Hitachi

U.S.A.

Hitachi Group Global Network

Americas

Asia

Europe

Middle East and Africa

Oceania

Close

Key Roles and Responsibilities for your Incident Response Team (3/5)
You are here: Home \ Incident Response \ Key Roles and Responsibilities for your Incident Response Team (3/5)
Incident Response Planning - Hitachi Systems Security
Posted on Tuesday, March 27th, 2018 by

Incident Response Planning in a Nutshell: Roles and Responsibilities

 

“Great things in business are never done by one person. They’re done by a team of people.” – Steve Jobs

As part of our 5-part series about Incident Response Planning (IRP), this article dives deeper into the roles and responsibilities required to implement and respect an effective Incident Response Plan.

 

Find more detailed information about IRP in the articles below:

 

Incident Response Planning has proven to be most effective to help organizations respond to incidents when at least three distinct functions are in place:

  1. The Computer Security Incident Response Team (CSIRT)
  2. The Legal Expert
  3. The Public Relations/Communications Expert

 

To help your organization become more confident when facing a security incident, we’re explaining each of these three roles down below.

 

  1. The Computer Security Incident Response Team (CSIRT)

A Computer Security Incident Response Team (“CSIRT”) is defined as the group of individuals in charge of executing the technical aspect of an Incident Response Plan. CSIRT members are responsible for the detection, containment and eradication of cyber incidents as well as for the restauration of the affected IT systems.

 

To set up a CSIRT, organizations can opt for three different staffing models:

  • Employees – the organization conducts all incident response-related activities by itself, without any guidance or intervention from external parties.
  • Partially Outsourced – the organization outsources certain elements of its incident response-related activities to external parties.
  • Fully outsourced – the organization outsources all elements of its incident response-related activities to external parties.

 

According to the U.S. National Institute of Standards and Technology (NIST), “the most prevalent arrangement is for the organization to outsource 24-hours-a-day, 7-days-a-week (24/7) monitoring of intrusion detection sensors, firewalls, and other security devices to an offsite managed security services provider (MSSP). The MSSP identifies and analyzes suspicious activity and reports each detected incident to the organization’s incident response team”.

This recommended scenario related to a partially outsourced staffing model as described above. Fully outsourcing options often require on-site contractor.

A contextual analysis may drive organizations to opt for either a partially outsourced or a fully integrated response capability. In these scenario, a CSIRT must be set up.

 

What should I consider when setting up a CSIRT?

Regardless of what your organization decides to do, your choice should be motivated by a consideration of the following:

  • Implementing and maintaining IRPs may require specialized knowledge in several technical areas that may not be readily available internally
  • Your internal team may not possess the necessary knowledge of intrusion detection systems, vulnerability management and other cybersecurity techniques to properly respond to a security incident
  • MSSPs may have a more global view of the latest and most common security incidents from their customer base and may therefore correlate events better than an individual organization could
  • If you decide to hire an internal team of security experts as part of your CSIRT, make sure to keep retention strategies in mind to avoid high employee turnover – a common occurrence in today’s IT security talent shortage phenomenon
  • MSSPs have access to secure facilities and state-of-the-art IT infrastructure, such as Security Operations Centers (SOCs) in various countries
  • Generally speaking, MSSPs tend to be less costly than hiring in-house, full-time security resources because they are able to spread their costs of Information Security Analysts, hardware, software etc. across multiple customers across the globe

Disclaimer: When opting for a partially outsourced model, organizations must understand that outsourcing does not transfer their legal obligations to MSSPs. Organizations remain fully responsible, both legally and morally, to ensure that they meet legal requirements in terms of information security. This being said, MSSPs are liable for the quality of service that they provide according to the terms of the service level agreement (SLA).

 

What factors impact how I build my CSIRT?

CISRTs vary in terms of their service offering and organizational structure. The responsible department will usually examine a number of relevant factors before choosing a model.

The objective of the exercise is to identify the organization’s needs and the framework in which the prospective CSIRT will be inserted in order to develop a vision of its mission.

  • Types of incident activity that currently characterizes the organization’s threat landscape, as this will inform the types of skills that are required from the CSIRT’s members
  • Practices of other organizations in the same sector
  • Stakeholders’ expectations and needs, including opinions from business managers, IT staff, legal department, human resources, public relations, physical security, audit and risk management specialists, etc.
  • Enterprise’s organizational model and principal business functions
  • Risk assessments results, critical assets that must be protected and business-continuity plans
  • Existing policies, plans, directives and guidelines (especially those related to confidential data and physical security breaches)
  • Applicable legislations and/or recommendations

 

What are the functions of the CSIRT?

