Term Paper: Managing Organizational Risk
Due Week 10 and worth 150 points
No longer than a decade ago, IT security professionals had to work hard to persuade organizational leaders of the importance of developing effective risk management plans. Nowadays, due to the plethora of cautionary tales that organizational history provides, business leaders are informed of the need to manage risk and understand the crucial role of an organization’s IT infrastructure in its ability to perform business.
A computer incident response team (CIRT) plan can help prepare organizations for incidents that might occur.
Write an eight to ten (8-10) page paper in which you:
- Describe the objectives and main elements of a CIRT plan.
- Analyze the manner in which a CIRT plan fits into the overall risk management approach of an organization and how it supports other risk management plans.
- Provide at least two (2) examples of how CIRT plans define the who, what, when, where, and why of the response effort.
- Analyze the manner in which the development of a CIRT plan enables management to adopt a more proactive approach to risk management. Include recommendations for remaining proactive in the continual improvement and update of CIRT plans.
- Infer on the evolution of threats over the last decade that organizations must now consider.
- Predict the evolution of regulatory requirements mandating risk management processes and plans.
- Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
CIS 527: Information Technology Risk Management
Abstract
To borrow the Boy Scout Motto, “Always be prepared” is the central focus of effectively managing organizational risk. Organizations must be resilient in the face of the multitude of situations that impact their operations. To help facilitate this, most develop an overarching Business Continuity Plan (BCP) to provide a foundation for how the organization will respond, recover and restore operations as quickly as possible in the event of service disruptions. Associated with the BCP is the Disaster Recovery Plan (DRP), which focuses on incidents that have, or will imminently have, a large-scale impact on operations. Some threats can cause large-scale service disruptions, but if identified and responded to early, their impact can be mitigated or remediated. This is the bailiwick of the Computing Incident Response Team (CIRT) and the CIRT Plan. The CIRT Plan and members prepare for known threats, monitor for incidents of system exposure and respond quickly and appropriately to stop the incident before it becomes a disaster-level event.
In this paper we will look at CIRT Plans further, discussing the following points:
- Describe the objectives and main elements of a CIRT plan.
- Analyze the manner in which a CIRT plan fits into the overall risk management approach of an organization and how it supports other risk management plans.
- Provide at least two (2) examples of how CIRT plans define the who, what, when, where, and why of the response effort.
- Analyze the manner in which the development of a CIRT plan enables management to adopt a more proactive approach to risk management. Include recommendations for remaining proactive in the continual improvement and update of CIRT plans.
- Infer on the evolution of threats over the last decade that organizations must now consider.
- Predict the evolution of regulatory requirements mandating risk management processes and plans.
I. Computer Incident Response Team (CIRT) Plan: Objectives & Elements
A computer incident (CI) is, as our course text defines it, a violation or imminent threat of a violation of a security policy or security practice (Gibson, 2015, p. 401). The CIRT Plan is a formal document that provides guidance on how the organization will handle computer incidents. The primary objective of the CIRT Plan is to help prepare the organization for CIs and to minimize the damage and organizational impact when a CI occurs. The CIRT Plan has four main elements: CIRT Membership, CIRT Policies, Communication Escalation Procedures and Incident Handling Procedures.
- Computer Incident Response Team (CIRT) – The members are typically IT & security professionals who have the knowledge and skills to address threats to organizational assets. In this element of the CIRT Plan, the members, their roles, responsibilities and accountabilities are defined.
- CIRT Policies – This element gives direction on how the CIRT is to proceed in regard to a CI. The CIRT Policies outline the process by which incidents are to be handled through the incident response life cycle, which includes Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-incident Recovery.
- Communication Escalation Procedures – This element provides guidance on properly communicating CIs to CIRT members so that they can assess severity and address the CI. The CI may be isolated, or it could be impacting the entire information system, requiring an escalation of communication and response to the CI.
- Incident Handling Procedures – This element provides the detailed actions that are to be taken in the event of a CI and can take the form of a checklist or checklists. One of the key functions in this element is to calculate the impact of a CI and prioritize the response to it.
II. Organizational Risk Management and the CIRT Plan
The CIRT Plan is the first line of defense and the members are the first responders for CIs. As previously stated, the CIRT helps the organization prepare for incidents in order to engage them with a quick and focused response. The CIRT Plan aligns with the organization’s Risk Management program and supports business continuity as well as disaster recovery efforts by providing initial identification, response and, if needed, escalation with regard to CIs. The strength of the CIRT Plan lies in the CI preparation efforts, the structure of the policies & procedures and the expertise of CIRT members to respond swiftly and accurately to the CI. As with other Risk Management plans, the CIRT Plan is not meant to be static but requires regular review and revision as needed. CIRT members need to stay aware of new iterations of threats and of mitigation strategies.
III. CIRT Plan: The 5 W’s of Incident Response
In any investigation, answering the “5 W’s” provides a wealth of important information to address CIs when they occur. CIRT members need to find out:
- What type of CI has happened?
- Where did the CI happen?
- Who launched the CI?
- When did the CI happen?
- Why did the CI happen?
The more of these questions that can be answered, the easier it will be for the CIRT to identify and contain the CI.
One example of how this takes place is from our course text (Gibson, 2015, pp. 404-405), which describes how attackers stole credit card data and manufactured fake credit cards. The attackers hired women to use the fake cards to purchase thousands of dollars’ worth of products to be sold to black-market buyers, who then sold the items at reduced prices.
