1
00:00:06,750 --> 00:00:09,040
- [Lecturer] As you can imagine,

2
00:00:09,040 --> 00:00:10,890
when it comes to incident response

3
00:00:10,890 --> 00:00:13,240
there are many stakeholders involved.

4
00:00:13,240 --> 00:00:15,620
It is important to identify those stakeholders

5
00:00:15,620 --> 00:00:18,020
before an incident happens.

6
00:00:18,020 --> 00:00:22,010
According to NIST SP 800-61,

7
00:00:22,010 --> 00:00:23,830
it is important to identify groups

8
00:00:23,830 --> 00:00:27,220
within the organization that may need to participate

9
00:00:27,220 --> 00:00:28,730
in incident handling

10
00:00:28,730 --> 00:00:31,490
so that their cooperation can be solicited

11
00:00:31,490 --> 00:00:32,793
before it is needed.

12
00:00:33,630 --> 00:00:37,890
Every incident response team relies on the expertise,

13
00:00:37,890 --> 00:00:40,700
judgment and abilities of others,

14
00:00:40,700 --> 00:00:45,700
including management, information assurance,

15
00:00:45,780 --> 00:00:47,520
IT support,

16
00:00:47,520 --> 00:00:48,373
legal,

17
00:00:49,370 --> 00:00:50,280
public affairs

18
00:00:50,280 --> 00:00:51,670
and media relations,

19
00:00:51,670 --> 00:00:55,430
human resources, business continuity planning

20
00:00:55,430 --> 00:00:58,683
and physical security and facilities management.

21
00:00:59,750 --> 00:01:01,563
Let's dig into these a bit more.

22
00:01:02,710 --> 00:01:06,260
Management establishes incident response policy,

23
00:01:06,260 --> 00:01:08,060
budget, and staffing.

24
00:01:08,060 --> 00:01:11,900
Ultimately management is held responsible for

25
00:01:11,900 --> 00:01:15,960
coordinating incident response among various stakeholders,

26
00:01:15,960 --> 00:01:20,520
minimizing damage and reporting to Congress, OMB,

27
00:01:20,520 --> 00:01:24,433
the General Accounting Office (GAO) and other parties.

28
00:01:25,990 --> 00:01:28,770
Information security staff members may be needed

29
00:01:28,770 --> 00:01:32,300
during certain stages of incident handling: prevention,

30
00:01:32,300 --> 00:01:35,440
containment, eradication, and recovery.

31
00:01:35,440 --> 00:01:38,840
For example, to alter network security controls such as

32
00:01:38,840 --> 00:01:40,353
firewall rule sets.

33
00:01:42,340 --> 00:01:44,230
IT technical experts

34
00:01:44,230 --> 00:01:47,190
or system and network administrators

35
00:01:47,190 --> 00:01:49,890
not only have the needed skills to assist

36
00:01:49,890 --> 00:01:52,190
but also usually have the best understanding

37
00:01:52,190 --> 00:01:55,623
of the technology they manage on a daily basis.

38
00:01:58,350 --> 00:02:02,960
Legal experts should review incident response plans,

39
00:02:02,960 --> 00:02:07,540
policies, and procedures to ensure their compliance with law

40
00:02:07,540 --> 00:02:12,360
and federal guidance, including the right to privacy.

41
00:02:12,360 --> 00:02:15,450
In addition, the guidance of the general counsel

42
00:02:15,450 --> 00:02:18,300
or legal department should be sought

43
00:02:18,300 --> 00:02:21,810
if there's reason to believe that an incident

44
00:02:21,810 --> 00:02:25,530
may have legal ramifications, including evidence collection,

45
00:02:25,530 --> 00:02:29,630
prosecution of a suspect or a lawsuit,

46
00:02:29,630 --> 00:02:34,630
or if there may be need for a memorandum of understanding

47
00:02:36,670 --> 00:02:41,460
or other binding agreements involving liability limitations

48
00:02:41,460 --> 00:02:43,203
for information sharing.

49
00:02:46,170 --> 00:02:48,770
Public relations and media relations:

50
00:02:48,770 --> 00:02:51,840
depending on the nature of impact

51
00:02:51,840 --> 00:02:54,070
of an incident, a need may exist

52
00:02:54,070 --> 00:02:57,573
to inform the media and by extension the public.

53
00:02:59,440 --> 00:03:01,500
Human resources:

54
00:03:01,500 --> 00:03:04,790
if an employee is suspected of causing an incident,

55
00:03:04,790 --> 00:03:07,610
the human resources department may be involved,

56
00:03:07,610 --> 00:03:11,503
for example, in assisting with disciplinary proceedings.

57
00:03:13,220 --> 00:03:14,943
Business continuity planning:

58
00:03:16,000 --> 00:03:19,440
organizations should ensure that incident response

59
00:03:19,440 --> 00:03:21,180
policies and procedures

60
00:03:21,180 --> 00:03:24,353
and business continuity processes are in sync.

61
00:03:25,220 --> 00:03:28,970
Computer security incidents undermine the business

62
00:03:28,970 --> 00:03:30,983
resilience of an organization.

63
00:03:31,970 --> 00:03:34,250
Business continuity planning professionals

64
00:03:34,250 --> 00:03:37,630
should be made aware of incidents and their impacts

65
00:03:37,630 --> 00:03:41,970
so that they can fine-tune business impact assessments,

66
00:03:41,970 --> 00:03:46,890
risk assessments, and continuity of operations plans. Further,

67
00:03:46,890 --> 00:03:49,490
because business continuity planners have

68
00:03:49,490 --> 00:03:54,010
extensive expertise in minimizing operational disruption

69
00:03:54,010 --> 00:03:57,750
during severe circumstances, they may be valuable

70
00:03:57,750 --> 00:04:00,630
in planning responses to certain situations

71
00:04:00,630 --> 00:04:03,763
such as denial of service conditions.

72
00:04:04,840 --> 00:04:08,520
Lastly, physical security and facilities management:

73
00:04:08,520 --> 00:04:10,580
some computer security incidents occur

74
00:04:10,580 --> 00:04:12,630
through breaches of physical security

75
00:04:12,630 --> 00:04:16,920
or involve coordinated logical and physical attacks.

76
00:04:16,920 --> 00:04:19,720
The incident response team also may need access

77
00:04:19,720 --> 00:04:23,520
to facilities during incident handling.

78
00:04:23,520 --> 00:04:26,390
For example, to acquire a compromised workstation

79
00:04:26,390 --> 00:04:27,713
from a locked office.