Question

In the context of ABC Inc., which is a large on-line electronic product company, answer the following questions.

1. State three regulations and standards that it should comply with.
2. List the responsibilities (role) of Information Security Officer in ABC Inc.
3. Suggest a reporting structure (as a diagram) for ABC Inc., assuming it has 2 million customers, 2000 employees, approximately 20000 transactions each day, and $2 billion sales. Give a brief justification.
4. Describe an incident response plan for ABC Inc. Write it as a list of steps with a brief description for each.

Answer 1

1. Regulations and Standards

Regulations

Businesses engaging in e-commerce are required to provide certain details on their websites in accordance with the Electronic Commerce Regulations. They should also be aware of their duties under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. The information that must be provided includes:

• details about your business
• goods and/or services which are being sold and pricing
• payment and delivery arrangements
• the right of the consumer to cancel their contract within a specified time
• if applicable, details of the trader’s complaints handling policy
• where applicable, any compatibility of digital content with hardware or software

Customers have the right to cancel their contract within 14 calendar days - this is commonly referred to as a 'cooling off period'. This applies even if services have commenced in the cooling off period. Cancellation must be in a prescribed form. There is an exception for digital content if the customer acknowledges the loss of the right to cancel.

Standards

Standards are instructions, specifications or measurements that serve as specific benchmarks for expected normal practices in an organization. In general, a standard is a reference point, model, or rule for implementing practices or procedures and for evaluating results.

In essence, a standard is an agreed way of doing something. It could be about making a product, managing a process, delivering a service or supplying materials standards can cover a huge range of activities undertaken by organizations and used by their customers.

2. Role of Information Security Officer in ABC Inc.

Information security officers monitor the organization's IT system to look for threats to security, establish protocols for identifying and neutralizing threats, and maintain updated anti-virus software to block threats. They are responsible for setting the computer usage protocols for their organization, for facilitating training on minimizing threats to the IT system, and for determining which types of software the organization should use. Information security analysts investigate cases where the IT system has been compromised and take the appropriate action to resolve the problem. Information security analysts work in both the public and the private sectors. Since the nature of their work involves working with computer systems, they work in clean, climate-controlled environments and must be able to sit for long periods of time.

3. Reporting Structure for ABC Inc.

4.Incident Response Plan for ABC Inc.

An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered.
The incident response phases are:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

1. Preparation

This phase will be the work horse of your incident response planning, and in the end, the most crucial phase to protect your business. Part of this phase includes:

• Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of data breach
• Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan.
• Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance

2. Identification

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.

Questions to address

• When did the event happen?
• How was it discovered?
• Who discovered it?
• Have any other areas been impacted?
• What is the scope of the compromise?
• Does it affect operations?

3. Containment

When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.

Questions to address

• What’s been done to contain the breach short term?
• What’s been done to contain the breach long term?
• Has any discovered malware been quarantined from the rest of the environment?
• What sort of backups are in place?

4. Eradication

Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remain in your systems, you may still be losing valuable data, and your liability could increase.
Questions to address

• Have artifacts/malware from the attacker been securely removed?
• Has the system be hardened, patched, and updates applied?
• Can the system be re-imaged?

5. Recovery

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.

Questions to address

• When can systems be returned to production?
• Have systems been patched, hardened and tested?
• Can the system be restored from a trusted back-up?
• How long will the affected systems be monitored and what will you look for when monitoring?
• What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/protection, etc)

6. Lessons Learned

Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were some holes. Lessons learned from both mock and real events will help strengthen your systems against the future attacks.

Questions to address

• What changes need to be made to the security?
• How should employee be trained differently?
• What weakness did the breach exploit?