QUESTION
We purchased your new Ransomware Policy and Procedures. It is very comprehensive. We already have a policy for Ransomware; however, we are going to incorporate your policy into ours.
I am the Chief Compliance Officer and an attorney. In our case, we are a large bank with multiple business units, hundreds of branches, thousands of loan officers, a substantial online presence, and several affiliated entities.
We have an Information Security Office, an Information Technology Operations Center, and an Information Privacy Office. Our CISO and CPO oversee cybersecurity issues involving the network architecture, operating system architecture, business applications, online sales, and internal auditing.
As a large company, we have unique compliance needs. I would like your answers to several questions that we constantly ask one another. We would appreciate your feedback on these questions.
Who are the stakeholders of an incident response team?
What are the responsibilities of the incident response team?
What are the suggested notification levels of escalation involving a cyberattack?
ANSWER
Your mentioning of the offices under the CISO’s oversight in itself tells me that you have a challenging and highly articulated risk profile. You provided supporting information to your questions, which I have not included herewith. For the sake of the readership, some of your terminology may be new to them, so I will define certain nomenclature in the course of responding to your questions.
Let’s begin with the definition of a security breach. For the sake of brevity, I define a security breach as an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information. Ransomware endeavors to monetize that breach, where a hacker stealthily gets into a system and puts encryption controls in place that lock users out. Once that succeeds, the hacker demands money to "unlock" the data.
In a large company, protection from a security breach is guarded by various stakeholders. These individuals constitute a matrix of responsibilities, often through a “chain of command” configuration. Critical to countering a triggering event such as a ransomware demand is developing and maintaining an Incident Response Plan (“Plan”).
I define a Plan as a documented, clearly outlined, organized approach for handling any potential threat to computers and data, even, where necessary, taking appropriate action when the source of the intrusion or incident at a third party is traced back to the organization.
The Plan should identify and describe the roles and responsibilities of the Incident Response Team (“Team”). And the Team is responsible for putting the Plan into action.
The Team is established to provide a quick, effective and orderly response to computer-related incidents, such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, ransomware attacks, breach of personal information, and other events with serious information security implications. In short, the Team’s mission is to prevent a severe loss of profits, public confidence, or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks, or databases.
The kinds of security breaches that trigger the Plan include a breach of personal information, Denial of Service and Distributed Denial of Service, excessive port scans, ransomware attacks, firewall breaches, and virus outbreaks.
The Plan arrangement that you describe is consistent with large companies. It is the case that many large companies have a Plan that contains the personnel of the following offices, departments, and functions (“Stakeholders”):
- Information Security Office (“ISO”) (“Chief Information Security Officer” or “CISO”)
- Information Technology Operations Center (“ITOC”)
- Information Privacy Office (“IPO”) (“Chief Privacy Officer” or “CPO”)
- Network Architecture
- Operating System Architecture (“Operations Center”)
- Business Applications
- Online Sales
- Internal Auditing
So, based somewhat on your description, your Plan seems consistent with similar arrangements by large companies.
The Board or executive management must give the Team the requisite authority to take appropriate steps deemed necessary to identify, contain, mitigate, and resolve an adverse cybersecurity incident. Also, the Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting its findings to management and the appropriate authorities as necessary. The CISO coordinates the Team.
The Information Technology Operations Center is the central point of contact for reporting computer incidents or intrusions. The Operations Center notifies the CISO.
All computer security incidents must be reported to the CISO. The CISO performs a preliminary analysis of the incident and determines whether activating the Incident Response Team is appropriate.
With respect to the roles and responsibilities of the Team, I offer the following list based on the foregoing matrix of Stakeholders. It is certainly not meant to be comprehensive, but suggestive.
