Whip Your Incident Response Program into Shape · •Understand requirements behind an incident...

Transcript of Whip Your Incident Response Program into Shape (34 slides)

Page 1: Whip Your Incident Response Program into Shape

Page 2: Agenda

• Introductions

• Understand requirements behind an incident response program (IRP).

• Identify the different components of an effective IRP.

• Learn how to prepare for your testing exercise.

• Learn how to develop meaningful testing scenarios.

• Understand how to conduct and document the testing.

• Questions

Page 3: INTRODUCTIONS

Page 4: Today’s Speakers

Nadia Fahim-Koster, Director, Meditology Services

• 14+ years of experience in healthcare IT security and privacy leadership

• Previously CISO and Chief Privacy Officer for several large health systems

• Certified CISSP, HCISPP, and HITRUST CCSFP

• Advises healthcare clients coast to coast on privacy and security

Kim Rosser, R.N., Senior Associate, Meditology Services

• Certified HITRUST CSF Practitioner

• Extensive risk assessment experience working with HITRUST, HIPAA, FISMA, and NIST

• Registered Nurse with 20+ years of clinical experience

Meditology is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare.

Page 5: REGULATORY REQUIREMENTS

Page 6: Requirements

• The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to “identify and respond to suspected or known security incidents, as well as mitigate to the extent practicable, harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes.”

Source: Department of Health & Human Services, HIPAA Security Series (Administrative Safeguards): §164.308(a)(6)(ii) – Response and Reporting, the implementation specification under the §164.308(a)(6)(i) Security Incident Procedures standard.

Page 7: COMPONENTS OF AN EFFECTIVE INCIDENT RESPONSE PROGRAM (IRP)

Page 8: Policy

The National Institute of Standards and Technology (NIST) recommends that the following elements be included in the IRP policy:

• Statement of management commitment

• Purpose and objectives of the policy

• Scope of the policy

• Definition of security incidents and related terms

• Roles, responsibilities, and levels of authority

• Severity ratings of incidents

• Performance indicators

• Reporting and contact forms

NIST Special Publication 800-61, Revision 2 – Computer Security Incident Handling Guide

Page 9: Plan

The plan should be tailored to the size, structure, and mission of your organization. NIST recommends that the following elements be part of your IRP plan:

• Senior management sponsorship and approval

• Goals and objectives for incident response

• Organizational structure of the various team members, their resource requirements, and their roles

• Communication process for internal and external entities

• Outline of the incident response methods for each classified incident from the policy

• Metrics for evaluating the effectiveness of the team and process

• Processes for annual review and evaluation

Page 10: Organizational Structure

Command

• Defines the incident goals and operational period objectives

• Includes an Incident Commander, Safety Officer, Public Information Officer, Senior Liaison, and Senior Advisors

Planning

• Coordinates support activities for incident planning, contingency, long-range, and demobilization planning

• Supports Command and Operations in processing incident information

• Coordinates information activities across the response system

Logistics

• Supports Command and Operations in their use of personnel, supplies, and equipment

• Performs the technical activities required to maintain the function of operational facilities and processes

Admin/Finance

• Supports Command and Operations with administrative issues as well as tracking and processing incident expenses

• Includes such issues as licensure requirements, regulatory compliance, and financial accounting

Operations

• Establishes strategy (approach, methodology, etc.) and specific tactics (actions) to accomplish the goals and objectives set by Command

• Coordinates and executes strategy and tactics to achieve response objectives

Page 11: Statement of Management Commitment

Management commitment and responsibilities include:

o Program management

o Program review and updates

o Development of a review panel or task force if hazards are identified, or for deployment after an event to assist in its review

o Assisting with training

o Enforcing disciplinary actions as needed

o Interaction and assistance with regulatory and response agencies

Page 12: Purpose and Objectives

Purpose and objectives of the policy:

• To ensure that information security events, and weaknesses associated with information systems, are handled in a timely manner and allow corrective action to be taken.

• Governs the actions required for reporting and responding to security incidents involving client information assets.

• Ensures effective and consistent handling of such events to limit any potential impact to the confidentiality, availability, and integrity of client information assets.

Page 13: Scope

Scope of the policy:

• Applies to all workforce members, users, and all personnel affiliated with third parties who access or use client information assets, regardless of physical location.

• Also applies to:

o Information technology administered in individual departments

o Technology administered centrally

o Personally owned computing devices connected by wire or wirelessly to the client network

o Off-site computing devices that connect remotely to the client network

Page 14: Definition of Security Incidents

• Security Incident: a violation, or imminent threat of a violation, of IT or information security policies, procedures, acceptable use policies, or standard security practices.

• Security Incident Response Team (SIRT): a group of individuals set up for the purpose of assisting in responding to security-related incidents.

• Unauthorized Access/Theft: unauthorized access encompasses a range of incidents, from improperly logging into a user's account (e.g., when a hacker logs in to a legitimate user's account) or unauthorized use of logon credentials, to obtaining unauthorized access to files and directories, possibly by obtaining "super-user" privileges.

• Virus: a self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence.

Page 15: Roles and Responsibilities

Roles, responsibilities, and levels of authority

Role: Primary Incident Handler

• The assigned “owner” of a security incident after the initial notification

• Ensures coordination, documentation, and communication with the SIRT and any other departments or organizations directly involved in the security incident

• Responsible for the quality of the incident handling procedures for the assigned event

Role: Incident Coordinator

• Designates incident roles and responsibilities per incident

• Manages team members assigned to specific tasks during an incident

• The communication point between SIRT groups, members, and the Primary Incident Handler

• Makes sure that the team is focused on its goal and reports any findings up the chain of command

• Prepares a written summary of the incident and corrective action taken

• Documents all details of an incident and facilitates communication

Role: Onsite Incident Handler

• Lead handler during offsite incidents; responsible for gathering evidence and making sure proper procedures are followed as defined by the Primary Incident Handler

Role: Incident Sponsor (Executive Leadership)

• The SIRT should have a member of the management team as its sponsor

Role: Users/Employees

• Report suspected or known security incidents through the IT Service Desk

• Cooperate with investigative personnel during an investigation if needed

Page 16: Severity Ratings

Severity ratings of incidents

Severity Level: Critical/High
Description: Incidents that are extensive, widespread, and where the impact is severe.
Examples: malicious code; unauthorized access; DoS affecting critical services; data breach; outages; attack against infrastructure

Severity Level: Medium
Description: Incidents where the impact is significant.
Examples: attempts to gain unauthorized access; open mail relay

Severity Level: Low
Description: Incidents where the impact is minimal (minor, localized incidents).
Examples: unauthorized network probes or system scans; isolated virus infections

Page 17: Performance Indicators

A list of possible metrics is provided below:

• Total number of incidents (as a control measure)

• Breakdown of incidents by stage (logged, work in progress, closed, etc.)

• Size of the current incident backlog

• Number and percentage of major incidents (as well as breakdowns by other impact, urgency, and priority codes)

• Mean elapsed time to achieve incident resolution or circumvention, broken down by impact code

Though lengthy, this list is not exhaustive.
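The five indicators above are simple to compute from a ticket export, but the details matter: a ticket marked closed with no resolution time, or open tickets counted as zero hours, silently distort the mean time to resolution. The following Python is an added example and is not part of the original presentation. The Incident fields (id, severity, stage, opened, resolved) and the sample records are constructed assumptions; the severity value doubles as the "impact code" for the last metric, and resolved is read as the time of resolution or of circumvention (a workaround in place).

```python
"""Incident-response performance indicators computed from a ticket export.

Added example, not from the original presentation.  The Incident fields and the
SAMPLE records below are constructed for illustration; 'resolved' is the time of
resolution *or* circumvention (workaround in place), per the last metric above.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

SEVERITIES = ("critical", "medium", "low")   # the deck's three severity levels
OPEN_STAGES = ("logged", "in_progress")       # anything not closed is backlog


@dataclass
class Incident:
    ident: str
    severity: str                          # one of SEVERITIES (used as the impact code)
    stage: str                             # "logged", "in_progress" or "closed"
    opened: datetime
    resolved: Optional[datetime] = None    # resolution or circumvention time, if any


# Constructed sample export (not real incident data)
SAMPLE = [
    Incident("IR-1", "critical", "closed", datetime(2014, 7, 1, 9), datetime(2014, 7, 3, 9)),
    Incident("IR-2", "critical", "in_progress", datetime(2014, 7, 14, 8)),
    Incident("IR-3", "medium", "closed", datetime(2014, 7, 5, 10), datetime(2014, 7, 5, 22)),
    Incident("IR-4", "medium", "closed", datetime(2014, 7, 8, 10), datetime(2014, 7, 9, 10)),
    Incident("IR-5", "low", "closed", datetime(2014, 7, 10, 10), datetime(2014, 7, 10, 14)),
    Incident("IR-6", "low", "logged", datetime(2014, 7, 15, 15)),
    Incident("IR-7", "low", "closed", datetime(2014, 7, 11, 8), datetime(2014, 7, 11, 10)),
]


def validate(incidents: list[Incident]) -> None:
    """Reject records that would silently distort the metrics."""
    for i in incidents:
        if i.severity not in SEVERITIES:
            raise ValueError(f"{i.ident}: unknown severity {i.severity!r}")
        if i.stage == "closed" and i.resolved is None:
            raise ValueError(f"{i.ident}: closed without a resolution time")
        if i.resolved is not None and i.resolved < i.opened:
            raise ValueError(f"{i.ident}: resolved before it was opened")


def breakdown_by_stage(incidents: list[Incident]) -> dict[str, int]:
    return dict(Counter(i.stage for i in incidents))


def backlog(incidents: list[Incident]) -> int:
    return sum(i.stage in OPEN_STAGES for i in incidents)


def major_incidents(incidents: list[Incident]) -> tuple[int, float]:
    """Count and percentage of critical/high incidents."""
    n = sum(i.severity == "critical" for i in incidents)
    pct = round(100.0 * n / len(incidents), 1) if incidents else 0.0
    return n, pct


def mean_hours_to_resolution(incidents: list[Incident]) -> dict[str, Optional[float]]:
    """Mean elapsed hours to resolution/circumvention per severity (impact code).
    Open incidents are excluded rather than counted as zero; None means no data."""
    out: dict[str, Optional[float]] = {}
    for sev in SEVERITIES:
        hours = [(i.resolved - i.opened).total_seconds() / 3600.0
                 for i in incidents if i.severity == sev and i.resolved is not None]
        out[sev] = round(mean(hours), 1) if hours else None
    return out


def scorecard(incidents: list[Incident]) -> dict:
    """All five indicators from the slide in one report dictionary."""
    validate(incidents)
    n, pct = major_incidents(incidents)
    return {
        "total": len(incidents),
        "by_stage": breakdown_by_stage(incidents),
        "backlog": backlog(incidents),
        "major_count": n,
        "major_pct": pct,
        "mean_hours_to_resolution": mean_hours_to_resolution(incidents),
    }


if __name__ == "__main__":
    for key, value in scorecard(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, the scorecard reports 7 incidents, a backlog of 2, 2 critical incidents (28.6 percent), and a mean of 48.0, 18.0 and 3.0 hours to resolution for critical, medium and low incidents respectively. The validation step is the part worth keeping when you wire this to a real ticketing export: a closed ticket without a timestamp is a process failure, not a data point.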

Page 18: Reporting and Contact Forms

Reporting and contact forms

Sample contact form

The Incident Report covers the following key areas:

• Incident Identification Information

• Incident Summary

• Incident Notification

• Incident Workflow

• Action Summary

• Post-Incident Analysis

• Artifacts

Page 19: Procedures

The most common procedures include the following elements:

• Communication, both internal and external to your organization

• Escalation notification

• Incident tracking forms

• Incident reporting and documentation

• Investigation checklists by technology platform

• Remediation checklists by risk and threat classification

• Security information and event management (SIEM)

• Evidence collection and handling (“chain of custody”)

• Forensics investigation and documentation

• Data retention and destruction

• Non-disclosure agreements

Page 20: PREPARE FOR YOUR TESTING EXERCISE

Page 21: Testing Preparation

A good IRP test requires adequate preparation:

• Review every component of your IRP, including your IRP Policy

• Assess your procedure documentation for potential improvements and/or changes

• Identify the different teams listed within the IRP to know who the participants of the exercise will be

• Determine whether you will involve every member of every team, or just a representative

Page 22: Testing Preparation

• Every role should have 2 tiers (primary and secondary)

• Roles to include:

o Internal communications

o External communications

o Human Resources

o Legal

o Executive Leadership

o Marketing

Page 23: DEVELOP MEANINGFUL TESTING SCENARIOS

Page 24: Meaningful Scenarios

Create the scenarios that will be used during the exercise:

• Align the scenarios with the incident criticality levels as identified in the IRP plan

• Create scenarios that align with real-life incidents in the industry

• Scenarios should test the effectiveness of your organization’s HIPAA Breach Notification plan

Page 25: Low Incident

Jessica in HR has been busy interviewing candidates for positions within Client. She mistakenly emailed one of the candidates a document containing employee demographic information.

She immediately notifies her manager.

What next steps should be taken?

Page 26: Medium Incident

Several employees have reported the following email:

From: Smith, John [[email protected]]
Sent: Friday, July 15, 2014 3:15PM
Subject: System Administrator

UPDATE YOUR MAIL BOX QUOTA

Your mailbox has almost exceeded its storage limit.

It will not be able to send or receive emails if exceeded it limit and your email account will be deleted from our servers. To avoid this problem you need to update your mailbox quota. By clicking on the link below and filling your login information for the update.

http://owa-team1.webs.com/

If we do not receive a reply from you, your mailbox will be suspended.

Thank you for your cooperation
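In the tabletop, the team walks through who gets notified and how the message is contained; on the technical side the first step is to triage the reported message and pull out what needs blocking and what needs hunting for in proxy logs. The following Python is an added example and is not code from the presentation. The organization's mail domain (example-health.org), the sender address (the deck redacts the real one), and both sample messages are constructed assumptions; the indicator set (an outside sender claiming an IT role, a link to a host outside the organization, a webmail look-alike hostname, a request for credentials, urgency or threat language) generalizes the single scenario above rather than matching only its wording.

```python
"""Triage a reported e-mail for the phishing indicators a SIRT would look for.

Added example for the medium-severity scenario above, not from the original
presentation.  ORG_DOMAINS, the sender address (the deck redacts the real one)
and both sample messages are constructed assumptions.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAINS = {"example-health.org"}   # assumption: the client's own mail domain(s)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
CRED_PHRASES = ("login information", "your password", "username and password",
                "verify your account")
URGENCY_PHRASES = ("will be deleted", "will be suspended", "to avoid this problem",
                   "exceeded its storage limit")
ROLE_PHRASES = ("system administrator", "help desk", "service desk", "it department")
WEBMAIL_TOKENS = ("owa", "outlook", "webmail", "exchange")   # look-alike hostnames


def _is_org_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of a plain-text body, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def triage(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    body = msg.get_payload()        # plain-text samples; real mail needs a MIME walk
    text = (msg.get("Subject", "") + "\n" + body).lower()

    urls = extract_urls(body)
    external = [(u, h) for u, h in ((u, (urlparse(u).hostname or "").lower()) for u in urls)
                if h and not _is_org_host(h)]
    external_hosts = sorted({h for _, h in external})

    indicators = []
    sender_external = not _is_org_host(sender_domain)   # empty/missing From counts as external
    if sender_external:
        indicators.append("sender_outside_org")
    if sender_external and any(p in text for p in ROLE_PHRASES):
        indicators.append("claims_it_role_from_outside")
    if external_hosts:
        indicators.append("link_to_external_host")
    if any(t in h for h in external_hosts for t in WEBMAIL_TOKENS):
        indicators.append("webmail_lookalike_host")
    if any(p in text for p in CRED_PHRASES):
        indicators.append("requests_credentials")
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency_or_threat")

    score = len(indicators)
    verdict = "phishing" if score >= 3 else ("suspicious" if score else "benign")
    return {
        "sender": sender,
        "indicators": indicators,
        "score": score,
        "verdict": verdict,
        "external_hosts": external_hosts,        # candidates for proxy / DNS blocking
        "block_urls": [u for u, _ in external],  # exact URLs to block and hunt for in proxy logs
    }


# Constructed reproduction of the reported message (sender address is an assumption)
REPORTED = """\
From: "Smith, John" <john.smith@quota-support.example.net>
To: staff@example-health.org
Date: 15 Jul 2014 15:15:00 -0400
Subject: System Administrator

UPDATE YOUR MAIL BOX QUOTA
Your mailbox has almost exceeded its storage limit.
It will not be able to send or receive emails if exceeded it limit and your
email account will be deleted from our servers. To avoid this problem you need
to update your mailbox quota. By clicking on the link below and filling your
login information for the update.
http://owa-team1.webs.com/
If we do not receive a reply from you, your mailbox will be suspended.
Thank you for your cooperation
"""

# Constructed legitimate notice from the internal service desk, for contrast
BENIGN = """\
From: "IT Service Desk" <servicedesk@example-health.org>
To: staff@example-health.org
Date: 16 Jul 2014 08:00:00 -0400
Subject: Scheduled mail server maintenance

Outlook Web App will be unavailable Saturday from 02:00 to 04:00 for patching.
No action is required. Details: https://intranet.example-health.org/it/maintenance
"""

if __name__ == "__main__":
    for name, raw in (("reported", REPORTED), ("benign", BENIGN)):
        r = triage(raw)
        print(name, r["verdict"], r["score"], r["indicators"], r["block_urls"])
```

The reported message trips all six indicators and returns http://owa-team1.webs.com/ as the URL to block; the internal maintenance notice, which also mentions Outlook Web App, scores zero because its sender and its link both stay inside the organization's domain. The block list is the hand-off to the next tabletop question: which users clicked, and whose credentials therefore need resetting.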

Page 27: Critical Incident: Hacktivist Threat & Attack

• Receptionist receives a threatening phone call from Pro Life Radicals objecting to <CLIENT>’s support of birth control and contraceptives.

• Pro Life Radicals state, “YOU HAVE 7 DAYS TO PUBLICLY MAKE A STATEMENT PLEDGING <CLIENT> WILL NO LONGER PROVIDE ANY CARE THAT DOES NOT ALIGN WITH PRO LIFE IDEALS. <CLIENT> IS NOT TO PROVIDE BIRTH CONTROL, CONTRACEPTIVES, NOR ANY PREGNANCY ENDING PROCEDURES. FAILURE TO COMPLY WILL RESULT IN THE MARRING OF THE <CLIENT> BRAND AND REPUTATION, ALONG WITH THE LOSS OF THE CONFIDENTIALITY PROMISED TO YOUR PATIENTS. THIS MESSAGE WILL BE DELIVERED DAILY UNTIL COUNTDOWN EXPIRES.”

Page 28: CONDUCT AND DOCUMENT THE TESTING

Page 29: Conducting the tabletop exercise

• Designate a facilitator (akin to a Dungeons & Dragons game master)

• The facilitator should outline his/her role and responsibilities:

o help participants step through the exercise in an organized manner

o ensure the active participation of all team members

o raise difficult questions

o make certain that the IRP is being followed

o verify that any identified issues are documented

• Ask members to introduce themselves and the areas they represent

Have several copies of your organization’s IRP on hand!

Page 30: Conducting the tabletop exercise…

• Describe to the team what your organization intends to accomplish by conducting an IRP tabletop exercise

• Explain what an example scenario looks like and how you will walk the participants through the incident

• Describe the role of the scribe(s)

• Choose to begin with either a low-level incident or a critical-level incident

• Read the scenario to the team and give them a few minutes to digest the information before proceeding

Page 31: Conducting the tabletop exercise…

• Get the team started by asking them some questions, such as:

o How would you handle this incident?

o Who should the charge nurse notify?

o Who would be notified next?

• Be sure teams adhere to the IRP documents

• During the second scenario, introduce unexpected variables to throw the team off guard and see how they handle new, unexpected information

Page 32: Conducting the tabletop exercise…

HOTWASH:

• Summarize the events

• Run through the list of “to-dos” identified by the team during the exercise

• Perform a “lessons learned” session

Survey participants:

1. Did you get what you needed?

2. Did everyone in your group participate?

3. What did you learn?

4. What would you change?

Page 33: Documenting the tabletop exercise

Writing the report is probably the most difficult part of the tabletop exercise.

• Ensure the scenarios are described and include all the notes for each scenario, including candid conversations

• Include takeaways and a to-do list, as well as all associated notes

• Keep the report handy for the next time you conduct a tabletop exercise, because you will need it to verify that any required updates were made

Page 34: Questions

Nadia Fahim-Koster, Director, IT Risk, [email protected]

Kim Rosser, Sr. Associate, IT Risk, [email protected]