Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and Incidents to the SEC


SEC Cyber Security Reporting

©2011 DFLabs. Copyright, USA and EU Patent Pending Software. DFLABS srl, P.I. and C.F. 04547850968, cap.soc. 50.000 Euro i.v., Corso Magenta 43, 20123 Milano


Disclaimers

The information contained in this document is the proprietary and exclusive property of DFLabs except as otherwise indicated. No part of this document, in whole or in part, may be reproduced, stored, transmitted, or used for design purposes without the prior written permission of DFLabs. The information contained in this document is subject to change without notice.

NO WARRANTY: The information in this document is provided for informational purposes only. DFLabs specifically disclaims all warranties, express or limited, including, but not limited, to the implied warranties of merchantability and fitness for a particular purpose, except as provided for in a separate software license agreement.

NOT LEGAL ADVICE: The ideas and opinions in this document are not to be construed as legal advice.

About DFLabs

DFLabs is an ISO9001 certified company, specializing in Information Security Governance, Governance Risk and Compliance (GRC) and Business Security. Our mission is: Supporting Information Security Strategies and Guaranteeing Business Security. Proud of its professional experience, DFLabs provides consulting, services and technologies in the following areas: Network security, Information Security Strategy, Incident/Fraud Prevention and Response, Digital Forensics, e-discovery, Litigation Support, Infosec Training, Intrusion Prevention, Log and Vulnerability Management.

DFLabs is creator of the IncMan Suite, a comprehensive incident management solution. The IncMan Suite comprises three modules that can operate autonomously or in concert for a complete solution.

• Incident Manager (IMAN) is the integrated solution for the complete management of security incidents.

• Digital Investigation Manager (DIM) is digital evidence tracking software used in digital investigations. DIM has been designed and developed to be used for digital evidence process support during computer forensics and incident response operations.

• ITILity is a framework of best practices to manage IT operations and services. It is designed to provide a complete support solution, to streamline helpdesk processes.


Table of Contents

Executive Summary
Business Challenges
Solution Description
Important Features
Technical Details
Summary
More Information
Works Cited


Executive Summary

On October 13, 2011, the US Securities and Exchange Commission (SEC) published guidance regarding the obligations of companies registered with the SEC relating to cyber security risks and cyber security incidents. Although cyber security risks have always been a potential disclosure issue, this recently published guidance draws specific attention to the need of registrants to carefully analyze “if these issues are among the most significant factors that make an investment in the company speculative or risky.” [1]

In determining whether such disclosure is required, companies need to consider:

• Past Security Incidents

• The probability of security incidents occurring in the future, the magnitude of those risks, as well as the potential costs and consequences of those incidents

• The adequacy of the preventive actions taken to reduce cyber security risks

The SEC Guidance discussed in this paper provides several examples of cyber threats that can have a material impact on a company and that investors have the right to be made aware of.

However, public disclosure of cyber risk and incidents must be done carefully. The SEC guidance recognizes that detailed disclosures could provide a roadmap to an attacker. Company executives have the difficult task of weighing the obligation to provide timely and comprehensive information while preserving customer and investor confidence. The stakes of this balancing act are heightened by the litigious climate facing companies doing business in the US.

This document will cover the challenges of assimilating all of the threats and attacks that a company is exposed to so that a proper risk assessment can be performed. Proper disclosure cannot be performed without competent analysis of the risks identified during a risk assessment. Not every breach will need to be reported, as the majority will not have the potential for a material impact to the company [2]. Deciding which security incidents to disclose is another critical management decision and it must be made in a timely manner.

The DFLabs IncMan Incident Management Suite not only provides your organization’s incident handlers with a framework for managing cyber security incidents, it provides management with insightful information for understanding the organization’s cyber risk profile and incident response trends, including actual costs of historical and current incident response activities.


Business Challenges

Trade Secrets, Personally Identifiable Information, and Reputation

In today’s information-based economy, it can be argued that information is the primary fuel of wealth creation. Information, combined with financial and human capital creates the combustion of prosperity. Competitive advantage arises based on how effectively organizational management leverages these three types of resources. Trade secrets are the information that provides competitive advantage. Companies need to devote appropriate resources to safeguarding this information, so as to protect their competitive advantage.

In order for a company to do business, a modicum of trust must exist between the business and its customers. Each party to a transaction must trust that the transaction is fair. Some transactions require more trust than others, for example the trust relationship between a patient and a brain surgeon. Trust implies vulnerability. I do not have to trust you if I am not vulnerable to you [3]. To engage in most significant transactions, information must be exchanged, and the expectation is that the recipient can be trusted with the information.

