Saturday, October 10, 2009

An effective incident response process

Thanks to the great people at SC Magazine for publishing this piece of mine.

Security and privacy incidents pose real risks to companies of any size and complexity.

These types of unwelcome events do not discriminate. The steps your company takes to deal with the response and remediation, however, will allow you to differentiate yourself from other companies who suffer the same fate.

An excellent first step in the incident response process is to simply define and understand what the terms violation, incident or breach mean in the context of your industry's lexicon. The terms may already be defined by regulations or laws that govern your industry or company. If so, you should align your understanding with these already-defined measures since you will probably be legally held to them in the case of an incident. It also will be beneficial to try and articulate the possible scenarios that are likely to occur in your line of work. While you cannot possibly define every likely incident, you should be able to imagine a short list of the ones within the realm of possibility.

Second, define, document and publish procedures that are to be followed in the event of an incident. The procedure should include steps to take in reaction to the incident that define who does what and when. The procedures don't necessarily need to be overly detailed or verbose, but they should avoid being subjective or too generic so as not to invite indecision or confusion during a time when you least want it. Having a single procedural guide on which to rely during incidents fosters accountability and follow-through.

Once a central point of contact is appointed, then a response team can be created. Depending on your company, this may be an army of one or a group of 25. If you don't have the luxury of dedicated resources, then a virtual team can be named that comes together in a time of crisis, and then just as quickly dissolves once the storm has passed. This process allows a company to harness the particular expertise of its employees, while still allowing them to do their day jobs.

In this age of free-flowing information, your customers and clients do not realistically expect you to never have a security or privacy breach. No rational person expects all of their data, in all its iterations, in all locations, to forever remain safe and secure. What those customers and clients do expect of you is to have a process in place to reasonably prevent the incident from happening and, when it does happen, to have a plan in place to deal with the consequences. Part of those consequences involves notice to clients and customers of what happened, details on how you will rectify the current situation and, finally, plans to ensure that this same event does not happen in the future.

From the October 2009 issue of SC Magazine (http://www.scmagazineus.com/An-effective-incident-response-process/article/151825/)

Thursday, October 1, 2009

The Privacy Paradox Part I

"You have zero privacy anyway. Get over it." - Former Sun Microsystems CEO, Scott McNealy.

With the increasing evidence of the lack of personal privacy that average Americans are experiencing daily, it might be interesting to try and uncover possible culprits and root causes. Technology? The government? Global warming? Nope. Here's the answer: you. Read on.

Forget about the lack of privacy for a second. Instead, think about all you do to try and stay secure, and low-profile enough so as not to make yourself a target for identity theft: you shred all of your sensitive documents, you only do business online with SSL-enabled websites, you check your credit score annually, you read your credit card statements carefully. And yet, ironically, many of your daily habits work to undermine the anonymity and low visibility you seek to maintain. How? Simple. Throughout the week, in the online and offline world, start counting up all of the places you leave an electronic fingerprint or footprint big enough that Hansel and Gretel would have no problem following it home, let alone someone more nefarious trying to track you.

Let’s start in the morning. You head to Starbucks for coffee and breakfast. You pay with your Starbucks card and a little crumb is left that you were there. (Literally and figuratively.)


As you head over the bridge, you maneuver towards the E-ZPass lane to expedite your crossing, while the camera reads your E-ZPass tag and debits your account for the $4 toll. At the same time, it records that you were crossing the bridge, again, that morning at around the same time every weekday.

Once you’re at work, all day you’ll be logging into websites that you typically frequent that will greet you with the “Welcome Back!” message since you checked the “Remember Me” box on the sites and a ‘cookie’ was placed on your computer. Ostensibly created to enrich the surfing experience and save users from logging in every time, the cookies tell the websites not only when you went to the site but what kind of things you like to do when you are there. You may have even given them a credit card to hold for you as a matter of convenience! (Yours or theirs?)


You head to the gym at lunch and swipe your bar-coded gym card to let L.A. Fitness know you exercise at least 3 days a week. After the gym, you stop at Chick-fil-A for a grilled chicken sandwich, which you pay for by credit card. MasterCard now knows you like waffle fries.

You stop on the way home from work at ShopRite for flowers for the wife and, before you pay, you swipe your ShopRite Plus card at the register to save $1.50 on the bouquet, and, unknowingly, to help ShopRite know not only to order another batch of orchids for its inventory, but what your shopping preferences are as well. Finally, you call home to let them know you’re running late. But the GPS tracking in your iPhone already knows this.

And this is all in just one day…the pattern amplifies once you begin to travel further away from home and to other countries. Everything collected about you so far was possible because you felt it a worthwhile voluntary tradeoff of a bit of your privacy for the sake of convenience and efficiency; none of it was required or mandated by anyone.

Here’s the kicker. Think of the proverbial frog in the pot: turn up the heat all at once and he jumps out. If you slowly turn up the heat incrementally, he boils to death without realizing it. So you think you are losing your privacy little by little every day? Guess what? You are. And it’s not because the government or advancements in technology are necessarily taking it away; it is because you are giving it away. Little by little. And you may not realize it. Just like the little oblivious frog.