This example pales in magnitude next to the 2013 hack of Target. After significant research, a hacker, Andrey Khodyrevskiy, was identified with a strong circumstantial connection to the assumed name Rescator, who was selling stolen Target data out of Odessa, Ukraine, a known hotspot for credit card number trafficking. The investigation determined that Target’s network was breached using stolen network credentials from Fazio Mechanical Services, an HVAC subcontractor that worked at several Target locations. With this access, the hacker(s) was able to deploy the malware to a handful of Point-of-Sale (POS) registers to test that the malware was working correctly. Within 2-3 days the hacker(s) had pushed the malware out to most of Target’s POS registers and began collecting data [1]. Although it triggered alerts with FireEye, the malware lowered suspicions by staying in place for about 2 weeks before it began sending data, only during normal operating hours, to different staging servers within the U.S. and on to a hosting service in Moscow [2].
IV. CIRT Plan Development: Adopting a Proactive Risk Management Approach
CIRT Plan development is itself proactive. Based on assessed risk(s), the CIRT Plan establishes policies and procedures and identifies CIRT members, their roles and responsibilities in order to prepare for and respond to known threats and CIs. As with DRPs and BCPs, CIRT Plans are created to provide a structured guide to addressing CIs before they actually occur. Although preparation is integral to effective CIRT Plans and their execution, mitigation is only effective against foreseeable threats. Because of this, it is incumbent that the CIRT Plan is not developed and then left to atrophy. Some recommendations for CIRT Plan resilience are as follows:
- Conduct regular reviews & testing of the CIRT Plan to ensure policies & procedures are still relevant and most effective. As deficiencies are identified or better procedural approaches developed, revise the CIRT Plan and implement them.
- Conduct regular monitoring and maintenance of information systems & controls. Ensure that security patches & updates are applied in a timely manner to systems and security utilities.
- Ensure that CIRT members continually update their awareness of current security threats and mitigation strategies, as well as maintain demonstrated competency with regard to their content speciality.
V. Risk Management: Evolving Threats Require Evolving Strategies
In the article Knowledge Doubling Every 12 Months, Soon to be Every 12 Hours, David R. Schilling writes the following:
Buckminster Fuller created the “Knowledge Doubling Curve”; he noticed that until 1900 human knowledge doubled approximately every century. By the end of World War II, knowledge was doubling every 25 years. Today things are not as simple as different types of knowledge have different rates of growth. For example, nanotechnology knowledge is doubling every two years and clinical knowledge every 18 months. However, on average human knowledge is doubling every 13 months. According to IBM, the build out of the “internet of things” will lead to the doubling of knowledge every 12 hours [3].
It is unbelievable the extent and speed at which information will grow. It was just 9 years ago that Apple brought handheld computing, in a user-friendly package and at a price point, to the masses and changed the world of communication. Today, most people, young and old, can barely function without referring to their “smartphone” or other mobile device for assistance. With this boom of technology, there is a fertile landscape for hackers to exploit.
With advancing attack techniques for Denial of Service attacks, CryptoLocker / ransomware, spear phishing and sophisticated social engineering scams, combined with the prevalence of mobile devices and Wi-Fi or Bluetooth peripherals, as well as the “Bring Your Own Device” push by some employers, organizations have to be forward-thinking and precautionary about the types of technology their information systems and networks are exposed to. Mobile security utilities are far behind those for our desktops/laptops, and hackers are taking aim at those platforms. If they can get onto your phone, tablet or Bluetooth-enabled device, the hope is that you will take it to work and connect it to the organization’s network, which they can then exploit. The same recommendations apply here as stated earlier: CIRT training, system/network hardening, security patches & updates and system testing. Another consideration and best practice is to subscribe to security notifications from providers of security threat databases, such as US-CERT [4]. They provide alerts and emails regarding the newest threats.
VI. Risk Management: Regulatory Compliance and the Future
There is no turning back. The world is wired together, and although it has been in the business sphere for decades, with the advent of the World Wide Web, advances in mobile connectivity and the push toward more virtual computing in the “cloud”, the risks of lost data and wealth have grown exponentially in the last decade. I know there are governmental regulations in place to protect organizations as well as the public, but when you compare the speed of government with that of hackers who do not abide by rules and the speed of technological change, I fear targeted and effective regulations will be overtaken by broad, sweeping and hyper-restrictive government controls. The IT industry has been unique in that it has, by comparison to others, done a good job of policing itself. The core belief that information should be free to share with colleagues and friends spawned a parallel universe, if you will, where we can take virtual tours of other countries, buy groceries, books, car parts and cat food, or take university classes from our office chair at home. This connectivity, this access, is also a vulnerability when we as individuals and organizations do not take responsibility for protecting our assets. If we do not protect ourselves and thus those we are connected to, I can only be concerned by the breadth and scope with which regulatory compliance will expand.
References
Gibson, D. (2015). Managing Risk in Information Systems, 2nd Edition [VitalSource Bookshelf version]. Retrieved from https://bookshelf.vitalsource.com/books/9781284107753
[1] Krebs, B. (2014, February 14). Target Hackers Broke in via HVAC Company. KrebsonSecurity.com. Retrieved from http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
[2] Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Bloomberg Business. Retrieved from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1
[3] Schilling, D. R. (2013, April 19). Knowledge Doubling Every 12 Months, Soon to be Every 12 Hours. Industry Tap. Retrieved from http://www.industrytap.com/knowledge-doubling-every-12-months-soon-to-be-every-12-hours/3950
[4] Department of Homeland Security, US-CERT. National Cyber Awareness System. Retrieved from https://www.us-cert.gov/ncas
Your assignment must follow these formatting requirements:
- Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
- Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
- Create a Computer Incident Response Team (CIRT) plan for an organization in a given scenario.
- Use technology and information resources to research issues in IT risk management.
- Write clearly and concisely about topics related to IT risk management using proper writing mechanics and technical style conventions.