craft your cyber incident response plan (before it's too late)

© 2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.

Upload: co3-systems

Posted on 18-Nov-2014

Page 1: Craft Your Cyber Incident Response Plan (Before It's Too Late)


Cyber Incident Response

Page 2

Agenda

§  Introductions
§  Cyber Incident Response
    –  The process
    –  Tips for getting it right
§  Today’s reality with breaches – CSO versus CPO
§  Q&A

Page 3

Introductions: Today’s Speakers

§  Gant Redmon, GC and VP Business Development, Co3
    –  Former CPO of Arbor Networks, Inc.
    –  General Counsel for 12 years
§  Ellen Giblin, Privacy Counsel, Ashcroft Law Firm
    –  Internationally-recognized expert in privacy, data breach, data protection, cyber security, and information management
    –  Privacy Counsel at Littler Mendelson P.C.
    –  Privacy Officer for Citizens Financial Group

Page 4

CYBER INCIDENT RESPONSE PLANS

Page 5

Cyber Incident Response Plans

§  Every company should develop a written cyber incident response plan
    –  Not only is it a good idea, some regulations require it
§  The plan should document cyber attack scenarios and define appropriate responses
§  The plan should include:
    –  Response team
    –  Reporting
    –  Initial response
    –  Investigation
    –  Recovery and follow-up
    –  Public relations
    –  Law enforcement

Page 6

Cyber Incident Response Team

The response team should:

•  Identify and classify cyber attack scenarios
•  Determine the tools and technology used to detect attacks
•  Develop a checklist for handling initial investigations of cyber attacks
•  Determine the scope of an internal investigation once an attack has occurred
•  Conduct any investigations within the determined scope
•  Address data breach issues, including notification requirements
•  Conduct follow-up reviews on the effectiveness of the company's response to an actual attack

Page 7

Discovery and Reporting of Cyber Incidents

§  Define procedures for cyber attack discovery and reporting, including:
    –  Team members who monitor industry practices to ensure that:
        •  information systems are appropriately updated; and
        •  information systems are instrumented to allow for early discovery of attacks
    –  A database to track all reported incidents
    –  A risk rating to classify all reported incidents (e.g. low, medium, or high) and facilitate the appropriate response

Page 8

Initial Response to a Cyber Attack

•  Conduct a preliminary investigation to determine whether a cyber attack has occurred
•  Follow the investigation checklist set out in the cyber incident response plan
•  The initial response varies depending on the type of attack and level of seriousness. However, the response team should aim to:
    •  Stop the cyber intrusion from spreading further into the company's computer systems
    •  Appropriately document the investigation

Page 9

Investigating a Cyber Attack

§  A formal internal investigation may be required depending on:
    –  the level of intrusion
    –  its impact on critical business functions
§  An internal investigation allows the company to:
    –  Fully understand the intrusion
    –  Improve its chances of identifying the attacker
    –  Detect previously-unknown security vulnerabilities
    –  Identify required improvements to IT systems
§  If the company's response team or IT department lacks the capacity or expertise to conduct an internal investigation, the company may wish to retain:
    •  Legal counsel
    •  A cyber security consultant

Page 10

Common Cyber Attack Scenarios

•  Cyber attacks often fall into one or more common scenarios
•  Anticipate and prepare for these common scenarios in advance and provide preliminary investigatory questions for each
•  Obtaining fast and accurate answers to these questions helps shape and expedite the investigation

Page 11

Recovery and Follow-Up After a Cyber Attack

§  Address the recovery of IT systems by both:
    –  Eliminating the vulnerabilities exploited by the attacker and any other identified vulnerabilities
    –  Bringing the repaired systems back online
§  Once systems are restored:
    –  Determine what improvements are needed to prevent similar incidents from recurring
    –  Evaluate how the response team executed the response plan

Page 12

The Role of the CPO in a Breach

§  Understand the efforts underway by security staff to ‘plug the gaps’ and restore integrity
§  Realize that there may be a conflict of interest
§  Know how to align and satisfy all of your organization’s requirements

Page 13

Suggestions

§  Working with Security in advance is vital; knowing where the tensions are, and what you’ll do to resolve them, is key to success
§  Early triage is critical to determining if PI has been exposed
§  Establish executive support in advance of a breach for anything that may look contentious
§  Have a clear process that coordinates activities across multiple groups to ensure an efficient organizational response
§  Conduct dry runs, simulations or tabletops – they will illuminate where there are potential issues – make sure to test out multiple scenarios

Page 14

Security and Privacy – the Yin and the Yang

[Diagram: Cyber Incidents (•  Cyber breach •  DDoS •  Malware, etc.) feed a CISO-Driven Response; once PII is exposed, a CPO-Driven Response is also triggered; by aligning objectives the two become a Combined Response.]

§  IT/Security: protect the integrity and continuity of business operations
§  Privacy: protect customers and employees

Page 15

5 Rules for Working With Your CSO

§  Rule #1: Know Your History
    –  The modern-day CSO has been around about the same amount of time as the CPO
    –  The CPO title came about in the mid to late 90s with the advent of GLB and HIPAA
    –  The CSO title (as opposed to the CISO title) arose after 9/11 with the increased focus on security
    –  The CPO role weakened following 9/11 but has strengthened as personal information becomes the basis of corporate value

Page 16

5 Rules for Working With Your CSO

§  Rule #2: Accept Your Co-Dependence
    –  Privacy and Security are intertwined. You can have security without privacy, but you can’t have privacy without security
    –  You can promise not to share information, but that doesn’t do much good if any hacker can just steal it
    –  There’s no responding to a data breach if you don’t know about it or you can’t identify what information has been accessed
    –  IT is generally the real first responder. They are the ER triage of data breach response

Page 17

5 Rules for Working With Your CSO

§  Rule #3: Empathize with Your CSO
    –  CSOs stockpile data. CPOs are minimalists. Show your CSO the advantages of cleaning house
        •  Data retention policy compliance
        •  eDiscovery advantages
        •  Less exposure if a breach occurs, because there is less sensitive data available
    –  Follow the Data
        •  The CSO knows the flow of data within the organization. You need to work with the CSO to understand this flow and do your job
        •  Once you understand the flow of data, you can compare it to the business process that drives that flow
        •  With an understanding of the flow of data and the business process, you can make suggestions that take into consideration the value proposition of the use of customer data
        •  Many companies see the role of CPO as driving internal process improvement
    –  Privacy can be an unnatural act for the CSO
        •  The CSO is charged with protecting the perimeter
        •  The CPO may be asking the CSO for “holes below the waterline” in the perimeter for purposes of information owner inspection and verification

Page 18

5 Rules for Working With Your CSO

§  Rule #4: Stop Talking “Privacy”
    –  Privacy is a loaded word. It’s like saying “conservative” or “liberal.” Use a word your CSO and others can rally around.
    –  Call it “Information Governance”
        •  Information governance encompasses information management, security, use, and data strategy
        •  Information governance can refer to a lifecycle: how we create information, how we keep it safe, secure and accessible during its lifecycle, and how we thoughtfully dispose of it
    –  Information governance rings true with the legal department
        •  Can refer to data retention and eDiscovery
        •  Positions you as a bridge between the GC and CSO
        •  GCs didn’t go to law school because of their engineering prowess. Give them a hand

Page 19

5 Rules for Working With Your CSO

§  Rule #5: Keep Your Head Out of the Boat
    –  A CSO’s role is largely inward looking. They must protect corporate assets and keep the system running
    –  The CPO’s role is outward facing because they act as the customers' and employees' advocate within the company
    –  Customer/client advocacy translates to corporate revenue. Ask yourself what other department uses this argument to drive change within your organization
    –  The CPO must be business savvy and navigate the conflicting interests of business needs, customer expectations and legal requirements
    –  If the CPO can prove him or herself to be an ally of management in the balancing of concerns, then that CPO will be embraced by those above
    –  If the CPO is embraced by the management team, the CPO is more likely to have a good working relationship with the CSO

Page 20

5 Rules for Working With Your CSO

§  Bonus Rule #6: Embrace Technology to Improve Processes and Efficiency
    –  CSOs make their careers out of using software to improve process – conversations will go well if you speak their language
    –  CSOs can use software as “breach triage” as well as for escalating events to the CPO
    –  Using software to diagnose an event makes the outcome and action plan both objective and quantifiable. These are traits valued by both the GC and CSO
    –  Build a dashboard. CSOs love them as a way to stay in the loop and remain part of an incident response
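As an added illustration of the "breach triage" software and dashboard this slide describes, together with the incident-tracking database and low/medium/high risk rating from page 7 and the PII-exposed escalation from page 14, here is a small Python example. It is not part of the deck and is not Co3's product; its field names, scoring thresholds, action strings and sample incidents are assumptions made for the illustration.

```python
"""Added example (not from the Co3 deck): a minimal incident tracker that
records reported incidents, assigns a low/medium/high risk rating, and decides
whether the response is CISO-driven or a combined CISO + CPO response.
Field names, thresholds and action strings are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class Incident:
    incident_id: str
    scenario: str            # assumed labels, e.g. "malware", "ddos", "cyber breach"
    systems_affected: int    # number of systems confirmed involved
    pii_exposed: bool        # result of early triage: was personal information exposed?
    business_critical: bool  # does the incident hit a critical business function?
    reported_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def rate_risk(inc: Incident) -> Risk:
    """Assumed rating rule: PII exposure or a critical-function hit is HIGH,
    an incident spanning more than one system is MEDIUM, otherwise LOW."""
    if inc.pii_exposed or inc.business_critical:
        return Risk.HIGH
    if inc.systems_affected > 1:
        return Risk.MEDIUM
    return Risk.LOW


def response_path(inc: Incident) -> str:
    """Who owns the response: security alone, or security plus privacy once
    PII exposure is confirmed (the page 14 split)."""
    return "combined (CISO + CPO)" if inc.pii_exposed else "CISO-driven"


def escalation_actions(inc: Incident) -> list:
    """Action plan derived only from the rating and path, so identical inputs
    always yield the same (objective, quantifiable) plan."""
    actions = ["open ticket", "run initial investigation checklist"]
    risk = rate_risk(inc)
    if risk is not Risk.LOW:
        actions.append("contain: isolate affected systems")
    if inc.pii_exposed:
        actions.append("escalate to CPO: assess notification requirements")
    if risk is Risk.HIGH:
        actions.append("notify executive sponsor")
    return actions


class IncidentDatabase:
    """In-memory stand-in for the incident tracking database the deck calls for."""

    def __init__(self) -> None:
        self._rows: dict = {}

    def report(self, inc: Incident) -> dict:
        row = {
            "incident": inc,
            "risk": rate_risk(inc),
            "path": response_path(inc),
            "actions": escalation_actions(inc),
            "status": "open",
        }
        self._rows[inc.incident_id] = row
        return row

    def close(self, incident_id: str) -> None:
        self._rows[incident_id]["status"] = "closed"

    def dashboard(self) -> dict:
        """Counts of open incidents by risk rating and by response path."""
        by_risk = {r.value: 0 for r in Risk}
        by_path: dict = {}
        for row in self._rows.values():
            if row["status"] != "open":
                continue
            by_risk[row["risk"].value] += 1
            by_path[row["path"]] = by_path.get(row["path"], 0) + 1
        return {"by_risk": by_risk, "by_path": by_path}


# Constructed sample incidents (not real data).
SAMPLE = [
    Incident("INC-001", "malware", systems_affected=1, pii_exposed=False, business_critical=False),
    Incident("INC-002", "ddos", systems_affected=4, pii_exposed=False, business_critical=False),
    Incident("INC-003", "cyber breach", systems_affected=2, pii_exposed=True, business_critical=False),
]


def demo() -> dict:
    """Report the samples, close the first, and return the dashboard counts."""
    db = IncidentDatabase()
    for inc in SAMPLE:
        db.report(inc)
    db.close("INC-001")
    return db.dashboard()


if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, rate_risk(inc).value, response_path(inc), escalation_actions(inc))
    print(demo())
```

The point of the structure is that the rating and the action list are functions of recorded facts only, which is what makes the outcome reproducible across the CSO, CPO and GC; the real thresholds would come from the organization's own plan.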

Page 21

Questions

Page 22

Thanks!

Gartner: “Co3 …define(s) what software packages for privacy look like.”

1 Alewife Center, Suite 450 Cambridge, MA 02140 ph: 617.206.3900 e: [email protected]

www.co3sys.com

1100 Main Street, Suite 2710 Kansas City, MO 64105 ph: 816.285.7600 e: [email protected]

www.ashcroftgroupllc.com/law/