Explain who (in what roles) within the organization would participate in leadership and membership positions for this team.
Leadership and membership positions in a business require the participation of all responsible parties. Organizations are constantly developing measures to deal with arising issues and avoid losses. Teamwork is the most important aspect of protecting a corporate internet business against its vulnerabilities. In Mega-Corp, management is the most important team, as it is responsible for establishing incident response policies and for organizing the budget and the members of staff. The information security team identifies, analyses and helps to contain incidents. Some incidents, such as unauthorized access to telephone lines, require the expertise of the telecommunications team. When an information system is attacked, it is the responsibility of the IT support team to disconnect it from the network once the response team decides that containment requires it.
The legal department ensures that all plans and policies comply with the law and with federal guidance. This department handles lawsuits, oversees the collection of evidence and is involved in incidents where a suspect is prosecuted. Members of the Public Affairs and Media Relations department are responsible for informing the media, and sometimes the public, about incidents that require public knowledge. Disciplining employees who are found to have caused incidents is handled by the human resources department. The business continuity planning professionals are kept informed of incidents in the company; their role is to develop measures for risk assessment and to plan responses to certain types of incidents. The incident response team works closely with physical security and facilities management during incident handling and resolution.
Describe how this team will interface with the forensics partner
Forensic partners make sure that the forensic specialists have everything they need to carry out their work, and such partnerships are common in this type of business. Computer Technology Investment Network, for example, works hand in hand with the other departments in Mega-Corp. These partnerships foster smooth investigations in the laboratory. They have also opened internship opportunities for students in these firms, so the partners act as a link between the firm and the academic community. The forensic partners also provide a means of training current employees so that they keep abreast of what is current in the industry.
There is a hierarchy in the business structure, which speeds the response to a forensic investigation. This is made possible by a strong communication network within the company: from top management to lower-level employees in Mega-Corp, the line of authority is clearly defined and flows seamlessly from one person to the next. Mega-Corp also retains cyber lawyers who can resolve ambiguities that general law firms cannot. Because forensic specialists cannot know everything, the DLA Piper law firm helps them keep computer investigations within the confines of the law. These partners are licensed to practice anywhere in the United States. In the event that a case goes to court, they advise the forensic partners as appropriate and provide legal counsel during the trial (Kruse & Heiser, 2001).
Explain how the organization will establish relationships with local law enforcement and regulatory agencies prior to an incident
Mega-Corp has built relationships with law enforcement agencies in advance so that they are in place before an incident occurs. Organizations such as the High Technology Crime Investigation Association (HTCIA), the International Legal Technology Association (ILTA) and InfraGard all give the firm an opportunity to interact and network at local and international levels. In addition, the firm has ties with government departments such as the Department of Homeland Security. These agencies have created programs that make sharing information easy and fast, including the United States Computer Emergency Readiness Team (US-CERT) and the Protected Critical Infrastructure Information (PCII) Program, which share information with the private sector, including security vendors, academia and other federal agencies. Through these programs, Mega-Corp can report any potential threats it believes the country might face (Department of Homeland Security, 2012).
Businesses, law enforcement agencies, academic institutions and other law-abiding citizens felt that they needed an institution that would address security threats, and InfraGard was born. This organization addresses potential threats, and member institutions can report threats to it. Mega-Corp's offices should develop a link between themselves and the law enforcement agencies. This ensures that the lines of communication are clear and that whenever there is an issue it can be sorted out easily; response time falls sharply when there is a good working relationship between Mega-Corp and these institutions. It is therefore mandatory that both sides be educated on the importance of maintaining a good working relationship, so that the relationship persists as new generations of staff join the institutions and Mega-Corp.
Provide support for your selection of team members and leaders
For communication to be fostered effectively, there needs to be a liaison between the Corporate Incident Response Team and management at Mega-Corp. The Human Resources Director will act as the go-between; it is the director's responsibility to make sure that policies and procedures are revised often, which gives adequate support to future investigations. The Human Resources department will be tasked with providing any assistance needed in the course of an investigation. It is also essential that HR be given the necessary backing to carry out this job. A partnership should therefore be created so that HR has an easier time creating, teaching and implementing these policies in conjunction with the employees of the firm.
The Information Security Board of Review (ISBR) is tasked with giving oversight and direction on anything that pertains to information systems security and privacy, in conjunction with the Chief Information Officer (CIO) and the Information Systems Security Officer (ISSO). The ISSO is appointed by the CIO and the ISBR and is tasked with ensuring that Mega-Corp's Office of Information has an appropriate Network Security Manager (NSM). In turn, the NSM is responsible for ensuring that a Network Security Officer (NSO) and an Information Security Officer (ISO) are appointed at each location and that they do their work without any hiccups. Both the ISSO and the NSM should have extensive experience with operating system security, so considerable care should be taken when filling these posts so that the best candidate is chosen. The individual needs to be an expert in network monitoring and intrusion detection.
The ISSO reviews Mega-Corp's information security and, through the NSM, oversees the implementation of operating system controls and the protection architecture of the networks. This ensures that information is protected from unauthorized access. The NSO and the ISO work hand in hand to supervise compliance, procedures and policies and to ensure the security integrity of Mega-Corp systems. These groups will work together with the SIRT and the HR department to revise, expand and implement corporate policies pertaining to security, technology and acceptable use.
The following observations may indicate a security incident or a violation of security policy:
- Notifications from an intrusion detection tool
- Suspicious entries in system or network logs
- Log discrepancies, such as gaps in the logs or missing log files
- Unsuccessful log-on attempts
- Unauthorized new user accounts, or unauthorized root or admin access
- Strange new files or unfamiliar file names
- Modifications to the lengths and/or date and time stamps of system executable files
- Unrecognized writes to system files, or changes in system files
- Unexplained modification or deletion of data
- Inability of one or more users to log in to an account (denial of service)
- Sudden unexplained system crashes
- Noticeable reductions in system performance
- Unauthorized attempts to capture or analyze network traffic
- Any threats detected on the server
- Any other anomalies observed in the organization's systems
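As an added example of how several of these indicators can be checked mechanically rather than by eye, the Python script below parses a handful of constructed auth-log-style lines and a constructed file baseline and reports failed-logon bursts, unauthorized new accounts, unauthorized sudo use, gaps in the log and changed or unexpected executables. This is not Mega-Corp's tooling and not code from the original document; the log format, the thresholds, the approved-user lists and the file contents are all assumptions made for the illustration.

```python
"""Detection checks for several of the indicators listed above (added example, not
Mega-Corp's tooling and not from the original document). The log format, the
approved-user lists and the thresholds are assumptions; the log lines and file
contents below are constructed sample data."""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an auth.log-like format (the format is assumed).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:03 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:04 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:06 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:07 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:09 sshd: Accepted password for alice from 198.51.100.7
2024-03-01T09:02:00 useradd: new user: name=svc_backup, UID=1007
2024-03-01T09:02:30 sudo: svc_backup : COMMAND=/bin/bash
2024-03-01T11:45:00 cron: (root) CMD (run-parts /etc/cron.hourly)
"""
LINE_RE = re.compile(r"^(\S+) (\w+): (.*)$")

def parse(log_text):
    """(timestamp, source, message) per line; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Indicator: unsuccessful log-on attempts. Returns {(user, ip): count} for
    pairs with at least `threshold` failures inside any `window`-long span."""
    failures = {}
    for ts, _, msg in events:
        m = re.match(r"Failed password for (\S+) from (\S+)", msg)
        if m:
            failures.setdefault((m.group(1), m.group(2)), []).append(ts)
    flagged = {}
    for key, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each failure
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[key] = n
                break
    return flagged

def unauthorized_accounts(events, approved_users):
    """Indicator: unauthorized new user accounts (useradd entries not on the approved list)."""
    found = (re.search(r"new user: name=(\S+),", msg) for _, _, msg in events)
    return [m.group(1) for m in found if m and m.group(1) not in approved_users]

def unauthorized_admin_commands(events, approved_admins):
    """Indicator: unauthorized root/admin access (sudo use by an account that is not an approved admin)."""
    hits = []
    for _, src, msg in events:
        m = re.match(r"(\S+) : COMMAND=(\S+)", msg)
        if src == "sudo" and m and m.group(1) not in approved_admins:
            hits.append((m.group(1), m.group(2)))
    return hits

def log_gaps(events, max_gap=timedelta(hours=1)):
    """Indicator: gaps in the logs. Returns (before, after) pairs of consecutive entries further apart than max_gap."""
    return [(a[0], b[0]) for a, b in zip(events, events[1:]) if b[0] - a[0] > max_gap]

# Constructed stand-ins for executable contents; a real check would read the files from disk.
BASELINE_FILES = {"/bin/ls": b"ELF-ls-v1", "/bin/ps": b"ELF-ps-v1"}
CURRENT_FILES = {"/bin/ls": b"ELF-ls-v1", "/bin/ps": b"ELF-ps-v1-trojan", "/tmp/.x": b"payload"}

def fingerprint(content):
    """Size plus SHA-256. Length or timestamp alone is trivial to forge; the hash is the real check."""
    return (len(content), hashlib.sha256(content).hexdigest())

def integrity_changes(baseline, current):
    """Indicators: modified system executables, strange new files, missing files."""
    base = {p: fingerprint(c) for p, c in baseline.items()}
    cur = {p: fingerprint(c) for p, c in current.items()}
    modified = sorted(p for p in base if p in cur and base[p] != cur[p])
    new = sorted(p for p in cur if p not in base)
    missing = sorted(p for p in base if p not in cur)
    return modified, new, missing

def run_checks(log_text=SAMPLE_LOG, approved_users=("alice", "bob"), approved_admins=("alice",)):
    """Run every check and return the findings in one dict, ready to report to the NSO."""
    events = parse(log_text)
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "unauthorized_accounts": unauthorized_accounts(events, set(approved_users)),
        "unauthorized_admin_commands": unauthorized_admin_commands(events, set(approved_admins)),
        "log_gaps": log_gaps(events),
        "integrity_changes": integrity_changes(BASELINE_FILES, CURRENT_FILES),
    }

if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the sample data the script flags five failed logons for alice from one address inside a minute (followed by a success, which is the pattern of a guessed password), the creation of svc_backup and its immediate sudo shell, a gap of more than an hour in the log, a changed /bin/ps and an unexpected /tmp/.x. Two design points are worth noting: the file check compares a SHA-256 digest rather than only the length and timestamp the list above mentions, because an attacker can preserve both while replacing a binary; and each finding is returned as data rather than printed, so it can be attached to the report that goes up the chain to the NSO.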
Proper care and diligence must be exercised when any of these incidents occurs in a firm. Members of the SIRT should investigate immediately to establish the cause. In addition, the departments of Mega-Corp, together with DLA Piper, should support the Subject Matter Expert (SME). The SME translates difficult technical information into terms and concepts that the end user can grasp at any level of the organization, which ensures the content accuracy of Mega-Corp's corporate policies.
Include a communication strategy that will ensure members of this team have all of the information they need to be successful, if called upon to respond to an incident
When a security threat has been detected, employees should inform their NSO; it is therefore mandatory that they know who their NSO is. If the NSO cannot be reached, the NSM should be contacted; if he or she is not available, the ISSO; and if all else fails, the office of the ISBR. The ISBR can in turn notify the CIO. All of this should be done in a timely fashion so that the effects of the threat are minimized. If the CIO judges the breach serious enough, he or she should refer it to the CHFI for appropriate response options. If criminal activity is suspected, proper legal counsel should be sought.
The following should always be given top priority:
- Possible life-threatening activity
- Attacks on the Internet infrastructure:
  - Root name servers
  - Domain name servers
  - Major archive sites
  - Network access points (NAPs)
- Widespread automated attacks against Internet sites
- Network/packet sniffers
- Router attacks
- Root compromises
Such incidents are handled through reports, training scenarios and documents that can be handed off to law enforcement when necessary. Employees must never disclose information about incidents in the organization to anyone outside the chain of reporting (MTU, 2011).
After an incident has been reported to the right authorities, it must be investigated thoroughly to arrive at possible solutions. Timely reporting allows all members of the incident response team to play their roles effectively. Detection, reporting and analysis of an incident are the prerequisites for containing it; containment decisions depend on the type of incident. Incidents can be communicated in various ways, including email, phone conversations, notice boards and in person; if the email system itself may have been compromised, an out-of-band channel such as the telephone should be used. Nevertheless, only those within the incident response team should have access to information about potential and existing incidents.
Depending on the type of incident, the response team should develop appropriate measures to prevent further incidents within the organization. The information technology team should be trained in ways to maintain the operation of the system. Every member of the response team needs to be provided with the right resources to recognize, report and analyze incidents in the organization. After discovering what caused the incident, the response team should take effective measures to ensure that it does not happen again and identify the supplementary resources needed to identify, report, evaluate and mitigate future incidents.
Department of Homeland Security. (2012). Protected Critical Infrastructure Information (PCII) Program. Retrieved from http://www.dhs.gov/files/programs/editorial_0404.shtm
Guide for the Role and Responsibilities of an Information Security Officer within State Government. (2008). Retrieved from http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf
International Legal Technology Association. (2012). ILTA membership benefits. Retrieved from http://www.iltanet.org
Job Description of an Information Systems Security Officer. (2012). Retrieved from http://education-portal.com/articles/Job_Description_of_an_Information_Systems_Security_Officer.html
Kruse, W. G., & Heiser, J. G. (2001). Computer Forensics: Incident Response Essentials. Addison-Wesley.
MTU. (2011). Information Security Plan. Retrieved from http://www.security.mtu.edu/policies-procedures/ISP_Final.pdf
Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2008). Guide to Computer Forensics and Investigations. Course Technology.