albany bank corporation security incident management program

Post on 18-Jan-2018


DESCRIPTION

PROJECT OBJECTIVES

1. Create an effective security incident management program
2. Compliance with regulatory and industry standards
3. Identifying potential vendors
4. Implementation of roadmap

TRANSCRIPT

Albany Bank Corporation

Security Incident Management Program


CONSULTANTS

• Taurus Allen

• Destiny Dyer

• Marta Pelyo

• Daniel Post

• Michele Reina

• Robert Warshauer


PROJECT OBJECTIVES

1. Create an effective security incident management program
2. Compliance with regulatory and industry standards
3. Identifying potential vendors
4. Implementation of roadmap


AGENDA

• Project Approach
• Bank Profile
• Purpose of Security Incident Management Program
• Industry Regulations and Standards
• Explanation of Proposed Program
• Workflow
• Vendor Recommendations
• Roadmap


PROJECT APPROACH

Objective: To assist ABC with creating and recommending a security incident management program.

Research of Current Events, Weekly Status Report, Project Timeline, Peer Evaluations

Phase 1: Planning and Content Research

Phase 2: Content Development and Recommendations

Phase 3: Final Presentation and Preparation


BANK PROFILE

Overview:
• 20th largest bank in the United States
• Specializes in commercial, retail, investment banking
• Holds $50 billion of assets

Problems Facing Albany Bank Corporation:
• Well known hacking group breached security records
• Approximately 20 million customer records compromised
• ABC did not have a formal incident security program in place
• Reputational and financial losses


RECENT BREACHES

These breaches occurred due to lack of:
• Adequate cyber security
• Detailed incident response procedures
• Efficient detection/analysis and containment strategies


SECURITY INCIDENT MANAGEMENT OBJECTIVE

• Process of monitoring and detecting threats to a network

• Encompasses integrating IT management systems

• Identifies and prioritizes incidents based on business impact

• Used to protect confidential data

[Figure: NIST Cybersecurity Framework]


INDUSTRY REGULATIONS: FFIEC

Purpose: To develop and ensure uniformity of report forms, standards, and principles for financial institutions

Incident Management Requirements:

• Periodic risk assessments

• Layered security controls

• Member awareness and education

• Ad-Hoc activity monitoring

• Defined escalation protocols


INDUSTRY STANDARDS: ISO 27001-27002

Purpose: To provide a model for Information Security Management System

Incident Management Requirements:
• Management of information security risks
• Develop criteria for accepting risks and identifying level of risks
• Identify and evaluate options for treatment of risks
• Implement training and awareness programs


INDUSTRY STANDARDS: NIST 800-61 REV 2

Purpose: Computer Security Incident Handling Guide

Incident Management Requirements:
• Procedure for performing incident handling and communication

• Incorporation of response teams in incident handling process

• Reduce frequency of incidents


INCIDENT RESPONSE LIFECYCLE

Steps:
• Preparation
• Detection
• Analysis/Classification
• Containment
• Eradication/Recovery
• Post-Incident Activity


INCIDENT RESPONSE LIFECYCLE: PREPARATION

Checklist to ensure that all pivotal functions and procedures of incident response program are being performed


INCIDENT RESPONSE LIFECYCLE: PREPARATION

• Establish escalation procedures and response teams

• Improve educational awareness

• Training sessions

• Document procedure checklist

• Implement a playbook system

• Install malware protection software

• Create a simulated attack program to test response teams


INCIDENT RESPONSE LIFECYCLE: DETECTION

• C03 automated system
• Report incident: Ticketing System (Open Ticket Here)
• Triage Incident, based on:
  • Significance of the constituency
  • Experience of the incident reporter
  • Severity of the incident


INCIDENT RESPONSE LIFECYCLE: ANALYSIS/CLASSIFICATION

Impact: Measures the effect of an incident on the company

Level      Financial Ranges                  Users
Critical   Loss of more than $5 Million      Affects 76%-100%
High       Loss between $3 – 5 Million       Affects 51%-75%
Medium     Loss between $1 – 3 Million       Affects 25%-50%
Low        Loss of less than $1 Million      Affects 0-24%


INCIDENT RESPONSE LIFECYCLE: ANALYSIS/CLASSIFICATION

Urgency: Measures the effect an incident has on the core business functions

Level      Core Business Operations
Critical   Interferes with core business functions or loss of critical data
High       Interferes with non-core activities or functions that do not affect the entire company
Medium     Interferes with normal completion of work or tasks that are more difficult but not impossible to complete
Low        Interferes with non-business related use


INCIDENT RESPONSE LIFECYCLE: ANALYSIS/CLASSIFICATION

Response and Resolution Time for Incidents:

Incident Priority   Timeframe
Critical            Action within 1 hour; resolution within 1 day
High                Action within 2 hours; resolution within 2 days
Medium              Action within 1 day; resolution within 5 days
Low                 Action within 2 days; resolution within 7 days


INCIDENT RESPONSE LIFECYCLE: ANALYSIS/CLASSIFICATION

[Figure: Incident Classification Matrix; axis label: Impact]

Matrix Key:
• Critical: Red
• High: Black
• Medium: Gray
• Low: White
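As an added example that is not part of the slides, the impact, urgency and response-time tables above turned into a single triage function in Python. It assumes that priority is the worse of impact and urgency (the deck's classification matrix survives only as a colour key) and that a value on a range boundary falls into the higher band.

```python
# Added example, not from the deck: turns the impact, urgency and
# response-time tables into a repeatable triage function. Assumption:
# priority is the worse of impact and urgency (the matrix is only a colour key).

LEVELS = ["Low", "Medium", "High", "Critical"]            # ascending severity
MATRIX_COLOUR = {"Critical": "Red", "High": "Black", "Medium": "Gray", "Low": "White"}
# Response targets from the slide, in hours: (first action, resolution).
TIMEFRAME_HOURS = {"Critical": (1, 24), "High": (2, 48), "Medium": (24, 120), "Low": (48, 168)}
# Lower bounds of the Medium/High/Critical bands (boundary goes to the higher band: assumption).
LOSS_BANDS = [(5_000_000, "Critical"), (3_000_000, "High"), (1_000_000, "Medium")]
USER_BANDS = [(76, "Critical"), (51, "High"), (25, "Medium")]


def worst(*levels):
    """Most severe of the given levels."""
    return max(levels, key=LEVELS.index)


def band(value, bands):
    """First band whose lower bound the value reaches, else Low."""
    for lower, level in bands:
        if value >= lower:
            return level
    return "Low"


def impact_level(loss_usd, pct_users_affected):
    """Impact: the worse of the financial-loss and users-affected columns."""
    return worst(band(loss_usd, LOSS_BANDS), band(pct_users_affected, USER_BANDS))


def urgency_level(core_hit, noncore_hit, work_slowed):
    """Urgency from the core-business-operations table."""
    if core_hit:
        return "Critical"
    if noncore_hit:
        return "High"
    return "Medium" if work_slowed else "Low"


def classify(loss_usd, pct_users_affected, core_hit=False, noncore_hit=False, work_slowed=False):
    """Full triage record: levels, matrix colour and response targets."""
    impact = impact_level(loss_usd, pct_users_affected)
    urgency = urgency_level(core_hit, noncore_hit, work_slowed)
    priority = worst(impact, urgency)
    action, resolution = TIMEFRAME_HOURS[priority]
    return {"impact": impact, "urgency": urgency, "priority": priority,
            "colour": MATRIX_COLOUR[priority],
            "action_within_hours": action, "resolution_within_hours": resolution}


if __name__ == "__main__":
    # Constructed sample: $4M loss, 80% of users affected, core functions interrupted.
    print(classify(4_000_000, 80, core_hit=True))
```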


INCIDENT RESPONSE WORKFLOW


INCIDENT RESPONSE LIFECYCLE: DETECTION/ANALYSIS

Detection / Analysis Checklist:


INCIDENT RESPONSE LIFECYCLE: CONTAINMENT

• Sandbox method: Threat quarantined, assessed and monitored
• Freeze assets threatened
• Suspend network services
• Protect the chain of custody


INCIDENT RESPONSE LIFECYCLE: ERADICATION/RECOVERY

Checklist:
• What information is recoverable
• What information is permanently lost
• Timeline of recovery

Restore systems:
• Change passwords
• Tighten network
• Replace compromised files
• Install patches


INCIDENT RESPONSE LIFECYCLE: ERADICATION/RECOVERY

Eradication/Recovery Checklist:


INCIDENT RESPONSE LIFECYCLE: POST-INCIDENT

Perpetual loop of improvement:
• Improve technology
• Follow up report
• Lessons learned meeting
• Trend analysis team
• Communicate incidents to affected users

Post-Incident Checklist:


IDENTIFYING POTENTIAL VENDORS

Vendor Checklist:


IDENTIFYING POTENTIAL VENDORS


IDENTIFYING POTENTIAL VENDORS

Major Solutions Offered:
• Ticketing system
• Compliance of Security Incident Response Cycle
• Risk assessment
• Auditing
• Employee training
• Single user sign on
• Workflow
• Matrix
• Automatic response system
• Advanced layered security
• Risk management
• Compliance


SECURITY MANAGEMENT PROGRAM: ROADMAP

• Step I: 0-3 Months, Preparation
• Step II: 3-6 Months, Implementation
• Step III: 6-18 Months, Finalization


PHASE ONE: 0-3 MONTHS

• Research of regulation and standards
• Finalize business function requirements
• Implement response teams: red, black, gray, and white
• Perform vendor selection
• Effective escalation process (via use of teams)
• Manual management for short term security incident response program


PHASE TWO: 3-6 MONTHS

• Implement the selected vendor tools
• Implement the workflow
• Implement the tool for manual
• Define and document incident response plans
• Implement incident management and ticketing system
• Continuous management of any security incident


PHASE THREE: 6-18 MONTHS

• Perform security response testing/training
• Initiate a communication plan for the security incident management program for internal/external stakeholders
• Meets legal and regulatory standards
• Employee education and training
• Customer awareness
• Vendor training: Roles and responsibilities
• Trend analysis capability


MEASURE OF SUCCESS

• How fast was the incident contained?
• How quickly did Albany Bank Corporation recover from the incident?
• How well did Albany Bank Corporation mitigate their losses?
• How effective was Albany Bank Corporation’s communication of the incident?


NEXT STEP RECOMMENDATIONS

• Initiate Incident Response Program
• Quarterly assessment of risks
• Annual testing of response teams and procedures

We guarantee to help “Chase Risk Away”