CSIRTs may exercise a wide range of functions that can be grouped under reactive, proactive and security quality management services:

Ideally, CSIRTs should aim to provide the usual baseline of services and eventually add other features that pertains to their mission. In other words, the primarily function of CSIRTs remains incident response.

Only once the team has acquired all necessary resources, training and experience to properly and effectively accomplish these tasks, management should consider adding additional responsibilities.

The extension of functions can be part of a development plan for the CSIRT. For instance, with proper funding and management support, the CSIRT can become a “key player in providing risk and business intelligence to the organization”.

 

Which roles should be assigned within the CSIRT?

NIST’s publication 800-64 proposes that CSIRTs should be composed of a manager, a technical lead and team members. The PCI DSS makes it mandatory to assign an individual or a team to various tasks, including establishing, documenting and distributing security incident response and escalading procedures when necessary.

Under this standard, the team must monitor and analyze security alerts and access to data.

 

CSIRT: Tasks and Skills Needed

Note that the PCI-DSS also requires an IRP that involves the documentation of roles and responsibilities.

RoleTasksSkills
Manager·   Overall coordination of the IRP·   Resilience to stressful situation
·   Communicates with management·   Knowledge of the IT system and business processes
·   Secures the proper personnel, resources and skills for the adequate application of the IRP (whether outsourced or not)·   Knowledge of management personnel
·   Tests and updates the IRP periodically·   Excellent communication skills
·   Documents and records decisions, actions, procedures, inputs or outputs resulting or pertaining to IRP·   Excellent organization skills
·   If services are outsourced, oversees and evaluates such work·   Decision-making skills
Technical Lead·   Responsible for the team’s technical work·   Excellent knowledge of cyber threats and incident response procedures
·   Reports to the Manager·   Excellent knowledge of internal IT structure
·   Good communication skills
Team Members·   Performs incident response as planned·   Excellent technical skills pertaining to system administration, network administration, programming, technical support or intrusion detection
·   Often assumes responsibility for intrusion detection·   Best practice is to have at least one member highly proficient in each major area of technology
·   Issues recommendations regarding new vulnerabilities and threats·   Best practice is to have members specialized in technical areas (network intrusion detection, malware analysis or forensics)
·   Contributes to education and awareness within the organization·   Problem-solving and critical thinking abilities
·   Participates in incident response sharing efforts

The Computer Emergency Readiness Team [CERT] recommends the following roles amongst the CSIRT members:

  • Manager or Team Lead
  • Assistant Managers or Group Leaders
  • Help Desk or Triage Staff
  • Incident Handlers
  • Vulnerability Handlers
  • Artifact Analysis Staff
  • Platform Specialists
  • Trainers
  • Technology Watch

 

In reality, CSIRTs are rarely staffed enough to cover all of these roles and personnel is expected to be versatile.

The table above describes the usual tasks and skills of team members.

Note that some organizations are required by law to have a privacy officer (an individual accountable for the respect of the privacy legislation in the constituent), especially in the health sector (see Ontario’s Personal Health Information Protection Act).

Harmonization between the privacy policies and practices with those of data security is critical. Organizations should consider integrating their privacy officer into information security planning and attributing him responsibilities during IRP.

 

Anything else to consider when creating a CSIRT?

  • Deciding on the CSIRT’s authority
  • Deciding on the CSIRT’s location
  • Deciding on the equipment and network infrastructure needed to support its daily functions
  • Deciding on funding and sustainability
  • Deciding on hours of operation and determining whether there is a requirement for a 24/7 monitoring and corresponding funding (Note that PCI-DSS requires that specific personnel be available to monitor and respond to alerts on a 24/7 basis)

 

  1. The Legal Expert

Legal ExpertIn the process of attributing roles and responsibilities, the need for judicial expertise should not be overlooked. Legal experts endorse many critical roles throughout the phases of IRP, but particularly in the phase of drafting policies, plans and procedures.

CMU-SEI’s Handbook for CSIRTs rightly emphasizes the need for individuals who are experienced in cybersecurity as such to understand technical terminology and particular issues relating to CSIRT’s daily activities. They also recommend a year-long capability of engagement due to the amount of domain specific knowledge needed and the difficulty of finding such legal expertise on the market.

The role of the legal expert can be summarized as providing quality assurance about every topic – from the mission statement to the actual incident handling.

Regarding policies and plans, lawyers inform the decision-makers about legal requirements, preferred practices and any conflicts with other jurisdictional legislations in which the organization does business. Their contract drafting experience help to adjust the scope of these documents with proper definitions.

In the same line of thought, they conduct contract analysis with outsourced services and draft all the needed material pertaining to the CSIRT’s operations (e.g. non-disclosure agreements).

