Whip Your Incident Response Program into Shape

Transcription

1 Whip Your Incident Response Program into Shape 1 Agenda Introductions Understand requirements behind an incident response program (IRP). Identify the different components of an effective IRP. Learn how to prepare for your testing exercise. Learn how to develop meaningful testing scenarios. Understand how to conduct and document the testing. Questions 2 1

2 INTRODUCTIONS 3 Today s Speakers Nadia Fahim-Koster, Director, Meditology Services 14+ years experience in healthcare IT security and privacy leadership Previously CISO and Chief Privacy Officer for several large health systems Certified CISSP, HCISPP, and HITRUST CCSFP Advises healthcare clients coast to coast on privacy and security Kim RoSser, R.N., Senior Associate, Meditology Services Certified HITRUST CSF Practitioner Extensive Risk Assessment experience working with HITRUST, HIPAA, FISMA, and NIST Registered Nurse with 20+ years of clinical experience Meditology is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare 4 2

3 REGULATORY REQUIREMENTS 5 Requirements The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to identify and respond to suspected or known security incidents, as well as mitigate to the extent practicable, harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes. 6 Source: Department of Health & Human Services: HIPAA Security Series: Requirement (a)(6)(i) Response and Reporting. 3

4 COMPONENTS OF AN EFFECTIVE INCIDENT RESPONSE PROGRAM (IRP) 7 Policy The National Institute of Standards and Technology (NIST) recommends that the following elements be included in the IRP policy: Statement of management commitment Purpose and objectives of the policy Scope of the policy Definition of security incidents and related terms Roles, responsibilities, and levels of authority Severity ratings of incidents Performance indicators Reporting and contact forms NIST Special Publication , Revision 2 Computer Security Incident Handling Guide 8 4

5 Plan The plan should be tailored to the size, structure, and mission of your organization. NIST recommends that the following elements be part of your IRP plan: Senior management sponsorship and approval Goals and objectives for incident response Organizational structure of the various team members, their resource requirements, and their roles Communication process for internal and external entities Outline of the incident response methods for each classified incident from the policy Metrics for evaluating the effectiveness of the team and process Processes for annual review and evaluation 9 Organizational Structure Command Define the Incident goals and operational period objectives Includes an Incident Commander, Safety Officer, Public Information Officer, Senior Liaison, and Senior Advisors Operations Logistics Planning Admin/Finance Establishes strategy (approach methodology, etc.) and specific tactics (actions) to accomplish the goals and objectives set by command Coordinates and executes strategy and tactics to achieve response objectives Supports Command and Operations in their use of personnel, supplies, and equipment Perform technical activities required to maintain the function of operational facilities and processes Coordinates support activities for incident planning, contingency, long range and demobilization planning Supports Command and Operations in processing incident information Coordinates information activities across the response system Supports Command and Operations with administrative issues as well as tracking and processing incident expenses Include such issues as licensure requirements, regulatory compliance, and financial accounting 10 5

6 Statement of Management Commitment Management commitment and responsibilities include: o Program management o Program review and updates o Development of a review panel or task force if hazards are identified, or for deployment after an event to assist in its review o Assisting with training o Enforcing disciplinary actions as needed o Interaction and assistance with regulatory and response agencies 11 Purpose and Objectives Purpose and objectives of the policy To ensure that information security events, and weaknesses associated with information systems, are handled in a timely manner and allow corrective action to be taken. Governs the actions required for reporting and responding to security incidents involving client information assets. Ensures effective and consistent handling of such events to limit any potential impact to the confidentiality, availability and integrity of client information assets. 12 6

7 Scope Scope of the policy: Applies to all workforce members, users, and all personnel affiliated with third parties who access or use client information assets, regardless of physical location. Also applies to: o Information technology administered in individual departments o Technology administered centrally o Personally-owned computing devices connected by wire or wireless to the client network o Off-site computing devices that connect remotely to client network 13 Definition of Security Incidents Security Incident: a violation, or imminent threat of a violation, of IT or Information Security policies, procedures, acceptable use policies, or standard security practices. Security Incident Response Team (SIRT): a group of individuals set up for the purpose of assisting in responding to security-related incidents. Unauthorized Access/theft: unauthorized access encompasses a range of incidents from improperly logging into a user's account (e.g., when a hacker logs in to a legitimate user's account) or unauthorized usage of logon credentials to obtaining unauthorized access to files and directories possibly by obtaining "super-user" privileges. Virus: self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence. 14 7

8 Roles and Responsibilities Roles, responsibilities, and levels of authority Role Primary Incident Handler Incident Coordinator Function The assigned owner to a security incident after the initial notification Ensures coordination, documentation, and communication with the SIRT and any other departments or organizations directly involved in the security incident Responsible for the quality of the incident handling procedures for the assigned event Designates incident roles and responsibilities per incident Manages team members assigned to specific tasks during an incident The communication point between SIRT groups, members and the Primary Incident Handler Makes sure that the team is focused on their goal and reports any findings up the chain of command Prepares a written summary of the incident and corrective action taken Documents all details of an incident and facilitates communication Onsite Incident Handler Incident Sponsor (Executive Leadership) Lead handler during offsite incidents and will be responsible for gathering evidence and making sure proper procedures are followed as defined by the Primary Incident Handler. The SIRT should have a member of the management team as its sponsor. Users/ Employees Report suspected or known security incidents through the IT Service Desk Cooperates with investigative personnel during investigation if needed 15 Severity Ratings Severity ratings of incidents Severity Level Description Examples Critical/ High Incidents that are extensive, widespread and where the impact is severe. Malicious code Unauthorized access DOS affecting critical services Data breach Outages Attack against infrastructure Medium Incidents where the impact is significant. Attempts to gain unauthorized access Open mail relay Low Incidents where the impact is minimal (minor, localized incidents). Unauthorized network probes or system scans Isolated virus infections 16 8

