CISO DRG Vol 2: Chapter 10 – Finding Talent and Developing Your Team

Introduction

We begin Volume 2 with a discussion about people. As you strive to create a world-class cybersecurity program, you must recognize and address the critical human element. We look at the human element from several different perspectives. We include the technical skills that are required and how to assess them; motivating, inspiring and nurturing the people on your team; and understanding the environmental factors that impact your talent pool and your hiring decisions.

Bill Bonney offers a lot of practical advice on assessing, recruiting, motivating and developing the people on the CISO’s team. But he also recommends an honest assessment of the tasks that can realistically be outsourced to third parties and proposes that you look at how technology, specifically artificial intelligence, can help you be more effective in meeting your goals. Bill includes a bit of a call to arms for our industry to address the shortfall of qualified candidates.

Matt Stamper suggests that CISOs should carefully consider how they define each position. It is essential that requirements and job descriptions are realistic and appeal to the people you are trying to attract. Matt also thoughtfully unpacks several factors, both internal and external to the organization, which impact the composition of the talent pool for any particular hire.

Gary Hayslip takes a data-driven approach to workforce planning that acknowledges the fierce competition for talent in the field of cybersecurity and offers practical advice for motivating the people on your team. He continues using data to define a set of metrics to help the CISO determine if the talent on the team is delivering the outcomes that are needed and to help develop the training necessary to close any gaps.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  How do CISOs develop their hiring priorities to support the organization and their cybersecurity program effectively?

♦  What hard and soft skills does the CISO believe their cybersecurity program requires?

♦  How can I construct a training program that will keep my team’s knowledge, skills, and techniques current?

♦  What metrics can I use to measure the effectiveness of my cybersecurity team’s capabilities to provide security services and reduce risk to the organization?

Talent, Skills and Training – Bonney

I think it’s important to put the topics of recruiting, skills, training, and development in the larger context of talent management and the still larger context of the changing workforce demographics and the technical skills shortage that we face in industry – the so-called “War for Talent.” My point is not to give the reader comfort that this is a problem faced by many companies across most industrial sectors and throughout the entire world economy because that doesn’t absolve us from dealing with the problem, but rather, to draw attention to the true scope of the problem.

In the larger sense, we are dealing with a fundamental transformation of the use of human capital, on par with the industrial revolution. We should keep this in mind when determining how to approach our talent issues. Yes, the short-term tactical advice is always useful. But, planning for the long term can’t be ignored and will take a combination of human resource planning, government policy changes, new capacity and new approaches in our education systems, and new technology. These changes will require us to work differently with partners and suppliers to achieve the outcomes we want. We can’t rely on the old models of allocated headcount with defined duties and desired skills to just “get the work done.”

Talent and the Human Element

Let’s first put the topics for this chapter in the larger context of talent management. Talent management as a discipline traditionally includes four pillars: recruitment, learning, performance, and compensation. This chapter is focused on recruitment and learning which is done for an outcome (performance) at a price (compensation). Keep in mind that the purpose of talent management is to create a high-performing, sustainable organization that meets its strategic and operational goals and objectives. The goal we have for talent development is to:

♦  allow the Information Security team to develop the skills and capabilities to continually adapt to changing business and threat environments, thereby

♦  help the larger organization identify and manage the risks that threaten its information and operations technology, in order to

♦  safeguard the organization’s data (both generated and entrusted), and

♦  protect the people and operations from cyber and cyber-kinetic harm, thus

♦  enabling the organization to compete with less drag and friction.

I think to be successful with how we approach building and developing our team’s capabilities we need to consider the human element. Several different works that share some similarities with each other are helpful here. The first is a book called Drive: The Surprising Truth About What Motivates Us (Pink 2009) by Daniel H. Pink. The second is a study conducted by Tony Schwartz of The Energy Project along with Christine Porath, an associate professor at Georgetown University’s McDonough School of Business. The study is summarized well in an article in the New York Times (Porath 2014). The third is an article in the MIT Sloan Management Review (Gunter K. Stahl 2012) called “Six Principles of Effective Global Talent Management.”

What is common to these works is the assertion that the sense of purpose that each person has for their work is more indicative of their engagement and success than their skills. The argument is that affinity is a more important predictor than efficiency.