The average consumer would rather not share intimate personal details with a large international organization but they will do so if they want the transaction to occur. Whether one is aware of it or not, the decision to trust and share personally identifiable information (PII) is based on a risk calculation that is part of our psychological hardwiring. An individual may not accurately perceive the risk [4] but it is clear that one’s experience and assessment of the other’s reputation are predominant factors in the decision making process [5].

To survive and thrive, organizations must diligently protect their trade secrets and those of their business partners. They must also safeguard the personal information entrusted to them by their customers. How effective an organization is at protecting these vital assets shapes its reputation and that reputation is a key factor in the growth or decline of a business.

Disclosure of Cyber Security Risks by Public Companies

Investing is another transaction that has inherent risk and is based on trust. The US Securities and Exchange Commission (SEC) has stated that, “The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” [1]


The SEC has noted that there is increased focus on the disclosure obligations of publicly traded companies and has issued a document called CF Disclosure Guidance: Topic No. 2 – Cybersecurity (hereafter referred to as “the guidance”). Perhaps this is a response to several high profile security breaches at large public companies. The guidance states in its introduction that, as dependence on digital technologies has increased, “the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents.” [1]

Attacks & Accidents

In general terms, the goal of an attack is to make the adversary’s resources more valuable to the attacker (theft, for example) or less valuable to the adversary (such as “denial of service”). Attackers have a variety of motivations. Understanding these motivations is an important part of threat assessment.

However, not all security incidents are motivated by ill will toward the organization. In fact, many security incidents are due to errors and omissions. [6]

Organizations must protect themselves from both attacks and accidents.

Confidentiality, Integrity, and Availability

Regardless of the motivation, a security incident will fall into one or more of the following categories:

• Threats to Confidentiality – A threat to confidentiality occurs when unauthorized access has been gained to a system containing secret information.

• Threats to Integrity – When a system has been attacked, users lose trust in the accuracy and reliability of the information contained therein.

• Threats to Availability – If users cannot access the information in a system, the value of that information is greatly diminished.


Risk, Vulnerabilities, and Threats

The common definition of cyber security risk is the likelihood that a threat will exploit a specific vulnerability. Risk management is the identification and prioritization of risks as well as the economical application of resources to reduce the impact of the adverse event. [7]

By way of example, the SEC guidance discusses a variety of deliberate and unintentional cyber-attacks on confidentiality, integrity, and availability. The document states that successful attacks might result in the victim organization incurring substantial costs and negative consequences, such as:

• Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;

• Increased cyber security protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;

• Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;

• Litigation; and

• Reputational damage adversely affecting customer or investor confidence.

Risks have to be prioritized because the cost of mitigating the risk cannot outweigh the cost of the adverse impact.

Determining What to Disclose

The SEC guidance discusses the specifics of disclosing risks in the various sections of the SEC forms that cover:

• Risk Factors
• Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
• Description of Business
• Legal Proceedings
• Financial Statement Disclosures


The disclosures must “adequately describe the nature of the material risks and specify how each risk affects the registrant [1].” Registrants are expected to evaluate their cyber security risks, considering all relevant information. The guidance specifically mentions:

• previous cyber security incidents and severity & frequency of those incidents;
• the probability of future cyber security incidents and the potential magnitude of those risks; and
• the adequacy of the countermeasures taken to reduce cyber security risks.

A founding partner of the Information Law Group stated, “One read of this guidance is that companies internally are going to have to more carefully forecast and estimate the impact of cyber incidents and the consequences of failing to implement adequate security. This analysis will go well beyond privacy-related security issues where most companies have focused (due to various privacy laws and regulator activity), and implicate key operational issues impacted by security breaches.” [2]

Avoiding Litigation

The stakes are very high. If a company does not adequately disclose cyber security risks, it is potentially exposed to lawsuits and sanctions from the SEC. However, disclosing details about prior security incidents can also open the company up to additional lawsuits. One thing is sure: teams of lawyers and accountants are looking at both sides of this issue¹, and plaintiffs will have no problems obtaining the funding to pursue class action lawsuits. [8]

¹ The introduction to the SEC guidance stated that a motive for publishing the guidance was that “there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws” [1].


Solution Description

Determination of Material Risks

In order for management to determine which cyber security risks should be disclosed per the SEC guidance, it is important that the organization have a comprehensive security management program. There are three facets of the program that will be the biggest sources of information to the disclosure decision-making process:

• Incident Handling Case Management
• Risk Assessments
• Operational Security

The IncMan Suite from DFLabs is a comprehensive incident management framework that has functionality to meet the needs of security governance programs particularly in these three areas. This functionality is discussed in the following sections, with a focus on the needs of the decision makers involved in SEC reporting.

