Cyber Security Incident Response Planning

Learning Without Scars is pleased to introduce our new guest writer, Danny Slusarchuk. His first post for our blog is on Cyber Security Incident Response Planning. Danny Slusarchuk enjoys spending time with his family and being a productive member of the community. He serves on the Oklahoma Venture Forum (immediate past Chairman) and Oklahoma Innovative Technology Alliance boards. He leads the Oklahoma National Guard Defensive Cyberspace Operations Element. Danny founded Standards IT in 2012 and continues to be a managing partner at the headquarters in downtown Edmond. He has been recognized as 20 Edmond Business Leaders under 40 and was a recent Edmond’s Young Professional of the Year award recipient. Danny spoke most recently at the FBI’s Information Warfare Summit and has for 4 years running. This year he spoke at SECCON as well. He was a guest speaker for the Youth Leadership Edmond conference, 45th Field Artillery Brigade Honorable Order of Saint Barbara Dining Out. He was the keynote for Oklahoma Officer Candidate School Class 63.

Cyber Security Incident Response Planning

Let’s understand the why.

Your business is shut down for the foreseeable future and you don’t have the slightest idea how you are going to get back to the way you were operating yesterday. Your customers, employees, and even competitors know you have been hacked.  Someone in another country is extorting you for ten Bitcoin to maybe restore your precious data on their good word. To top it all off, your customers have brought a class action lawsuit against your negligent handling of their data.

Do not let that scenario play out solely on the bad actors’ terms.  It is possible to do everything right and still get hacked.  A living incident response policy and procedure accompanied by routine tabletop exercises and vulnerability assessments can be the difference between surviving and shutting your business down.

The Sans institution provided great cyber security training.  The incident response considerations in this post draw from their Global Certified Incident Handler curriculum.

Your plan should have input from all departments that require systems and data to operate.  I recommend you nest it with your cyber liability insurance policy and have it legally approved.

Now, if you were to pull out as much of the lingo as possible and boil it down to bullets here is how I would state it:

• Identify the event (Intrusion Detection Software, Security Operations Center Notification, Individual Report, Litigation Notice) (each an “Event”)
• Execute initial alert roster of Event and establish event timeline using “Event” document for record
• Determine exposure (add additional resources if necessary and conclude as an IT Governance Council that the Event is contained and did not elevate to an “Incident”)
• If Breach, exfiltration of data, or other harm is suspected to be probable elevate the Event to an Incident
• Contact “Incident Response Legal Team” and “Cyber Forensics Team” (both appointed by the IT Governance Council)
• Use IT Governance Council, Legal Team, and Cyber Forensics Team as Incident Response Council and establish Cyber Forensics Team as Incident Response Manager of the Council
• Add additional technical resources, if needed, to manage the technical aspect of the Cyber Forensics effort and cyber defense
• Track all time, keep running estimates of time and hardware required to maintain operations during the Incident Response
• Add Crisis Public Relations Firm to the Council for internal and external talking points and press releases, if needed
• Use cyber forensic evidence in court or to settle lawsuit and to submit claims to the insurance carrier
• Notify customers and any injured parties, if necessary, pursuant to regulatory requirements
• File incident with the FBI Cyber Crimes Complaint center, if appropriate
• Complete “Incident Response” document(s) for record
• Add technical controls to Cyber Security Risk Mitigation Matrix
• Conduct an after-incident review with key personnel and distribute the IR for Record documentation

That was high level steps, and each has significance.  Overall, the concept is to prepare, identify, contain, eradicate, recover, and realized lessons learned.  The steps also include adding one-time resources like forensics and crisis public relations.

In future posts I will explore specific sections covered in greater detail that will help educate the reasoning behind the order and specific terminology.  Cyber liability insurance is only good if it pays out when you need it for example.  Yes, there are some gotchas in choosing your protection.

References: https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/

Did you enjoy this blog? Read more great blog posts here.

For our course lists, please click here.

November 2, 2021

Process Mapping Blog

Guest writer Sara Hanks helps us with a key detail for continuous improvement in her "Process Mapping Blog" today.

Continuous improvement in an organization requires implementing projects. Projects also mean change, which is often met with resistance. In the early stages of a project, I recommend using process mapping to facilitate effective change management.