That is not to say that skills aren’t important. On the contrary, one has little chance of being successful without possessing the skills required for the job. But it would be worth your time to review these works. Daniel Pink tells us that by providing our teams with opportunities for autonomy, mastery, and purpose, we are providing the key ingredients to motivate our people. Tony Schwartz and Christine Porath tell us that employees are vastly more satisfied and productive when four of their core needs are met:

♦  physical, through opportunities to regularly renew and recharge at work;

♦  emotional, by feeling valued and appreciated for their contributions;

♦  mental, when they can focus in an absorbed way on their most important tasks and define when and where they get their work done;

♦  and spiritual, by doing more of what they do best and enjoy most, and by feeling connected to a higher purpose at work.

Gunter Stahl, et al., found that large successful companies adhere to six key principles rather than traditional management best practices focused on maximizing the four pillars listed above. Those key principles are:

♦  alignment with strategy,

♦  internal consistency,

♦  cultural embeddedness,

♦  management involvement,

♦  a balance of global and local needs, and

♦  employer branding through differentiation.

Therefore, I’d like to suggest that we think of the people we work with, who help us achieve our outcomes, as people, not just talent. We would like to hire the best people with the right skills and mindset, help them become even better at what they do, have them share a common set of goals, and have them engaged and happy to be part of our team for the long haul.

Recruitment

With the human element considered, let’s turn to the issue of recruitment. I referred at the beginning of this chapter to the “War for Talent” and noted that we are dealing with a fundamental transformation regarding how we deploy human capital. These changes affect different industries in unique ways and the various functions within organizations in very different ways. Three factors I think we need to address are the scarcity of qualified workers, third-party service delivery, and augmentation using artificial intelligence.

Scarcity of Qualified Workers

A significant result of the industrial revolution was the migration of populations from rural to urban centers. This migration was aided by several factors. Among these factors were the ability of manufacturers to expand the capacity of their workforce, the resulting increase in productivity and profitability of doing so, the resulting elasticity of wages, and the relatively low barrier to entry (compared to both the guild system that preceded industrialization and the highly technical skillsets that are required in today’s digital workplace). While there were often labor shortages when new factories or industries popped up, the pace of industrial development, the availability of investment capital, and the speed of communications served as natural governing factors.

Still, labor shortages could at times doom businesses or at least temporarily suppress profits. In short, the demand signal was sent, and the response was the arrival of men and women ready to work. Training shifted from years of apprenticeship to mere weeks of classroom or vestibule training, but the key factor was the availability of any person ready and willing to work.

Fast-forward three hundred years, and many of the jobs we need to fill are highly specialized, requiring years of school and what amounts to years of apprenticeship. The demand signal has again been sent, and governments and universities recognize the severe shortages of highly-skilled workers, not just cybersecurity professionals. However, the pace of development in the digital age, the availability of abundant investment capital, and the instantaneous speed of communications serve as accelerators, not governors.

Enough Admiring the Problem. What Are We Going to Do About It?

First, CISOs must recognize that they are always recruiting. Even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. And while there is a minimum bar for the skills your team will need to be successful, you can only hire for so many of those skills. The cost (in hard cost and opportunity loss) of competing for and hiring fully formed senior security engineers for all positions has already become prohibitive.

Hiring the right team will be a mix of seasoned individuals from outside of the organization along with individuals you nurture. You will use your network, internal and external to your organization, to help you identify and attract both.

You could easily create a laundry list of security domains along with areas of specific process expertise from reviewing the requirements and controls listed in the eight CISSP domains, the 18 security control families from the NIST 800-53 standard, and the 12 PCI-DSS requirements. Add in various processes that have information technology and information security overlap, such as vulnerability management, change management, and mobile device management, along with security-focused activities, services and products such as threat intelligence, forensic analysis, penetration testing, intrusion detection and prevention, and the whole discipline of governance, risk and compliance, and you have a massive set of competencies from which to select job requirements.

It’s tempting to reduce this problem to simple analogies such as building a professional sports team. Drafting from the college ranks to fill skill gaps is like hiring workers early in their careers. Using free-agency can fill more senior positions. The minor leagues provide internships. And a deep bench can stand in for succession planning. These analogies can help explain the situation in simple, familiar terms, but they can also seem repetitious and shallow, and the consequences of failure are very different.

When we trivialize talent development by comparing it with building a sports team, we risk treating all professionals the same as members of sports teams – short-term combinations of skills designed to win a trophy. Failing to win a trophy is disappointing to the team and the host city, but teams can be overhauled in a matter of a few years and a trophy in 5 or 10 years, though not ideal, will still be celebrated.