Information Security Office
- Determines the nature and scope of the incident
- Contacts qualified information security specialists for advice as needed
- Contacts members of the Incident Response Team
- Determines which Incident Response Team members play an active role in the investigation
- Provides proper training on incident handling
- Escalates to executive management as appropriate
- Contacts auxiliary departments as appropriate
- Monitors progress of the investigation
- Ensures evidence gathering, the chain of custody, and preservation are appropriate
- Prepares a written summary of the incident and corrective action taken
Information Technology Operations Center
- Central point of contact for all computer incidents
- Notifies the Chief Information Security Officer to activate the computer incident response team
Information Privacy Office
- Coordinates activities with the Information Security Office
- Documents the types of personal information that may have been breached
- Provides guidance throughout the investigation on issues relating to the privacy of customer and employee personal information
- Assists in developing appropriate communication to impacted parties
- Assesses the need to change privacy policies, procedures, and practices as a result of the breach
Network Architecture
- Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks
- Runs tracing tools such as “sniffers,”[i] Transmission Control Protocol (TCP)[ii] port monitors, and event loggers
- Looks for signs of a firewall breach
- Contacts the external Internet service provider for assistance in handling the incident
- Takes action necessary to block traffic from a suspected intruder
Operating Systems Architecture
- Ensures all service packs and patches are current on mission-critical computers
- Ensures backups are in place for all critical systems
- Examines system logs of critical systems for unusual activity
Business Applications
- Monitors business applications and services for signs of attack
- Reviews audit logs of mission-critical servers for signs of suspicious activity
- Contacts the Information Technology Operations Center with any information relating to a suspected breach
- Collects pertinent information regarding the incident at the request of the Chief Information Security Officer
Online Sales
- Monitors business applications and services for signs of attack
- Reviews audit logs of mission-critical servers for signs of suspicious activity
- Contacts the Information Technology Operations Center with any information relating to a suspected breach
- Collects pertinent information regarding the incident at the request of the Chief Information Security Officer
Internal Auditing
- Reviews systems to ensure compliance with information security policy and controls
- Performs appropriate audit test work to ensure mission-critical systems are current with service packs and patches
- Reports any system control gaps to management for corrective action
I found your question intriguing about escalating notification of a cybersecurity attack. Sometimes the path to the final decision maker is circuitous and time-consuming. During that interstitial period, the company may be unable to respond to the security threat effectively.
Using the outline I have set forth hereinabove, I think the “chain of command” escalation for notification should consist of the following layers.
Escalation Notification
Escalation - First Level
- Chief Information Security Officer (CISO)
- Data Processing Operations
- IT Audit Director
- Network Architecture Manager
- Online Sales Director
Escalation - Second Level
- Chief Information Officer (CIO)
- Chief Privacy Officer (CPO)
- Chief Audit Executive
Adjunct Members (as needed)
- Business Client Systems Manager
- Management of Client Department Affected by Incident
- Risk Management
- Legal
- Loss Prevention
- Public Relations
External Contacts (as needed)
- Internet Service Provider (if applicable)
- Internet Service Provider of Intruder (if applicable)
- Communications Carriers (local and long distance)
- Business Partners
- Insurance Carrier
- External Response Teams (as applicable)
- Law Enforcement
  - Local Police Force (jurisdiction determined by crime)
  - Federal Bureau of Investigation (FBI) (especially if a federal interest computer or a federal crime is involved)
  - Secret Service
Given the size, complexity, and risk profile of your organization, I suggest the following departments and functions should be part of the Notification Need to Know:
Notification Need to Know
- Information Technology Operations Center (viz., the central point of contact)
- Information Security Office
- Information Privacy Office
- Appropriate Client Systems Manager
- System Administrator(s) of the area affected by an incident
- Manager of the area affected by an incident
- Customer Database Manager
- Payment Systems Manager
- Legal Counsel
- Insurance Department (i.e., Cyber Insurance)
- Public Relations
- Online Sales Manager
- Employee Systems Manager (where appropriate)
- Network Architecture Manager
- Internal Auditing
- Risk Management (where appropriate)
- Loss Prevention (where appropriate)
- Executive VP and CIO (when the nature and impact of the incident have been determined)
- Chief Audit Executive
- Business Partners (if data has been compromised, and to avoid affiliate and downstream liability)
[i] A “sniffer” is a software or hardware tool that allows the user to “sniff” or monitor internet traffic in real time, capturing all the data flowing to and from a computer.
[ii] Transmission Control Protocol (TCP) is a communications standard that enables application programs and computing devices to exchange messages over a network. It is designed to send packets across the internet and ensure the successful delivery of data and messages over networks.