CASE: Create A Cybersecurity Incident Response Team (CSIRT)
Cybersecurity events can happen at any time. Notable historic security events show the shortening cycle of threats: the Melissa virus, which took several days to spread; the “Love Letter” worm, which became rampant in just a day; and the Nimda worm, which wreaked havoc in just hours. These incidents show that little time is needed to infect systems around the world, and a company must therefore have the capability to respond quickly to prevent major losses and interruptions in service.
“Every minute, we are seeing about half a million attack attempts that are happening in cyber space.”
-Derek Manky, Fortinet global security strategist
For regulated businesses such as banking and health care, governments are enacting laws that require businesses to provide mechanisms for protecting consumer data and privacy. And those mechanisms can’t come quickly enough, according to security experts such as Manky.
Because of rapid changes in security threats, even huge capital expenditures on hardware and software designed for the security of your network will only help reduce, but not eliminate, the risks associated with a security event. A well-organized CSIRT is one of the components of an organization’s strategy, and it is a component that needs to be embedded and embraced at all levels of the organization.
So what happens when the organization is breached? Every incident yields a cost for the organization. If caught early, the cost can be minimal. However, if an incident occurs and there is no clear plan and a good team to execute the plan, the costs associated with a breach can climb (for example, Target: https://www.washingtonpost.com/news/on-leadership/wp/2014/01/13/target-ceo-opens-up-about-data-breach/?utm_term=.9ae38512b926).
As we read earlier, a good cybersecurity plan does not attempt to catch EVERY intrusion, but instead strategically focuses on: “identifying and protecting the company’s strategically important cyber assets and figuring out in advance how to mitigate damage when attacks occur.”
It is a simple fact that the number of computer and software vulnerabilities is growing and the sophistication of attacks is increasing. Organizations need to develop a comprehensive plan to secure sensitive information and ensure the survivability of their critical infrastructure.
iFinance is one of the largest banks in the country with a national network of branches, products and services that span the entire financial range—from traditional consumer banking and investment services to insurance and corporate investment banking.
iFinance was formed three decades ago through acquisitions of regional banks in the West and Midwest. Those banks had themselves grown through mergers of numerous smaller banks, so iFinance is the product of the acquisition or merger of dozens of banks. iFinance has billions in assets, operates 2,225 banking offices in 25 states and over 4000 ATMs, and provides online banking and mobile banking apps to both business and personal customers. The bank employs 25,000 tellers, staff, and management.
A problem facing iFinance is that, due to these mergers and acquisitions, each of its business units has its own legacy networks and its own vision of how security measures should be implemented to protect its resources. As iFinance has acquired more companies and increased the number of service offerings, it has become more critical that a standard set of repeatable processes be put in place to deal with security incidents. iFinance’s approach to security must be carefully coordinated across all business units to provide a consistent, repeatable process.
The top executives of iFinance recognize that, to be successful in the financial industry, they must have a clear understanding of the organization’s security risks and be able to identify solutions to eliminate or minimize any potential threats to the organization. To get started, this fall iFinance published and distributed its security architecture plan for infrastructure security on its internal website. This activity helped iFinance articulate a starting direction for its information security needs.
You are a newly hired Information Security Manager who started a few months ago. You have noticed that security incidents are occurring, and although these incidents are being addressed, they are being handled inconsistently across the iFinance organization. You recognize that a consistent incident response system needs to be implemented.
Submit your individual write up on the last day of the intersession (in the Inter-session Activities Assignment Area of the Bb course), prior to arriving in class.
- Use a minimum of 3 scholarly references from peer-reviewed, academic journals (must be accessed through Ottawa’s online library), and include supporting materials and references from your web-based research of the selected organization.
- Your paper and all citations/references are required to be in APA format. The Purdue OWL website is an excellent resource for APA formatting and reference examples: https://owl.english.purdue.edu/owl/resource/560/05/
- Your paper must include the following sections:
- Mission and vision statement for the CSIRT
- Identify key stakeholders that the CSIRT will serve, and how you will
- Determine the scope and levels of service the CSIRT would provide
- Staffing Recommendations – identifying and procuring personnel, equipment, and infrastructure requirements for the CSIRT
- Identify and utilize existing information security technical staff and resources to support the CSIRT activities (when needed)
- Identify any external resources needed
- Develop what you believe are the top 5 key CSIRT policies and procedures (based on best practices and everything you have reviewed and learned in this course, and any additional resources needed) that are required to guide all other policies and processes, given iFinance’s industry, size, structure, etc.
- Define the CSIRT reporting structure, authority, and organizational model to ensure that the team has access, funding, and a clear mandate
- Estimate the amount of additional funding needed to implement and maintain the CSIRT
- Communications plan to make security a priority for iFinance’s many employees in offices distributed throughout 25 states
- Establish a proposed timeline for implementing the CSIRT
- Conduct research to establish ROI
- Find examples of cybersecurity incidents in similar organizations
- To identify the total cost of an incident, consider the direct costs of manpower, equipment, and lost production time, and also other indirect costs, such as the potential cost of lost business and damage to the company’s reputation and brand image.
Part 1 – Case Study Write-up Rubric:
200 points total:
15 points – 3 scholarly, peer-reviewed references
10 points – APA formatting throughout the paper
10 points – Mission & Vision Statement
10 points – Key Stakeholders
10 points – Scope of Services
10 points – Staffing Recommendations
10 points – CSIRT Organizational Structure/Reporting
50 points – Key Policies/Best Practices
15 points – Funding Request/Estimate
25 points – Communication Strategy
10 points – Proposed Timeline
25 points – ROI research/rationale
Part 2 (this will occur during your Day 3 session) – Teams will be picked during the Friday session
Armed with support from key stakeholders, knowledge of best practices currently being used in incident management, an understanding of the current and potential threats to iFinance, and a vision and plan for implementing a CSIRT, it is now time to make the business case to the Chief Technology Officer (CTO), Chief Operations Officer (COO), and the Chief Legal Counsel to finalize plans for funding and staffing an operational CSIRT.
You are required to present a well-researched, compelling rationale that includes:
- existing/pending government regulations
- the costs of attacks (direct and indirect costs)
- how the CSIRT fits into the organization
- Scope of Services
- Staffing Recommendations
- CSIRT Organizational Structure/Reporting
- Key Policies/Best Practices
- Funding Request/Estimate
- ROI research/rationale
- Proposed Timeline
Your team will be given time to discuss each other’s write-ups, and you can combine the best aspects of your write-ups into one team framework.
Your team will then present your CSIRT business case. Remember, communication and internal buy-in are key to your role as managers and executives on all projects. You are not merely presenting facts; you are “selling” your business case in a persuasive presentation.
Guidelines/Rubric: 150 points
- Your presentation is 15 – 20 minutes in length, including a clear introduction and conclusion, with clear supporting arguments.
- Slides are free from grammar and spelling errors, and avoid too much text per slide.
- Slides include compelling and professional graphics.
- The presentation is persuasive, presenting a clear need for the CSIRT and a well-developed rationale for the team’s proposal as a solution to that need.
- Every member of the team should present in a balanced and well-coordinated presentation.