The skills needed to be successful in the modern white-collar workplace (both hard and soft) are not so readily observed, as they are showcased outside of the arena of public spectacle. Employees are afforded many labor protections that professional athletes do not enjoy. And, the consequence of the team’s performance is greater than the disappointment in the execution of a billionaire’s hobby. And thus, the analogy breaks down.

The few elements of this analogy I do think can add value to our thinking are the youth leagues and skills development programs that exist across all of the major team sports. These programs are available for baseball, football, basketball, hockey, soccer, volleyball, gymnastics and even sports that are more focused on individuals, such as tennis, swimming, ice skating, skiing and golf. In fact, I can’t think of any sports that don’t have youth leagues and skills development programs, and many include community outreach, traveling ambassadors, senior leagues, and representation in K-12 physical education programs.

While not the only cause for this deep infiltration of sport at every level of our society, one major reason for this is President Kennedy’s revitalization of the President’s Council on Physical Fitness and Sports. Physical fitness was seen as a critical need for all Americans to maintain a healthy lifestyle, both for their health and the cost to the nation that would most certainly result from the poor health of the population.

I do not mean to trivialize healthcare or the impact of poor health on our lives, but I do think that building a nation that is “cyber healthy” will be crucial to our citizens’ financial health and our nation’s public safety. I believe that existing programs that invest in STEM (and STEAM) education, hackathons, and other curriculum-based and after-school activities for the K-12 education system are vital both to teach skills and to familiarize students and their parents with cyber hygiene, cyber defense and, where the skill and interest surface, cyber offense.

Investing for the Long Term

There is widespread recognition that building the skills and competencies needed to improve the overall cybersecurity of critical infrastructure requires national and coordinated attention. NIST’s National Initiative for Cybersecurity Education (NICE) is focused directly on addressing this challenge. Special Publication 800-181 outlines the initiative.

NICE offers prescriptive detail regarding seven core security functions, and 33 specialty areas of cybersecurity work. It defines 52 cybersecurity roles while providing the requisite knowledge, skills, abilities, and tasks for each role. NICE thereby helps organizations understand the types of skills and competencies that will be required to support a security program comprehensively.

In the graphics below, the seven core security functions are described, and a sample drill-down is provided. Within each core functional area, NICE provides insights and recommendations on necessary training to adequately address the function. NICE therefore provides the foundation for your cybersecurity staffing program.

Both graphics are courtesy of the National Initiative for Cybersecurity Careers and Studies.

Figure 10.1 The NICE Cybersecurity Workforce Framework

Figure 10.2 Detailed Description of Analyst Position

With the NICE skills framework, educational organizations across the nation, including K-12 schools, trade schools, community colleges, technical institutes, and universities can design programs to provide the critical training our workforce needs.

Helping the cyber workforce become productive is another gap that we must fill. The traditional model of graduating four-year degreed individuals from colleges and universities will not, by itself, overcome the worker deficit we face. On-the-job experience, in the form of internships and apprentice programs, is another vital source of learning that is necessary to allow newly trained workers to put their skills to use quickly.

Internships are excellent supplements to the typical four-year program that help the student step out of the classroom and spend critical time in the field at a variety of organizations, seeing real-world events unfold in real time. Apprenticeship programs allow a broader set of experiences that can help trainees use additional avenues to gain the skills they need. These trainees include students who are not following the four-year degree path, workers reentering the workforce, military personnel who are transitioning into the commercial workforce, and other sources of specialists that are currently under-utilized. A critical insight is that the total number of seats in four-year degree programs is not adequate to provide all the cybersecurity workers we will need, and that the traditional four-year program is simply not required for many of the entry-level positions that currently go unfilled.

One final recommendation about some of these novel approaches to training the cyber workforce of tomorrow is to look to cyber ranges as an option worth exploring. Cyber ranges can help you train new workers on current methods and help keep your existing workforce up-to-date. Think of cyber ranges as simulators, but under live fire. In order to train our pilot workforce without crashing real planes, we built and deployed flight simulators. Cyber range scenarios are real, but with coaches and highly-skilled experts available as backup.