In one of my first IT projects, I was creating an inspection software for manufacturing quality. The project was significantly delayed, and the former project manager had left the company. To create something quickly, I deployed an off-the-shelf software. Completing the inspection plan turned out to be a giant pain and added significant cycle time. A year later, we ended up redesigning the entire inspection software after so many complaints from the users. It was not worth trading off an understanding the current state process for the speed of implementation. I should have known better, after many years of training and practicing lean at GE. 

When lean was a corporate initiative at GE, the business planned large transactional lean events to conduct process maps in a session that was sponsored by senior leadership. Attending these events was a privilege and a great way to network with senior leaders. These sessions, often led by a trained facilitator, were highly interactive with post it notes and giant sheets of paper. Over time, the initiatives shifted, and the leaders were no longer engaged at that level. However, I require my teams to conduct process maps 100% of the time.  

Process mapping is a necessary step towards implementing change as it helps to understand the current state. A process map is a detailed diagram that articulates each step of a process. While these can be created by interviewing people, they are best conducted in a conference room environment, with representation from each function involved in the process. With enough prework, the session can be completed in 4-8 hours, depending on the complexity of the process. 

Prework to the Process Mapping Session 

Create a RASCI chart. A RASCI chart identifies the process steps, as well as the roles or people who need to participate in each step. RASCI stands for: 

• Responsible – the person who completes the step
• Approver – the person who needs to approve the work conducted by the responsible person 
• Supporter – roles that provide inputs to the process step
• Consultant – an expert who provides expertise 
• Informed – the people who need to know about a process step being completed 

It’s important to note that every step needs a responsible person or role, but the other categories are not required*.  At minimum, one person from each function that owns a step should participate in the session. 

The output of the prework is to schedule time with the team, as well as a report out session with the relevant leaders.

Conducting the Process Mapping Session

1. Review the RASCI chart with the team. It is important to obtain consensus that the process steps are complete, as well as who is involved in them.
2. For each step in the process, the team will identify the following details:
   1. Inputs to the process step, as well as who provides the inputs. Sometimes the inputs are not part of the process itself but are used to make a decision or to harmonize information. For example, a purchasing specialist may refer to quality data before choosing who to buy parts from.
   2. The details about what happens during the process step. If the process is a decision, what criteria is used to make the decision should be included. 
   3. The time it takes to complete the step, as well as how long people are waiting for information.
   4. The system of record for the process step – whether it is an email, an IT software system, or even paper records.
   5. The outputs of the process step
3. Review the process map one final time and ensure that the times noted are reasonable.
4. Evaluate the process for waste. Waste identification should be brainstormed silently first, then shared with the group. Waste in a process could include:
   1. Rework of a process step, or returning to an earlier step in the process
   2. Waiting for inputs
   3. Excess processing such as creating reports that are not used
   4. Manual efforts that could be automated

Once the waste is identified, the team will see themes of similar waste. These can be grouped into categories and should be quantified in terms of time or cost. 

At this point the team and the project manager has a thorough understanding of the process, as well as the opportunities to drive improvement through waste elimination that can be considered in the project plan. Some process mapping events use the team to design a future process collectively, but that’s a blog for another day. 

Report Out

When people are asked to take time out of their day to support process mapping, a report out is helpful to justify the time with their managers. In addition to the management team and the participants, any people who are approvers in the RASCI should review the outcome of the process mapping session. The report out can be summarized as a Value Stream Map, which is a high-level representation of the process and includes the cycle times. It is helpful to include the waste impact in the Value Stream Map as well. 

Conclusion

Process mapping helps project managers understand the current state thoroughly which helps prevent issues when implementing the project. The biggest benefit of conducting the process mapping session is that it engages the stakeholders and subject matter experts. Process mapping exposes frustrations about the current state, so the subject matter experts are more likely to understand why a project is happening. Additionally, it highlights what works about the current state, so the project manager can consider keeping these best practices. When the stakeholders are understood, they are more likely to accept or even embrace the change.

NOTE: Some sources say that the A means accountable, but I prefer approver because if a person is responsible for completing a step, by default the person is accountable.

Did you enjoy this blog? Read more great blog posts here.

For our course lists, please click here.

August 9, 2022