9 Performance Indicators List of possible metrics is provided below: Total number of incidents (as a control measure) Breakdown of incidents by stage (logged, work in progress, closed, etc.) Size of current incident backlog Number and percentage of major incidents (as well as other impact, urgency and priority) Mean elapsed time to achieve incident resolution or circumvention, broken down by impact code Though a lengthy list, it is not exhaustive.. 17 Reporting and Contact Forms Reporting and contact forms Sample contact form Incident Report covers the following key areas: Incident Identification Information Incident Summary Incident Notification Incident Workflow Action Summary Post Incident Analysis Artifacts 18 9

10 Procedures The most common procedures include the following elements: Communication both internal and external to your organization Escalation notification Incident tracking forms Incident reporting and documentation Investigation checklists by technology platform Remediation checklists by risk and threat classification Security information event management (SIEM) Evidence collection and handling chain of custody Forensics investigation and documentation Data retention and destruction Non-disclosure agreements 19 PREPARE FOR YOUR TESTING EXERCISE 20 10

11 Testing Preparation A good IRP test requires adequate preparation: Review every component of your IRP including your IRP Policy Assess your procedure documentation for potential improvements and/or changes Identify the different teams listed within the IRP to know who the participants of the exercise will be Determine whether you will involve every member of every team, or just a representative 21 Testing Preparation Every role should have 2 tiers (primary and secondary) Roles to include: o Internal communications o External communications o Human Resources o Legal o Executive Leadership o Marketing 22 11

12 DEVELOP MEANINGFUL TESTING SCENARIOS 23 Meaningful Scenarios Create the scenarios that will be used during the exercise: Align the scenarios with the incident criticality levels as identified in the IRP plan Create scenarios that align with real-life incidents in the industry Scenarios should test for the effectiveness of your organization s HIPAA Breach Notification plan 24 12

13 Low Incident Jessica in HR has been busy interviewing candidates for positions within Client. She mistakenly ed one of the candidates a document containing employee demographic information. She immediately notifies her manager. What next steps should be taken? 25 Medium Incident Several employees have reported the following From: Smith, John [john.smith@clientinc.com] Sent: Friday, July 15, :15PM Subject: System Administrator UPDATE YOUR MAIL BOX QUOTA Your mailbox has almost exceeded its storage limit. It will not be able to send or receive s if exceeded it limit and your account will be deleted from our servers. To avoid this problem you need to update your mailbox quota. By clicking on the link below and filling your login information for the update. If we do not receive a reply from you, your mailbox will be suspended. Thank you for your cooperation 26 13

14 Critical Incident: Hacktivist Threat & Attack Receptionist receives a threatening phone call from Pro Life Radicals objecting to <CLIENT> s support of birth control and contraceptives. Pro Life Radicals state, YOU HAVE 7 DAYS TO PUBLICLY MAKE A STATEMENT PLEDGING <CLIENT> WILL NO LONGER PROVIDE ANY CARE THAT DOES NOT ALIGN WITH PRO LIFE IDEALS. <CLIENT> IS NOT TO PROVIDE BIRTH CONTROL, CONTRACEPTIVES, NOR ANY PREGNANCY ENDING PROCEDURES. FAILURE TO COMPLY WILL RESULT IN THE MARRING OF THE <CLIENT> BRAND AND REPUTION, ALONG WITH THE LOSS OF THE CONFIDENTIALITY PROMISED TO YOUR PATIENTS. THIS MESSAGE WILL BE DELIVERED DAILY UNTIL COUNTDOWN EXPIRES. 27 CONDUCT AND DOCUMENT THE TESTING 28 14

15 Conducting the tabletop exercise Designate a facilitator (akin to a Dungeon and Dragon game master) Facilitator should outline his/her role and responsibilities o help participants step through the exercise in an organized manner o ensure the active participation of all team members o raise difficult questions o make certain that the IRP is being followed o verify that any identified issues are documented Ask members to introduce themselves and the areas they represent Have several copies of your organization s IRP on hand! 29 Conducting the tabletop exercise Describe to the team what your organization intends to accomplish by conducting an IRP tabletop exercise Explain what an example scenario looks like and how you will walk the participants through the incident Describe the role of the scribe(s) Choose to begin with either a low-level incident or a critical-level incident Read the scenario to the team and give them a few minutes to digest the information before proceeding 30 15

16 Conducting the tabletop exercise Get the team started by asking them some questions such as: o How would you handle this incident? o Who should the charge nurse notify? o Who would be notified next? Be sure teams adhere to the IRP documents During the second scenario, introduce unexpected variables to throw the team off guard and see how they handle new, unexpected information 31 Conducting the tabletop exercise HOTWASH: Summarize the events Run through the list of to-dos identified by the team during the exercise Perform a lessons learned session Survey participants: 1. Did you get what you needed? 2. Did everyone in your group participate? 3. What did you learn? 4. What would you change? 32 16

17 Documenting the tabletop exercise Writing the report is probably the most difficult part of the tabletop exercise. Ensure the scenarios are described and include all the notes for each scenario, including candid conversations Include takeaways and a to-do list, as well as all associated notes Keep the report handy for the next time you conduct a tabletop exercise, because you will need it to verify that any required updates were made 33 Questions Nadia Fahim Koster Director, IT Risk Management nadia.fahim koster@meditologyservices.com Kim RoSser Sr. Associate, IT Risk Management kim.rosser@meditologyservices.com 34 17