
Degree Objective #4

4.    Create a policy or procedure that addresses events such as: a disaster recovery plan, a business continuity plan, an incident response policy, an acceptable usage document, an information security policy, a physical security policy, assessments or troubleshooting procedures.

Incident Response
Tate Gentry
University of Advancing Technology

    In this paper I will discuss Incident Response, Business Continuity, Disaster Recovery, Computer Forensics, and Crisis Management. I will also explain how they relate to each other and how they all come together during a security breach.

    When dealing with a data breach of any magnitude, there are specific steps (before and after) that must be followed to ensure the safety of your customers and the eradication of the breach's source. The first step is preparation: this ensures that your employees and IT division are well trained and have the proper technology in place to detect a breach. It is also a good measure to conduct mock data breaches so that your team knows how to deal with any situation that should arise. The second step is identification: this ensures that you have a fast and effective way of detecting any issue that requires your team to respond. For example, having endpoint detection and response along with network traffic analysis will greatly benefit monitoring for suspicious network activity. The third step is data access and security: you need a way to log who has access to critical information and what changes are made. This can be done effectively with file server auditing software, which keeps logs of the users with access and shows when and what files are accessed and by whom.

    The fourth step is containment and intelligence gathering. This step contains the threat and stops any more data from being accessed or damage from being done. It is also the step in which everything needs to be logged on an incident response form. These records are essential to the process, as they will be needed in legal proceedings to potentially apprehend the cyber-criminal. The fifth step is the eradication and remediation phase, which happens after the breach has been contained and analyzed. This is when your team begins working on why it happened and plugging the hole. An often overlooked part of this step is notifying those affected, even if it requires a large-scale announcement. The sixth and final step is the recovery phase, where everything is set back to normal and systems are closely monitored to ensure nothing else has been compromised.
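The second and third steps above both depend on having access logs that a responder can actually review. The following added example, which is not part of the paper, shows the kind of triage a file server audit log makes possible: it parses a small set of constructed audit lines (the key=value format, the user names, the paths, the "authorized users per sensitive directory" policy, the business hours and the bulk threshold are all assumptions for illustration) and flags sensitive-file access by unauthorized users, access outside business hours, deletions, and one user touching many sensitive files in a row.

```python
"""Triage a file server audit log for access an incident response team
should look at first.  Added example: the log format, the policy table
and the sample lines are constructed assumptions, not the paper's own
material and not any particular auditing product's format."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample audit lines (assumed "timestamp user= action= path=" format).
SAMPLE_LOG = """\
2024-03-04T09:12:05Z user=asmith action=READ path=/shared/hr/handbook.pdf
2024-03-04T09:13:40Z user=bjones action=READ path=/finance/payroll_q1.xlsx
2024-03-04T23:41:02Z user=cdoe action=READ path=/finance/payroll_q1.xlsx
2024-03-04T23:41:05Z user=cdoe action=READ path=/finance/payroll_q2.xlsx
2024-03-04T23:41:09Z user=cdoe action=READ path=/finance/bank_accounts.csv
2024-03-04T23:42:11Z user=cdoe action=DELETE path=/finance/audit_trail.log
2024-03-04T10:02:17Z user=asmith action=WRITE path=/shared/hr/handbook.pdf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)

# Assumed policy: which users may touch each sensitive directory,
# the business-hours window (UTC, start inclusive, end exclusive),
# and how many distinct sensitive files by one user counts as "bulk".
SENSITIVE_PREFIXES = {"/finance/": {"bjones", "finance_svc"}}
BUSINESS_HOURS = (8, 18)
BULK_THRESHOLD = 3


def parse_audit_line(line):
    """Return a dict for one audit line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def parse_audit_log(text):
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    return [ev for ev in (parse_audit_line(l) for l in text.splitlines()) if ev]


def triage(events):
    """Return (user, reason, detail) findings a responder should review."""
    findings = []
    sensitive_paths_by_user = defaultdict(set)
    for ev in events:
        # Rule 1: access to a sensitive directory by a user not on its allow-list.
        for prefix, allowed in SENSITIVE_PREFIXES.items():
            if ev["path"].startswith(prefix):
                sensitive_paths_by_user[ev["user"]].add(ev["path"])
                if ev["user"] not in allowed:
                    findings.append((ev["user"], "unauthorized_sensitive_access", ev["path"]))
        # Rule 2: any access outside the business-hours window.
        start, end = BUSINESS_HOURS
        if not (start <= ev["ts"].hour < end):
            findings.append((ev["user"], "outside_business_hours", ev["path"]))
        # Rule 3: deletions are always worth a look (possible log tampering).
        if ev["action"] == "DELETE":
            findings.append((ev["user"], "deletion", ev["path"]))
    # Rule 4: one user touching many distinct sensitive files (bulk collection).
    for user, paths in sensitive_paths_by_user.items():
        if len(paths) >= BULK_THRESHOLD:
            findings.append((user, "bulk_sensitive_access", f"{len(paths)} files"))
    return findings


def users_to_investigate(findings):
    """Rank users by how many findings they generated."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    found = triage(parse_audit_log(SAMPLE_LOG))
    for user, reason, detail in found:
        print(f"{user:8} {reason:30} {detail}")
    print(users_to_investigate(found))
```

In the sample, `bjones` reads one payroll file during business hours and generates no finding, while `cdoe` reads three finance files and deletes a log at 23:41 UTC, so every rule fires for that user. The point for step 3 of the paper is that none of this is possible unless the audit trail records the user, the action, the path and the time for every access.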

    Every other topic I introduce from here on falls under one of the steps of proper incident response, and I use the steps to show when each thing should be done and how it all comes together. The first topic is crisis management. This falls under steps 4 and 5 and deals with how a crisis is handled from the moment it arises through removal and remediation. It is essential that any business has the necessary steps in place to ensure that a data breach is handled properly and documented. The next topic is computer forensics, which falls under step 4 and includes the intelligence gathering and documentation of the breach. It is essential that the digital footprint left behind by the attacker is analyzed, documented, and submitted to the police. Computer forensics can also be a part of step 5, as you may be looking for more information while removing and remediating the hole the breach came through.

    The third topic is business continuity. This is one major part that I believe must not be overlooked and must be handled properly. Mainly, it is essential to get everything back to working order FIRST, before notifying anyone. However, it is also extremely important to be transparent about the issue and to notify those affected, for example if sensitive customer data was accessed even for a second. It is the job of the company to relay any findings to the customers, not only to keep customers coming back but also to keep them feeling safe. Overall, there are many ways you can go about doing these things differently; however, be prepared for backlash if you decide to go about this differently. Just look at how Target handled their data breach. There was extreme anger from customers at the lack of transparency and information available on it. They also announced the breach before it was patched, which caused panic.
