To discuss cyber incident response with the CEO, you must be familiar with ISO 27001, NIST's CSF, PCI DSS, the NCSC's Cyber Assessment Framework and the other regulations and standards that address cyber incident response and incident management.
First, know that all of these regulations and standards refer to one or more of the topics below:
Our NCSC-Certified Cyber Incident Planning & Response Course covers the above topics and more.
The GDPR has become synonymous with the protection of personal privacy. However, part of this privacy regulation requires organisations to detect data breaches affecting natural persons in a timely manner and to respond to them swiftly. Specifically, two articles of the EU GDPR deal with data breach notification: Article 33 (notification to the supervisory authority, without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and Article 34 (communication to the affected data subjects where the breach is likely to result in a high risk to their rights and freedoms).
Please note: NOT all data breaches need to be reported. Under Article 33, notification to the supervisory authority is not required where the breach is unlikely to result in a risk to the rights and freedoms of natural persons, although every breach must still be documented internally. The points above on data breaches and the GDPR are just the tip of the iceberg, and businesses that want to become truly compliant are advised to review our CIPR workshop and its detailed modules. The CIPR course's module 9, 'Regulations and Standards', discusses exactly what you need to know and how to ensure you meet your obligations on the above requirements. The UK's ICO takes the same position on reportable breaches. In the UK, the GDPR is supplemented by the Data Protection Act 2018 (DPA 2018).
Reporting a breach is the easier part, especially if the media does it for you. To stay on the front foot, however, you need all your ducks in a row, including but not limited to: monitoring, the coverage of that monitoring, detection technology, technology to protect the monitoring data itself, and staff who are adequately trained to operate the technology stack.
Annex A.16.1 of ISO 27001:2013 is devoted to the management of information security incidents and improvements: reporting, assessment, response and lessons learnt (similar to, but not the same as, NIST's incident handling phases). The NCSC-Certified CIPR course teaches you how to achieve and comply with this section of ISO 27001. Below are the control descriptions listed in Annex A.16.1:
ISO 27001 certification is often treated as a prize, and great effort is spent on achieving it. In our opinion, this is a fallacy: the ISMS (Information Security Management System), the core component of ISO 27001:2013, must become part of the organisational culture rather than an end in itself.
When it comes to the ISO 27001 Annex A.16.1 controls, organisations must avoid focusing solely on the paper elements of the requirements (the reporting form, the procedure documentation) and instead focus on materially improving the organisation's cyber resilience posture by adopting our CIPR philosophy of CATTS: Critical Assets, Threats (to those critical assets), Threat Actors that can materialise those threats, and finally Scenarios that combine the CATT elements to impact your business. To further understand the requirements of ISO 27001 certification, you can go through our CIPR training, which delves deeper into the control descriptions given above.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle branded payment cards from the major card schemes. The card brands mandate compliance with the standard, while the Payment Card Industry Security Standards Council (PCI SSC) maintains and publishes it.
In the PCI DSS, several requirements can be classified under Cyber Incident Planning & Response:
Requirement 10: Track and monitor all access to network resources and cardholder data. This requirement says you must log all user access to system components and cardholder data so that you can go back, 'replay' events and build a clear picture of what happened, when it happened and which user was involved. The PCI DSS self-assessment questionnaires (SAQs) give a structured way to assess whether your logging meets this requirement.
Requirement 12: Maintain a policy that addresses information security for all personnel. Specifically, Requirement 12.5 says that you must assign the following information security management responsibilities to an individual or team:
We like the PCI DSS. It is detailed and prescriptive, and even if you do not process card data you should consider reviewing the above controls (and others) to improve your cybersecurity and overall cyber resilience.
Requirement 10 is the more technical of the two: it covers what you should log, which events you should audit, how long you should retain those logs (at least one year, with a minimum of three months immediately available for analysis) and more. In short, PCI DSS Requirement 10 asks that you be able to piece the puzzle together during and after an attack.
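The 'replay' that Requirement 10 asks for only works if every audit record carries enough detail to answer who, what, when, from where, against what and with what result, and if the records are still there when you need them. The following Python is an added example, not code from the original page or from the CIPR course: it checks constructed sample audit records against the six audit-trail fields PCI DSS v3.2.1 requirement 10.3 expects (user identification, type of event, date and time, success or failure, origination, identity of the affected resource), reconstructs one user's timeline, and checks a log store's oldest record against the retention periods in requirement 10.7. The JSON-lines format, field names and IP addresses are assumptions made for the example.

```python
"""Added example: validate audit-trail records for PCI DSS Requirement 10,
rebuild a per-user timeline (the 'replay') and check log retention.
Sample records are constructed for illustration, not taken from a real system."""
import json
from datetime import datetime, timedelta, timezone

# Fields every audit-trail entry must carry (PCI DSS v3.2.1, 10.3.1 to 10.3.6).
# Field names are this example's own assumption; map them to your log schema.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")

# Constructed sample records (JSON lines). The last one lacks "target",
# so it cannot tell you what was exported and would fail an assessment.
SAMPLE_LOG = """
{"timestamp": "2024-03-01T08:55:10Z", "user": "svc_backup", "event_type": "login", "outcome": "success", "origin": "10.0.5.12", "target": "db01"}
{"timestamp": "2024-03-01T09:02:44Z", "user": "alice", "event_type": "login", "outcome": "failure", "origin": "203.0.113.7", "target": "vpn-gw"}
{"timestamp": "2024-03-01T09:03:01Z", "user": "alice", "event_type": "login", "outcome": "success", "origin": "203.0.113.7", "target": "vpn-gw"}
{"timestamp": "2024-03-01T09:10:27Z", "user": "alice", "event_type": "read", "outcome": "success", "origin": "10.0.8.21", "target": "cardholder_db.pan"}
{"timestamp": "2024-03-01T09:11:02Z", "user": "alice", "event_type": "export", "outcome": "success", "origin": "10.0.8.21"}
"""


def parse_log(text):
    """Parse JSON-lines audit records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def missing_fields(record):
    """Return the required 10.3 fields that are absent or empty in one record."""
    return [field for field in REQUIRED_FIELDS if not record.get(field)]


def validate(records):
    """List (index, missing fields) for every record that cannot be replayed."""
    problems = []
    for index, record in enumerate(records):
        missing = missing_fields(record)
        if missing:
            problems.append((index, missing))
    return problems


def _when(record):
    # ISO 8601 with a trailing Z; convert to an aware datetime for sorting.
    return datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))


def timeline(records, user):
    """Chronological events for one user: what happened, when, and against what."""
    events = [r for r in records if r.get("user") == user]
    return sorted(events, key=_when)


def retention_status(oldest_retained, oldest_online, now):
    """Check 10.7: (at least one year retained, at least three months immediately
    available). oldest_retained is the oldest record anywhere (archive included);
    oldest_online is the oldest record searchable without restoring from archive."""
    one_year = now - oldest_retained >= timedelta(days=365)
    three_months = now - oldest_online >= timedelta(days=90)
    return one_year, three_months


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for idx, missing in validate(recs):
        print(f"record {idx} cannot be replayed: missing {missing}")
    for ev in timeline(recs, "alice"):
        print(ev["timestamp"], ev["event_type"], ev["outcome"], ev.get("target", "?"))
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print(retention_status(now - timedelta(days=400), now - timedelta(days=95), now))
```

Run against a real export, the validation loop is the check an assessor would make before trusting the logs at all: a record with no target or no outcome is an event you can see but cannot explain. The retention check is deliberately separate, because logs that were complete but have since rolled off fail Requirement 10 just as surely.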
Requirement 12 is about policy: your staff must be properly trained on the technology and must know the policies and procedures for cyber incident detection and response. Requirement 12.10 specifically calls for an incident response plan that is tested at least annually.
However, the mandates and recommendations covered here are only a glimpse of the full compliance requirements of the PCI DSS, which we cover in our CIPR training workshop. Businesses directly involved in the payment card industry, or those interested in improving their security posture by complying with these standards, are advised to gain a deeper understanding of them.
The National Institute of Standards and Technology needs little introduction. NIST's Computer Security Incident Handling Guide (Special Publication 800-61 Revision 2) has been the bible for incident response for years. In summary, it describes four key phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity.
The above four phases are only part of the state of 'being prepared'. In our opinion, a significant amount of experience, effort, training and skill goes into increasing an organisation's cyber resilience capability. We caution the reader against a dogged approach to compliance or religious dedication to a particular standard. Instead, we advise our clients to focus on the primary objective: ensuring the business can continue to operate and make a profit when put under significant impact by a cyber-attack. For a detailed understanding of the NIST requirements, we advise our clients to put their key security decision-makers and associated stakeholders through our CIPR training.
The NIST Cybersecurity Framework (CSF) is another excellent document from NIST. It names five key areas, Identify, Protect, Detect, Respond and Recover, which it calls Functions; these are broken down into Categories and then Subcategories, and each Subcategory calls for a specific outcome. (CSF version 2.0, published in 2024, adds a sixth Function, Govern.) For example:
The Detect Function (DE) has a category Anomalies and Events (DE.AE), and its second Subcategory, DE.AE-2, says: "Detected events are analyzed to understand attack targets and methods."
There are too many sections in the CSF to cover in this blog, and interested businesses can look to our CIPR course for a detailed treatment, but here are a few:
First published in 2014 (version 1.0) and updated to version 1.1 in 2018, NIST's Cybersecurity Framework and its IPDRR taxonomy (Identify, Protect, Detect, Respond and Recover) are often quoted by experienced cybersecurity practitioners around the world. We cannot put it better than NIST itself, which says of the CSF: "The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes."
Although originally developed for critical national infrastructure (the original document is titled 'Framework for Improving Critical Infrastructure Cybersecurity'), the Cybersecurity Framework, or CSF, is used and implemented by companies of all sizes in all sectors.
Like NIST's Cybersecurity Framework (CSF), the UK NCSC's Cyber Assessment Framework (CAF) is written in terms of specific outcomes rather than as a checklist of tick boxes. It is comprehensive: four objectives broken into 14 principles, each of which is further broken into contributing outcomes. An organisation can self-assess against the framework, or the assessment can be carried out by an external consultant.
Each contributing outcome is assessed against the CAF's indicators of good practice at one of three levels: Not Achieved, Partially Achieved or Achieved (not every outcome defines a Partially Achieved level).
The aim is to ensure that an organisation has resilience built into its networks and systems so that it can recover them, and its business operations, after an incident.
Objective C of the CAF, Detecting cyber security events, is about ensuring that an organisation monitors its networks and systems so it can detect and track problems and confirm that existing controls are effective. Under principle C1 (Security Monitoring), the following address cyber incident response and cyber resilience:
Principle C2 (Proactive Security Event Discovery) does what it says on the tin: the keyword is proactive, and achieving that is not a simple task. Many moving parts need to align and move in unison, including highly skilled staff, the right technologies (including automation) and optimised processes and procedures.
The full NCSC CAF is comprehensive. Our NCSC-Certified CIPR course is the best place to get into the context of the CAF, which is straightforward and, like NIST's CSF, does a good job of capturing the various stages or phases of a cyber-resilient organisation. However, organisations often get lost in the detail and, more importantly, lose sight of the main objective: being cyber resilient, that is, being prepared either to carry on business operations or to rapidly resume them in the face of a crisis.
As you would expect, the UK's FCA has guidance on cyber incident response and, more specifically, on notification.
Principle 11: The FCA Handbook sets out the Principles for Businesses, and Principle 11 is the one that concerns us here. Verbatim, Principle 11 says:
A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice.
As it says, firms must be open and transparent with the regulator. Principle 11 applies to both regulated and unregulated activities.
The Handbook's notification rule (SUP 15.3.1 R) goes further: a firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future:
In addition, the FCA and the PRA (Prudential Regulation Authority) have a cybersecurity and cyber resilience questionnaire, CQUEST, which is divided into six categories:
Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:
As mentioned in earlier sections, this blog offers only a cursory view of the important stipulations of these regulations and guidance; for a clearer perspective, and for guidelines on achieving full compliance, look at our CIPR course, which covers these subjects in detail.
If California were a country it would (apparently) be the fifth largest economy in the world. California does things its own way and is known for taking the lead on many issues, including having a GDPR-like privacy law, the California Consumer Privacy Act (CCPA).
California also has a specific data breach notification law, summarised on the California Attorney General's 'Data Security Breach Reporting' page. Below is part of what that page states, verbatim.
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)
Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)
Other US states have similar laws (every US state now has a breach notification statute), including:
The above is just a summary. As with any regulation, the devil is in the details, and if you come under the purview of California law you should study the regulations in detail, which our CIPR course covers.
If you need more information on how to design effective cyber incident response plans and embed good response practices, so that your business remains compliant and on top of data breaches, check out our NCSC Assured Cyber Incident Planning & Response course.