Hiring Who You Need

Let’s come back now to your immediate hiring decisions. While it’s difficult to hire individuals with a mastery of the complete list of skills and experience across each of the relevant domains, senior security engineers and security architects should have a fundamental knowledge of all of them. How can you possibly determine whether the more senior people you are hiring have the right level of broad mastery? Some rely on certifications, but I challenge how effective that is. I see a lot of value in certifications: they set an effective minimum bar in many areas, they come with an ongoing requirement for continuing education that in theory keeps people in constant learning mode, and they provide a shorthand for assessing, in aggregate, the skill level of a department.

The latter is the most perilous, though. In any population of certificate holders, just given a normal bell curve of capability, there will be some people who barely met the proficiency requirements. It is not statistically impossible to have a larger than normal collection of people on the left side of the bell. Also, the minimum bar I spoke of is just that, a minimum. It gives a reasonable assurance of familiarity with general concepts, but unfortunately, there is not enough assurance that the familiarity comes along with experiential knowledge.

So, while certifications have their purpose, we can’t solely rely on them for determining the technical fit for new hires. What other tools do we have? A lot of time and energy have gone into interviewing techniques that will both root out the hard skills (have the candidate take a coding test or configure a firewall rule) and soft skills (subject the candidate to team interviews with each team member tasked with assessing certain key soft skills such as communication skills, problem solving, managing up, and team dynamics). There are several systems out there. One of the more popular ones is the “STAR” Technique: situation, task, action, result. It’s so popular that interview candidates also use it to prepare to talk to you.

None of this is ground-breaking, and chances are good your Human Resource department will have a favorite rating system that you can adapt to the hard and soft skills that you want to test for in your screening. But most of the last two paragraphs assume that you have a pool of reasonable candidates to start from, and that your job is to screen for a fit for your team. I do happen to agree that these techniques are valuable. However, I have always found the greater challenge to be finding the reasonable pool of candidates in the first place.

That is why I said that even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. You want to make sure you always know who you would try to recruit to your organization if you should have a position open. Every interaction you have in your local security community is a recruiting event. Every meeting, every talk, every conference, every happy hour.

I’m going to put the cart before the horse to share a brief thought. The single most important recruiting tool you have is your team. If team members are motivated, work as a team, win more often than they lose, celebrate their wins, pick each other up when they are down, and care about the company they work for, others will want to come work for you too. I know that doesn’t help a lot when you are building a new team, but there is some element of that statement that you can leverage in practically any situation. They will help make your team an attractive place to be before there is a position available.

It is also important to pay attention to social tools such as LinkedIn and Twitter as well as any blogs or security forums you participate in. Make sure your profiles are up to date and that they show a positive image of you and your role. The same should be true for the people on your team. Just as companies use social tools to vet candidates, we all use social tools to vet the companies and teams we want to join. When we see a limited profile, we might believe the team to be insular and two-dimensional. That may not always be accurate, but underestimate the subconscious signals we pull from social tools at your own peril.

CISO DRG Vol 2: Chapter 11 – Cyber Awareness Training: It Takes an Organization

Introduction

Educating your workforce about cybersecurity through an awareness program is a foundational requirement that all cybersecurity standards share. So why don’t we have a very well-educated workforce when it comes to cybersecurity? Perhaps too many organizations, when they recognize the need for a cybersecurity awareness program, treat it like a change management effort: roll it out just in time and then add it to the corporate training curriculum. We know that’s not effective.

Bill begins this chapter by recalling that there have been other large-scale societal changes that have required massive, sustained awareness programs. He outlines the commonalities between these programs and allows the reader to draw inferences that will help put their program into context and set it up for success.

Matt continues the discussion by showing how each member of the executive team must buy in and be part of the solution. Education and awareness are about people, and specifically, the role each of us plays and how that role is personal to every one of us and through us becomes personal for each organization.

Gary then shows us how important it is to measure what we do, and more importantly, to build a habit of learning from each breach and changing the training content so that it evolves as our threat environment evolves. Tying our metrics to our awareness program is a powerful concept and will help any team be more successful by focusing on continual improvement.

The authors would like to pose some important questions to think about as you read this chapter:

♦  What are the “lessons learned” from industry data breaches that can be used to reduce our organization’s risk exposure to these adverse events?

♦  How successful is training our staff in actually preventing breaches versus having the right software and hardware in place?

♦  Does our organization have a culture of cybersecurity awareness and do we have a program to educate our staff?

♦  What is our Incident Response Plan and how do we train staff, stakeholders and partners on how to use this plan?

The Critical Role of Security Awareness with Executive Management – Stamper

Doesn’t Every Executive Value Cyber?

