This feature first appeared in the Summer 2018 issue of Certification Magazine.
The security of an organization’s data is of prime concern in this age of endless hacking. Hardly a day goes by without the media reporting the breach of some organization or government agency. With so much at stake, it is little wonder that organizations devote so much of their finances to the defense of their data.
In many cases, those finances are directed toward the acquisition of hardware and software as well as to providing training for employees. Unless there are guidelines, rules, and procedures for employees to abide by, however, breaches can and will occur. The questions then facing organizations are a) what the rules should be, and b) how they should be developed and organized to be most effective.
Creating a sound policy
A common approach for establishing rules in an organization is to develop a thorough policy, augmented by a “playbook” to act as a go-to guide should a breach occur. There is often confusion when speaking about policies and a playbook. To be clear, a cybersecurity policy is a document that spells out in broad terms how an organization will protect its assets.
Among the many guidelines the policy will address are:
- What assets need to be protected
- What measures will be taken to provide that protection
- Who is responsible for assigned activities within an organization
- How data will be maintained and manipulated
- The assignment of passwords and levels of access by employees
- What constitutes appropriate internet usage by employees
- The installation and maintenance of firewalls
- What data will be backed up and where it will be stored
- Compliance with government regulations
- Analysis of risk management
- Establishment of an incident response team and responsibilities
Believe it or not, that’s just a starting point. A sound policy will address a host of other areas and responsibilities within the organization, from rules addressing removable devices to ransomware.
While policies are generally broad in their scope, a playbook is more focused. Much as a playbook in sports details exactly what each player should do in a particular instance, a security playbook provides highly detailed step-by-step actions that must be taken to minimize the impact of a security breach.
Individual circumstances require adaptation
It should be understood that while an off-the-shelf product for establishing a security policy or playbook can act as a base for an organization, no two enterprises are the same. “One size fits all” policy and playbook documents can, and usually do, require substantial “tweaking” to work effectively.
Some organizations have a great deal of assets to protect, while others may have only a small set of “crown jewels” that require protection. Some organizations require a high degree of interaction with the internet, while others need little contact, which greatly limits vulnerability.
Since each organization operates differently, the security that each will need varies, but can be addressed with a blanket policy that acts as a “strategic” defense against those with malicious intent. As outlined above, the “policy” that is adopted will provide top-level guidelines and specifications, but does not delve into the nuts and bolts of front-line tactics and responses. That’s what the playbook is for.
Drawing up the playbook
Once an organization has adopted an overall security policy, it’s time to develop an in-depth playbook that lays out the specifics of how to deal with intrusions. The playbook can take several forms, but should include an outline of actions taken before, during, and after an incident or event.
It may seem pessimistic to explicitly state “before an event” measures, but given that an intrusion will probably occur, it is better to be prepared than not prepared.
Before an Incident: Before a security breach occurs, an organization needs to designate a team of individuals who will be directly responsible for any actions related to overall security and any potential intrusion. This incident response team should include, but not be limited to:
- Chief Information Security Officer (CISO) — This is a senior leader, who reports to the CIO or CEO, and who will be responsible for all cybersecurity activities.
- IT Coordinator — This is a senior leader who will coordinate the security actions of the IT staff.
- PR/Media Coordinator — This individual will handle all media questions and communications.
- Legal Specialist — This individual is designated to be aware of legal issues and will direct and coordinate any legal response.
Once this team has been established, it will create a chain of command for the individuals who report directly to it should an incident occur.
This team will oversee the planning for measures that can forestall a breach, such as firewalls backed with an intrusion detection system, and develop a detailed plan of action that will be followed should an intrusion occur. That planning will include a step-by-step guide of the key activities that are to be taken following an intrusion.
The incident response team will also see to the training of employees, as well as practice responding to simulated intrusions, always seeking to improve overall response and minimize damage. Much of the training can center around the most common intrusions.
Strategies should address how to deal with discovered malware, ransomware, and defacement of the organization’s website, as well as unauthorized access by employees and non-employees, phishing attacks, distributed denial of service (DDoS) attacks, and SQL injection.
Each of these issues should be addressed, and a step-by-step response planned and practiced. The goal is for every member of the team and their subordinates to know exactly how to respond should a security breach occur.
During an Incident: When an incident occurs, the playbook should immediately be put into action. Communication and speed are the keys to minimizing damage. At this juncture, all of the planning, training, and simulating should come into practice as the members of the incident response team pull out the playbook, flip to the appropriate play (or response) and begin the process to negate the intrusion and minimize damage.
Communication should flow in all directions within the team, to the appropriate employees and staff, and to the media and applicable government and law enforcement agencies. If responders work together, follow the playbook, and openly communicate, the intrusion can be successfully addressed and damage to the organization’s property and reputation can be minimized.
After an Incident: After the incident, and as soon as remediation and cleanup have occurred, the team should studiously investigate what went right and what went wrong. The response, as dictated by the playbook, should be carefully evaluated via an AAR, or After Action Review. Anything discovered from the investigation should be noted as lessons learned in the playbook.
Items covered should include communication issues, the suspected cause of the breach, actions taken to address the breach, effectiveness and speed of those actions, the extent of damage caused by the breach, possible means by which that damage could have been minimized, effects on stakeholders, legal ramifications, and organizational compliance with governing rules and regulations.
Once these areas have been investigated, a determination can be made as to where improvements and investments can be made to forestall future attacks.
The security of digital assets will continue to be of prime concern for organizations and government agencies. The pace of cyberattacks by those with malicious intent has escalated in recent years and grown in sophistication over time. Businesses with sensitive data are going to be prime targets and need to protect their assets and reputation accordingly.
Developing a sound cybersecurity policy and playbook is vital to the success of that defense. Each organization is unique in how it operates, but all can benefit from increased cybersecurity awareness. Any organization that has an overall policy to dictate strategy and guidelines for all information security activities, as well as a detailed tactical-level playbook to guide incident response, is on sound footing.
Hackers and other digital malefactors will continue their assaults, and every organization needs to be prepared to protect its assets, its stakeholders, and its reputation.