Network Security CISSP-Discussion

Re: [CISSP-D] Question about laptop theft & Incident Response

Subject: Re: [CISSP-D] Question about laptop theft & Incident Response
Date: Fri, 8 Jun 2007 16:23:50 -0400
To declare it as an incident you need to show ...

1) it to be an un-usual occurrence (which it is)
2) there is possible harm or an attempt to harm the organization (which it is)

Steps of incident response (order is important) ...

1) A steady-state cycle between "Preparation" and "Identification" states (sorry, can't detail this here).
2) Containment (short-term and long-term) after incident has been identified 
and declared.
3) Eradication
4) Recovery
5) Lessons Learned

Fixing the blame on the employee within the incident handling cycle is not conducive to IR effectiveness; other processes should take care of this activity. However, make sure that whatever you or others do remains within forensically sound practices vis-à-vis any evidence that you might have.

Deploy a rep to the site to collect information.

Evaluate what can be done to contain the losses that can be caused by this event, and activate *pre-existing*, *pre-thought-out* plans that you have decided on to deal with such an incident. It helps to know what was on the laptop. Some of the things to do will be to break trust relationships from the laptop to other machines. Evaluate what sensitive data might have been on the laptop, etc. See if there are mandatory reporting requirements associated with loss of such data, etc.

Containment should again be done with an eye to forensically sound evidence handling. It is also in this phase that you (try to completely) separate the evidence from your environment so that advanced stages of containment and eradication do not affect the evidence. I leave it to you to figure out what that means in the context of a laptop theft :)

Containment might also involve evaluating the physical controls that failed and 
resulted in the theft.  (Propose some immediate corrective action so that such 
events are contained -- detailed handling of corrective policies happens in the 
lessons learned phase).

Move on to Eradication where you remove cause for the incident and completely 
remove the offending factor.  Again, what it means in this context needs 
thought.

Move on to Lessons Learned. Have a meeting and socialize your lessons learned with others; find out what can be done differently and better to minimize such losses. Maybe encrypt data on the hard drives, etc. etc.

Formalize a reporting process; get all parties to agree on your findings (signed acknowledgement) or, in case of a disagreement, make sure that the points of disagreement are clearly identified and documented (signed acknowledgement) so that the disagreeing party cannot discredit the whole report in a court of law.

Regards,
--
Raoon Kundi, CISSP
Identity Architect

PS: Most of this is from a SANS class on incident handling.



  ----- Original Message ----- 
  From: rifa 1987 
  To: CISSP-Discuss@yahoogroups.com 
  Sent: Wednesday, May 30, 2007 7:05 AM
  Subject: [CISSP-D] Question about laptop theft & Incident Response



  Hi all,

  Let's say a laptop of an employee of company X has been stolen. The laptop (which of course belongs to company X) contains valuable information like financial info, etc. From the security perspective, the procedure to handle this kind of event:
  1) The employee remains responsible for the tangible asset lost (the laptop), based on the agreement made between company X and the employee before the laptop was assigned.
  2) An investigation must be performed to determine whether there was user negligence (or not), to judge point (1).
  3) Estimate the loss of the intangible asset.
  4) ..... 
  5) ....... (please give an idea of what is missed here)

  Can that event be categorized as an incident, and then the incident response procedure declared?

  Many Thanks
  Rifa


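The containment steps Raoon lists (breaking trust relationships from the laptop to other machines, stopping what the stolen credential can still do, checking whether the machine was used after the theft, and keeping a record that stays usable as evidence) as an added example, not code from the original post or from either poster. It assumes a domain-joined Windows laptop in an Active Directory domain with an AD CS issuing CA, the RSAT ActiveDirectory module on the responder's workstation, and rights to disable accounts, revoke certificates and read domain controller security logs; every name in it ($ComputerName, $UserName, the CA config string) is a hypothetical placeholder.

```powershell
# Added example, not part of the original post. Containment for a stolen,
# domain-joined Windows laptop. ASSUMPTIONS (none stated on the page): an AD
# domain, the RSAT ActiveDirectory module, an AD CS issuing CA reachable with
# certutil, and the placeholder names below.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string]   $ComputerName,   # hypothetical, e.g. LT-0412
    [Parameter(Mandatory)] [string]   $UserName,       # hypothetical, e.g. jdoe
    [Parameter(Mandatory)] [datetime] $StolenSince,    # last time the laptop was known to be in hand
    [string] $CaConfig = 'ca01.corp.example\Corp-Issuing-CA'  # hypothetical CA "host\name"
)
$ErrorActionPreference = 'Stop'
$log = Join-Path (Get-Location) ("containment-{0}-{1:yyyyMMdd-HHmmss}.log" -f $ComputerName, (Get-Date))
function Note([string] $Message) {
    # Every action gets a timestamped line; the log is part of the evidence trail.
    "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $log -Append
}

# 1. Break the laptop's own trust: disabling the computer account makes the DCs
#    refuse its machine credential, so it can no longer obtain Kerberos tickets.
$computer = Get-ADComputer -Identity $ComputerName -Properties LastLogonDate
Disable-ADAccount -Identity $computer
Note "Disabled $($computer.DistinguishedName); last AD logon seen $($computer.LastLogonDate)"

# 2. Reset the user's domain password to a random value so the credential the
#    thief may hold stops working on-line. CAVEAT: Windows caches domain
#    credentials for offline logon, and a reset does nothing to what is already
#    on the disk; only full-disk encryption (the poster's lessons-learned
#    point) protects that data.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $UserName -Reset -NewPassword $newPassword
Set-ADUser -Identity $UserName -ChangePasswordAtLogon $true
Note "Reset password for $UserName; change required at next logon"

# 3. Revoke certificates the CA issued to the machine account (802.1X, VPN and
#    Wi-Fi commonly trust them). Disposition 20 = issued; revocation reason 1 =
#    KeyCompromise. Parsing assumes certutil's csv layout: one header line,
#    then one quoted serial number per row.
$requester = "$env:USERDOMAIN\$ComputerName`$"
$csv = certutil -config $CaConfig -restrict "RequesterName=$requester,Disposition=20" -out SerialNumber -view csv
foreach ($serial in ($csv | Select-Object -Skip 1 | ForEach-Object { $_.Trim('"') } | Where-Object { $_ })) {
    certutil -config $CaConfig -revoke $serial 1 | Out-Null
    Note "Revoked certificate serial $serial issued to $requester"
}

# 4. Hunt for use of the laptop after the theft: 4624 logon events on every DC
#    whose WorkstationName (Properties[11]) is the stolen host. Properties[5] =
#    account, [8] = logon type, [18] = source IP. WorkstationName is blank for
#    many Kerberos logons, so treat this as a first pass, not proof of absence.
$dcs = (Get-ADDomainController -Filter *).HostName
$hits = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $StolenSince
    } | Where-Object { $_.Properties[11].Value -eq $ComputerName } | Select-Object TimeCreated,
        @{ n = 'DC';        e = { $dc } },
        @{ n = 'Account';   e = { $_.Properties[5].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'SourceIp';  e = { $_.Properties[18].Value } }
}
$hitsFile = "$log.logons.csv"
if (@($hits).Count -gt 0) {
    $hits | Export-Csv -Path $hitsFile -NoTypeInformation
    Note ("{0} post-theft logon(s) naming {1}; exported to {2}, SHA256 {3}" -f
        @($hits).Count, $ComputerName, $hitsFile, (Get-FileHash -Path $hitsFile).Hash)
} else {
    Note "No 4624 events naming $ComputerName on $($dcs.Count) DC(s) since $StolenSince"
}
```

Run it from a responder workstation, not from the user's replacement machine, and keep the log and the exported CSV with their hashes alongside the incident report: they are the "forensically sound" record of what was changed and when. The order matters for the same reason the poster gives for the phases: disable and reset first (short-term containment), then the certificate and log work, which take longer and do not shorten the window in which the stolen credentials are usable.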