Figure 1 – The IncMan Dashboard gives a visual indication of critical metrics.


Information on Past Security Incidents

The guidance states that historical security incident information is a consideration to be factored into the disclosure decision-making process. IncMan not only provides a workflow framework for an organization’s incident response team, it is also a repository of the team’s historical response activities. The IncMan Suite archives all case notes and evidence, preserving the chain of custody records. All cases are rated on a severity scale based on your organization’s criteria. Any lessons can be preserved with each case. All content is searchable.

A dashboard (see Figure 1) provides a high-level overview of aggregated case information, allowing managers to identify trends and see the financial impact of security incidents.

Probability & Impact of Future Security Incidents

While historical security incident information is an important factor in risk assessments, it provides only a partial picture because threats evolve rapidly. Security managers must also be aware of emerging attack trends, recently disclosed software vulnerabilities, as well as security incidents afflicting the organization’s industry peers.

One of the most important features of IncMan is its native support of the IODEF standard [9]. This capability allows IncMan to automatically receive incident reports from any CSIRT and create assignments for the organization’s response team to take preemptive actions.

The IncMan Suite allows security managers to assess the magnitude of risk, potential costs, and consequences of material threats to the organization.

Because all security incidents (internal and external to the organization) are catalogued according to the IODEF data model, security managers are able to use the dashboard and report wizard to characterize emerging security incident trends and project the potential financial impact to the organization.


Adequacy of Preventive Actions Taken to Reduce Risks

An important tenet of security is “prevention is important, but detection is a must!” Most secure organizations have adopted a defense-in-depth security philosophy with overlapping layers of preventive and detective security controls. The detective counter-measures are designed to raise an alert when a preventive control has failed or has been circumvented. Generally, the more rapid the response to the incident, the lower the cost will be.

The IncMan Suite can integrate with all security devices that support XML and the Common Event Format (CEF), such as all popular intrusion detection systems (IDS), intrusion prevention systems (IPS), and Security Event & Incident Management (SEIM) systems.

The data generated by IncMan will allow Security Managers to make an ongoing evaluation of the adequacy and cost effectiveness of the organization’s preventive and detective controls. As part of an operational security process, new procedures and incident response procedures are adapted to respond to organizational changes and evolving threats. These critical documents can be stored in the IncMan knowledge base for immediate access during an incident.

Supporting Documentation for SEC Disclosures

As stated in the Business Challenges section of this paper, cyber security risk and incident disclosures may impact reputation, investor and customer confidence, as well as have legal ramifications. For this reason, it is anticipated that organizations will develop written criteria for internal use as to what constitutes a material disclosure. Customized reports can be created to provide the supporting documentation for the SEC disclosures.

Discovery & Legal Evidence

The organization may become involved in legal action resulting from significant security incidents, either as a plaintiff or as a defendant. Corporate counsel can rest assured that all aspects of the incident response including artifacts and case notes are preserved in a forensically sound manner within the IncMan Suite. The suite provides for chain of custody tracking of all evidence and incorporates full support for digital forensic investigation activities.

Within the system, all activity is logged. Access to each case is controlled on a role-based, need-to-know basis as granted by a supervisor. When cases are closed, access can be revoked or changed to read only.


Important Features

The IncMan Suite is designed with the needs of enterprise incident response teams in mind. The following features make the system ideally suited to the challenge of disclosing material risks and incidents to the Securities and Exchange Commission:

• Workflow Management – Templates can be defined to pre-populate the security incident case record and tasks can be created and tracked.

• Dashboard – The configurable dashboard gives an overview of the incident response posture of the organization.

• Powerful Reporting – Reports can be customized to report exactly the information needed to support a material disclosure.

• GRC – Risk and compliance implications for every incident can be automatically directed to the appropriate management personnel.

• Preservation of Evidence and Chain of Custody – All activities are logged and all artifacts are preserved in a forensically sound manner.

• Knowledge Base – The knowledge base can be loaded with the organization’s policies, procedures, and criteria for a material disclosure.

• Case Activity Notifications – Email alerts can be configured to escalate incident cases to the appropriate level of management based upon severity.

• Automatic Integration with External Applications – Integration with Intrusion Detection Systems (IDS), Security Information Event Management (SIEM) systems, and all leading forensic tools. Examples include ArcSight, Netwitness, Access Data FTK, Solo III, X-Ways, Guidance Software Encase, PTK Forensics, RSA enviSion, Tableau and more.

