.g. a user logs into a network; a password attempt fails.
Security Incident: A security event that compromises the confidentiality, integrity, or availability of an information asset. E.g. 20 failed password attempts in the same minute.
Security Breach: A security incident that is severe enough to result in the disclosure or potential exposure of data, requiring notification to affected parties.
Security Incident Response: A systematic process to mitigate the impact of security incidents and to remediate the affected system(s).
Being prepared for incident response is one of the most effective methods of reducing damage.
- Average cost of a data breach: $140 per record lost or stolen.
- Cost of a breach is reduced by an average of $12.77 per record when an incident response plan is implemented. (Source: Ponemon Institute, Cost of a Data Breach, 2014)
- 91% of companies surveyed had at least one external IT security incident.
- 85% of companies surveyed had at least one internal IT security incident. (Source: Kaspersky Lab, 2013)
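The event-versus-incident scale on this slide, as an added illustration that is not part of the presentation: the script triages constructed authentication log lines, treating every parsed line as a security event and escalating a user's one-minute bucket to a security incident at the slide's figure of 20 failed password attempts. The log format, the field names, and reading the threshold as a per-user-per-minute rule are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Slide 5's scale: one failed password attempt is an event; 20 failures in the
# same minute is an incident. Whether an incident is also a breach (data exposure
# that triggers notification duties) is a human and legal judgement, so the
# triage stops at the incident level.
INCIDENT_THRESHOLD = 20          # per user, per minute (assumed rule)

# Assumed log format: "YYYY-MM-DD HH:MM:SS LOGIN_OK|LOGIN_FAIL user=<name> ...".
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} "
    r"(?P<outcome>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+)"
)

@dataclass(frozen=True)
class Incident:
    user: str
    minute: str      # "YYYY-MM-DD HH:MM" bucket in which the failures clustered
    failures: int

def triage(log_lines, threshold=INCIDENT_THRESHOLD):
    """Return (event_count, incidents). Every parseable line is a security event;
    a (user, minute) bucket holding >= threshold failures is a security incident."""
    events = 0
    failures = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # unparseable lines are skipped, not counted as events
        events += 1
        if m["outcome"] == "LOGIN_FAIL":
            failures[(m["user"], m["minute"])] += 1
    incidents = [Incident(user, minute, n)
                 for (user, minute), n in sorted(failures.items()) if n >= threshold]
    return events, incidents

def constructed_log():
    """Constructed sample (not real data): one normal login, three scattered
    failures for alice in different minutes, 20 failures against bob inside the
    minute 09:15, and one junk line that must not be counted."""
    lines = ["2015-03-02 09:14:03 LOGIN_OK user=alice src=10.0.0.5"]
    lines += [f"2015-03-02 09:1{i}:30 LOGIN_FAIL user=alice src=10.0.0.5" for i in range(4, 7)]
    lines += [f"2015-03-02 09:15:{s:02d} LOGIN_FAIL user=bob src=10.0.0.7" for s in range(20)]
    lines.append("garbage line that should not count")
    return lines
```

Calling `triage(constructed_log())` reports 24 events and a single incident for bob; alice's three failures never share a minute, so they stay at the event level.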

6 Incident response management is a key component of the foundation of any comprehensive security strategy
Incident response management is fundamental in providing clear accountability, ownership, and defined processes for a mature information security program.
[Figure: security services framework. Security Analytics. Security Governance Services: security policies, information risk management, InfoSec compliance, incident response; staffing, training, organization, policy, architecture. Network Security Services: NGFW, IDPS, network DLP, NAC, etc. Identity Security Services: IdM, SSO, MFA, UP/DP, etc. Asset Security Services: data, endpoints, apps. Mega trend mappings: cloud, mobility, big data, consumerization/BYOX. Advanced Persistent Threat Protection.]

7 Executive Summary
Situation: Security incidents are inevitable, but how they're dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
Complication: The incident response of most organizations is ad hoc, at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources. Tracked incidents are often classified into "out-of-the-box" categories that are not necessarily applicable to the organization; with so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks. Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents and leading to being re-victimized by the same vector. Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.
Resolution: Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.
Info-Tech Insight:
- Organizations can't rely on "out-of-the-box" classifications anymore. They're too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
- Results of incident response must be analyzed, tracked, and reviewed regularly. Otherwise a lack of comprehensive understanding of trends and patterns regarding incidents leads to being re-victimized by the same vector.
- Establish communication processes and channels well in advance of a crisis. Don't wait until a state of panic.
- Collaborate and share information mutually with other organizations to stay ahead of incoming threats.

8 Workshop overview
This workshop can be deployed as either a four- or five-day engagement depending on the level of preparation completed by the client prior to the facilitator arriving onsite. The light blue slides at the end of each section highlight the key activities and exercises that will be completed during the engagement with our analyst team. Contact your account representative or email Workshops@InfoTech.com for more information.
Day 1: Workshop preparation: review existing incident management documentation.
Day 2: Morning: assess needs via the Incident Management Checklist; customize the Stakeholder Proposal Template; customize the Incident Management Policy. Afternoon: identify members of the Security Incident Response Team; customize the Incident Management Guide.
Day 3: Morning: introduce security incident use cases; prioritize development of use case documents. Afternoon: develop use case documents.
Day 4: Morning: identify key metrics to track; determine the reassessment plan. Afternoon: customize communication templates for internal use; introduce external communication plans.
Day 5: Workshop debrief: finalize and review documents. Next steps: schedule a review call; schedule a follow-up call with analysts to discuss progress three months out.

9 There is more value in security incident management than just increasing security
This blueprint applies to you whether you need to develop an incident response plan from scratch or you are updating and optimizing your current strategy.
Impact:
- Increased operational efficiency in terms of asset management, change control, etc.
- Reduced probability of large breaches
- Improved standardization of data collection
- Increased accountability
- Enhanced overall security posture
- Better prepared for auditing and compliance requirements
Value of developing security incident management:
- Short term: Streamline the process of formalizing an incident management program customized to your organization-specific needs. Respond faster and more effectively by leveraging a mature process rather than starting from scratch.
- Long term: Once the program is in place, damage will be minimized. As incidents are properly tracked, analyzed, and handled according to a well-defined process, potential breaches will be reduced to minor incidents.
Value of Info-Tech's Security Incident Management blueprint:
- Classification standards
- Improved detection and identification processes
- Application of intelligence gathered from previous incidents, leading to continuous improvements
- Templates to document accountability and post-incident metrics
- Strategy around incident identification, mitigation, and post-mortem
- Process around effective maintenance and optimization of your incident response operations

10 Incident management is essential to organizations of every size
Your incidents may differ, but a standard response ensures practical security.
Certain regulations and laws require incident response to be a mandatory process in organizations. Compliance standard examples:
- FISMA (http://csrc.nist.gov/drivers/documents/FISMA-final.pdf): Organizations must have "procedures for detecting, reporting, and responding to security incidents." (2002) They must also "inform operators of agency information systems about current and potential information security threats, and vulnerabilities."
- Federal Information Processing Standards (FIPS) (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf): "Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities."
- PCI-DSS v3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf): 12.5.3: "Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations."
- Health Insurance Portability and Accountability Act (HIPAA) (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf): 164.308, Response and Reporting: "Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes."
Security incident management is applicable to all verticals. Examples: finance, insurance, health care, public administration, education services, professional services, scientific and technical services.

11 Info-Tech offers various levels of project support to best suit your needs
- DIY Toolkit: "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
- Guided Implementation: "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
- Workshop: "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
- Consulting: "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
The options are arranged by Info-Tech involvement and degree of customization. Diagnostics and consistent frameworks are used throughout all four options.

12 Info-Tech Research Group helps IT professionals to:
- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions – fast
- Deliver critical IT projects, on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department
Sign up for a free trial membership to get practical solutions for your IT challenges: www.infotech.com
"Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment." - ARCS Commercial Mortgage Co., LP
Toll Free: 1-888-670-8889