Hi and welcome back. This is going to carry on with our security incident management and incident response. I'm Ralph O'Brian. Pleasure to be talking to you again today. As I said, we're carrying on with the latest of the stages of the incident response life cycle. We've done the tests, assess; we've done detect; now we're responding and learning.

The response one, I'm going to get through quite easily, because the response could be anything. It's very difficult in an exam to just test whether you know what to do to respond to a given breach, given that a breach could be anything, but what they can do is ask about your preparation for the response, if anything else. There's a lot on this slide and I apologize for it. But this is all about having incident response plans. This is all about knowing what you're going to do, knowing what actions you're going to take, and practicing for those actions. Quite often you will see exam questions around incident response planning.

To me there are going to be three levels here. There's going to be command and control. The management need to have a document that tells them the roles and responsibilities, what the severity levels are for security incidents, and what needs escalation. They're going to need contact information; it's hard to keep up to date, definitely. They're going to need to know who they need to tell what to in terms of reporting, including the regulatory and the legal requirements. They're going to need to know when they need to talk to law enforcement and to other authorities. You're going to need information on your key suppliers, your second parties, your vendors, especially those that help you with identity theft and forensics and other technology services, or of course just your general partners that you deal with who are processing things on your behalf.
When to go from a security incident to business continuity, and then how to de-escalate, how to take you from that state of emergency back down through post-incident debriefing and analysis into the lessons learnt, which we'll talk about in the next session. That's the senior management.

Underneath the senior management, of course, you then need a couple of different levels. The first level is what we're going to call a scenario-based response: if X, then do Y. Scenario response: you could have a global pandemic, for example. What do you do? You institute the remote working plan. Now, equally, for other scenarios, you could have lack of access to the building. Well, we put in the remote working scenario, but what do you do if you have a data breach? What are your responses there? What is actually your scenario around the data breach: if X, then Y? This is so that certain solutions can apply to multiple scenarios. This is to understand each scenario and work out what your response would be. I've done quite a lot of these, and it's really interesting. You see some interesting things in scenario plans like, "We'll just go and work at the hotel across the road." What if the hotel shuts down? What if they've got a wedding? Have you talked to the hotel about this before you just rock up one day? The scenario planning has got to be really important: what actions you need to engage, which third parties you need to talk to to help you deliver that scenario, whether you have a failover or a backup, or you've got to recover to a backup, or whether you've got forensic practitioners standing by (they're very expensive, by the way), what resources you require, perhaps communication statements partially made ready to go, so you just have to add the details onto them. That's the second level. You've got the command and control incident response plan. You've got the scenario response plans: what does the business do if X occurs? Then finally, you've got the business unit level.
Each individual business unit needs to understand their own roles and responsibilities, and if their service provision is cut or damaged, how to recover. You need to know what you need to do to recover that area of the business: what that business needs to work, why they're interdependent on each other, what they need in order to recover themselves, what resources they need in order to work. We need to understand when they need to be up and running by, what the minimum service level is, and who else they rely on. Then what steps they need to take to manage that recovery.

This all needs to be tested; it really needs to be tested, both the command and control, the scenario responses and the business units. A bit of advice: don't do it all at once; don't disable the business by testing yourself. You can actually destroy yourself. Nobody really needs to unplug all the servers and kill your business in order to test the business. Perhaps one business unit at a time or one scenario at a time. Perhaps do it fake. First of all, do a command, crisis and control exercise. Get the management in a room and understand them. Help them to get trained. Help them to prepare. Understand the variables. Understand what you turn, test and control. You'll even get learning from these test and control activities, learning that you can use to improve before any scenario even occurs. Then that becomes an expert.

What do you need to correct? You've had your breach, you've had your response, and the response could be anything. It could be fixing vulnerabilities. It could be training. It could need resourcing. You'd need to buy a new system. You could need to get new supplies. Anything could happen at this point. Really, all the exam is going to talk about is managing those corrective actions: how would you assign tasks, monitor and measure that those tasks are done on a monthly, weekly, hourly basis depending on what you do, and then what can you learn from those tasks?
To me again, don't forget communication as well: updating your regulators, customers, your staff, your individuals, plenty of reassurance, so lots and lots of communication. Who needs briefing internally? What information do you need to brief yourself as management, and then externally: social media, media, customers, clients, vendors, regulators? All of these people need briefing as you recover to get back to where you would have been before the event. The final section in this is going to be about incident learning. Look forward to seeing you there.