The focus of this document is to highlight the value of the IncMan Suite to security executives who make cyber security disclosures to the SEC, but it should be emphasized that this value is derived from the fact that it is also an indispensable tool to the organization’s incident response team.


Technical Details

The IncMan Incident Management Suite is a secure web application designed to scale to the largest, geographically distributed enterprises. The system is provided as a virtual machine, a hardware appliance, or a multi-tiered cluster depending on the needs of the organization. Users access the system using a web browser or mobile device, such as an iPad. The user interface supports multiple languages.

Summary

This document shows how the DFLabs IncMan Incident Management Suite is well suited to support the needs of Security Executives that must disclose cyber security risks and incidents to the US Securities and Exchange Commission. Although only material risks must be disclosed, deciding what to disclose is a decision that has significant consequences and should be based on specific criteria.

The IncMan Suite is designed to support and coordinate the incident management activities of an entire enterprise while providing governance with the metrics needed to understand the organization’s cyber risk profile. The system can escalate situations to the appropriate levels of management when security incidents matching certain criteria occur or pre-defined thresholds are exceeded.

All historical costs and associated risks are tracked to allow for the reporting of the financial impact of incident response actions and the projection of future costs. This system helps security managers identify attack trends and assess the adequacy of the preventive measures that the organization is taking to reduce security risks.

While determining what to disclose to the SEC is still a tough executive decision, the IncMan Suite helps to facilitate the decision by providing the information that is critical to the decision making process.


More Information

To schedule a demonstration of the DFLabs IncMan Incident Management Suite or to learn more about our software products and services, contact Dale Wright at +01 410 381 4860, or email [email protected]. Visit our website at www.DFLabs.com.

Works Cited

[1] "CF Disclosure Guidance: Topic No. 2, Cybersecurity," Division of Corporation Finance, Securities and Exchange Commission, 13 October 2011. [Online]. Available: http://sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. [Accessed 24 October 2011].

[2] D. Navetta, "SEC Issues Guidance Concerning Cyber Security Incident Disclosure," Information Law Group, 14 October 2011. [Online]. Available: http://www.infolawgroup.com/2011/10/articles/breach-notice/sec-issues-guidance-concerning-cyber-security-incident-disclosure/. [Accessed 24 October 2011].

[3] C. McLeod, "Trust," The Stanford Encyclopedia of Philosophy, no. Spring 2011 Edition, 2011.

[4] D. Ropeik, How Risky Is It Really?, New York: McGraw-Hill, 2010.

[5] A. Partida and D. Andina, "Vulnerabilities, Threats and Risks in IT," in IT Security Management, vol. 61, Springer Netherlands, 2010, pp. 1-21.

[6] ITpolicyCompliance.com, "Taking Action to Protect Sensitive Data," March 2007. [Online]. Available: http://www.itpolicycompliance.com/research-reports/taking-action-to-protect-sensitive-data/. [Accessed 25 October 2011].

[7] D. W. Hubbard, The Failure of Risk Management, Hoboken, NJ: John Wiley & Sons, Inc., 2009.

[8] V. O'Connell, "Funds Spring Up to Invest in High-Stakes Litigation," 3 October 2011. [Online]. Available: http://online.wsj.com/article/SB10001424052970204226204576598842318233996.html. [Accessed 25 October 2011].

[9] R. Danyliw, J. Meijer and Y. Demchenko, "The Incident Object Description Exchange Format," December 2007. [Online]. Available: http://www.ietf.org/rfc/rfc5070.txt. [Accessed 8 November 2011].


DF LABS Srl, VAT and taxpayer number 04547850968
Address:
Rep. Office: Via Bergognone, 31, cap 20144 Milano, Italy
Labs: Via delle Macchinette, 27, 26013 Crema (CR), Italy
Tel: +39 0373-83196 / +39 0373-223716
Fax: +39 0373 387605 / +39 02-700424607
Email: [email protected]

DFLabs - North America and South America
Contact: Dale Wright
Email: [email protected]
Tel. +01 410 381 4860

DFLabs - Russia
Email: sales_russia@dflabs.com

DFLabs - Middle East, Dubai, UAE
Contact: Dennis Oommen
Email: [email protected]
Tel: +97150 5515 480


About The Author

Kenneth G. Hartman is a Solution Architect for DFLabs. Ken holds multiple security certifications, including a CISSP. Prior to coming to DFLabs, Ken was a Security & Privacy Officer for a Healthcare Informatics company. Contact the author at [email protected].

Publication Date: 12/7/2011 ©2011 DFLabs srl
