When you're developing an incident response plan, the University of California put together a technical report that included some specific phases for the model of your incident response plan. The first phase is preparation, then incident identification, followed by containment, eradication, recovery, and lessons learned.

Part of what we have to do is gap analysis. Where are we today? What are our capabilities today? And where do we want to be? What are the processes that need to be approved, and the resources that we need, in order to achieve that future state for the incident response plan?

We start by doing a business impact analysis. We determine the loss to the organizational functions if an impact should occur that would cause that business function to be unavailable. We establish escalation processes. We identify the minimum resources that are needed for recovery. And then we prioritize which functions come up first.

What goes into a BIA? The business mission, the functions, dependencies, the different operations, and, if it is cyclical, what those cycles are. We estimate the impact for loss of that business function. We identify the resources and the activities that are needed to put that system back together, and whether there are any potential workarounds. And what they're willing to accept in terms of downtime; in other words, how much time do we have to recover that function?

What's the benefit of doing a BIA? We have an understanding of the amount of potential loss and the cost associated with it. We've raised the awareness of impact within the organization, and that will help us when we're putting together our plan, because our plan is going to help mitigate, to limit, that impact to the business function.

Having an escalation process in place is critical. You don't want to be sitting there spinning your wheels. If you come up against something that can't be done, let's kick it up to the next level of support. But how do we do that? What's the criteria for alerting senior management or the legal department or anyone like that? That the system is going to be down longer than we anticipated?

Help desk processes will help us identify security incidents. Something as simple as: you come in in the morning and the help desk is just overloaded with calls about the inability to connect to the network. That potentially could be an incident, and it needs to be looked at. We need to make sure that the help desk is on board and communicating with us.

Your management team and your response team have a number of different subgroups, if you will. We've got an emergency action group, we've got a damage assessment group, we've got a group that is involved with relocation if we have to go to an alternate site, and you've got a security team group. Every team member has to be appropriately trained and equipped in order to respond to incidents. They need special tools; in some cases, with forensics, those tools are not inexpensive. Some of them are very expensive.

From an incident notification process: how do we notify? How do we get notified? How do we notify senior management that there is a potential incident? That might be an alert coming from your SIEM system. That might be an alert coming from one of the devices that sends out an email or an instant message to a designated administrator.

What are some of the things that cause us to stay awake at night? What are the challenges? Lack of management support is probably at the top of the list. For most things, this is no exception. There's a disconnect; it's not aligned with the business goals and objectives. The other thing that I've seen in my career is that once you train somebody, let's say in forensics, as soon as you train them, they're gone. They go somewhere else, for more money, for more challenge, for a different job. There's a general lack of communication, and you have an incident response plan that is unwieldy; it is just too big.

What I'd like for you to do now: take a moment and identify one concept that would help the help desk in determining, is this just a normal call, or is this a potential incident response call? And then, why would that concept be appropriate to train the help desk people in?