Overall, legal experts are concerned with being able of demonstrating due care at all times by warranting the adequacy of rules regarding the handling of confidential information, evidence and documentation. In doing so, they proactively defend the organization against liabilities.

 

Legal Expert: Tasks and Skills Needed

See the table below for a detailed description of the tasks of a legal expert.

TasksSkills
Prior to an incidentKnowledge of cyber security legal frameworks;
Reviews the IRP for compliance with legislation;Experience in agreement drafting;
Writes a template for a data breach notification;Experience in dealing with law enforcement;
Advises the PR expert on the redaction of template for media statement keeping in mind the protection of confidential information and the best interests of the company.Problem-solving orientation;
Drafts templates of information sharing agreements;·         Well-prepared and well-organized to react promptly in a rapidly evolving situation.
Secures employees’ consent for network monitoring by drafting an effective Agreement;
During the incident
If necessary, completes the template for data breach notification with the PR expert and ensure that it is released in due time and to the right individuals and/or organizations;
If necessary, assists with evidence collection;
Ensures that the events are properly documented keeping in mind possible lawsuits;
May act as point of contact with law enforcements;

 

  1. The Public Relations/Communications Expert

Each organization should have a predetermined point of contact with the media, usually a public relations (PR) expert who is trained on developing precise and impactful press releases.

In case of a data breach of public interest, this person will be updating the media about the work of the CSIRT and any remedial action taken. In this regard, the PR expert should have received training on information disclosure and is well aware of the organization’s policies.

In the event of a data breach, communication is key. The PR expert should have communication templates ready to address different scenarios, such as data breach notification. His role is to balance the need to protect the company’s business interests (e.g. its reputation) with the need to inform the public. Pre-written templates provide sufficient time to reflect on the appropriate wording. This should be done before a crisis occurs, as there will be little time to reflect during ‘war time’.

In the same line of thought, pre-written statements should be analyzed by legal experts who will consider all ramifications such as balancing mandatory notification, non-disclosure agreements, the protection of personal information and the company’s best interest.

 

PR Expert: Tasks and Skills Needed

Here’s what the PR expert is supposed to do as well as the skills he or she should have for this crucial role:

TasksSkills
Helps to establish a communication policy with legal affairs and management;Awareness of the organization’s policies;
Manages communication with the public, if any;Understanding of legal obligations, especially regarding the disclosure of personal information;
Manages communication with the media, if any;Understanding of CSIRT’s work;
Manages communication with employees;Excellent communication skills.
Acts as a single point of contact for any communication with anyone other than management and law enforcement;
Sends the data breach notifications to the proper individuals and/or organizations upon consulting with the legal expert.

 

In a Nutshell

 

We can all agree that security incidents against organizations are here to stay. And sooner than later, we’ll all need to live up to the fact that careful incident planning and preparation is one of the best strategies to respond to security incidents.

 

For Incident Response Plans to be effective, organizations need to be proactive and create at least three crucial roles to help navigate the stormy waters of a security incidents.

  1. A Computer Security Incident Response Team will possess the necessary technical knowledge and expertise to mitigate the damage of the incident, conduct repairs, perform regular audits, patch vulnerabilities and handle incidents when they occur.
  2. A legal expert will help organizations draft the required policies, advise the management team on necessary legal action and perform quality assurance duties to ensure that an organization’s legal standing is well protected even in the case of a security incident.
  3. A PR expert will help the organization communicate properly about the security incident to the public and other relevant channels to demonstrate confidence even in moments of crisis, facilitate open and adequate communications and protect the organization’s reputation.

 

Now that we’ve learned about the roles and responsibilities for effective Incident Response Planning, how does IRP look like in different jurisdictions across the world?

Stay tuned for part 4 of our 5-part blog series about Incident Response Planning in next week’s article.

 


To learn more about how to better protect your organization and respond to cyberattacks with incident response planning, check out our free on-demand webinar about “The Keys to Improving Response to a Cyber Security Incident”.

How Cyber Resilience is Changing Cyber Security

Vanessa Henri
About author:
Vanessa Henri holds a Master’s of Law degree from McGill University in Montreal, Canada, and specializes in data security and privacy. Throughout her academic path, she has worked on topics such as cyber-espionage, and her studies on the Dark Web were funded by the Quebec Bar associations, prior to publication in the Canadian Journal for Law and Technologies. She has published a variety of other data privacy-related materials, and has contributed as a speaker to various conferences about data protection law and liabilities. As part of her current role as Director of Legal Affairs and Compliance at Hitachi Systems Security, Vanessa also specializes in the creation of privacy compliance programs for our clients.

Stay up to date! Subscribe to our Blog

Topics

Recent Videos

What is Penetration Testing?

What is a Vulnerability Assessment?

What is a Control Assessment?

More