Who doesn’t love the technical side of cybersecurity? With thousands of innovative cyber tools hitting the market each year, it would be easy to lull us all into believing that the security of our organizations is just a toolset or adjusted configuration setting away. Oh, that it was that simple.

Before becoming a CISO, I helped organizations comply with the requirements of the Sarbanes-Oxley Act (SOX). Our company would help management address the state of the organization’s internal controls over financial reporting (ICFR). I was responsible for assessing IT General Controls (ITGCs) in the context of financially material business applications. Our process began with a risk assessment of the organization’s financial statements to determine the materiality of business processes and capture control detail about the applications (think ERP, CRM, and other systems) that supported material business processes. With this context, we’d evaluate and assess the design and operational effectiveness of controls. Our goal was to determine what level of assurance or confidence the organization had that its financial statements were accurate, complete, and valid.

We had two types of customers. The first and rarest were those that were genuinely interested in establishing good governance practices and sound controls over their processes such that ultimately their financial reporting was free from material weaknesses or significant deficiencies. The more common group consisted of those executives that merely asked that we “make them compliant.” It was in this group that the quality of financial reporting was most suspect, and no matter how much we worked to implement, document, and ultimately transfer good governance practices to the organization, we knew that given the lack of “ownership” the governance practices would not stick. The simple reason: there was no accountability or commitment to good governance.

Embarrassingly, we would call executives from this second group “walking material weaknesses.” They put their organization’s standing with financial markets, regulators, and other critical constituencies at risk because they did not value governance. Or, as I’ll discuss below, no one explained the linkages between good governance and financial performance for their organization in a way that resonated with how they saw their role within the organization. It was like we were speaking the wrong language to this second group. It was not that they desired poor governance and ineffective controls. It was, more accurately, that no one showed this group of executives how good governance and internal control could facilitate and underpin their organizational strategy. The failure was on us: we did not communicate in a manner that was effective.

As CISOs, we see similar issues within our organizations. Some organizations take security awareness and security training very seriously and are committed to excellent security practices. Others only pay lip service to security training and education. The consequences for the latter include increased regulatory oversight and brand damage resulting from high-profile breaches. Awareness must start with executive management. It’s imperative that you help your colleagues in the C-suite understand the risks and consequences of security practices that are inadequate or incomplete. How you address this one function may have more bearing on your security program than any selected tool or security configuration. Similar to the challenges with SOX described above, leaders of organizations that do not currently value security the way we would hope may simply lack the context required to change their approach.

It’s About the People

Now back to the opening of this chapter. Cybersecurity, while reliant upon technology, is ultimately about people. Good security practices require engaged and informed stakeholders, be they the board of directors, executives, or frontline employees. One of the most critical components of the CISO role is to help drive this engagement. Behaviors that bypass the best technologies can happen without awareness, an understanding of the acceptable use of organizational assets, and the investment in the training of our teams. One need not look any further than how the best “preventive” technologies deployed are easily circumvented by well-crafted phishing emails that entice employees and executives to expose their organization’s network to bad actors. People count. It is obvious why cyber education and security awareness training are so necessary.

CISO DRG Vol 2: Chapter 12 – Monitoring Your Environment

Introduction

Networks are noisy. From heartbeats to probing, from legitimate database extracts to covert data exfiltration, from sensor telemetry to malware infusions, there is an enormous amount of traffic on your network. Without a strategic and diligent approach, it is difficult to know how much of your traffic is appropriate. Long gone are the days when volume alone was the biggest hint that you were under attack.

Bill starts the discussion by reminding us just how much the network and the devices on the network have changed. In the last decade, we have seen not just an explosion in data volume, but a significant change in control as to how the network and the applications and devices on it are acquired, deployed and exploited for business utility. Bill also highlights the need to look at a wide range of activities to successfully monitor the organization’s infrastructure.

Matt reminds us that monitoring involves more than just checking the flashing lights for activity and sniffing packets. His advice for program monitoring shows us the broad range of health indicators that the CISO must be concerned with and how important it is to be integrated with the lines of business to know what matters to the entire organization.

Gary emphasizes the need for continued diligence through scanning, monitoring, and remediation before addressing the critical requirement for having a deep understanding of the health and security of your applications. To end this chapter, he brings the discussion back to one of our favorite topics: metrics.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?

♦  What framework and/or processes should a CISO use to remediate vulnerabilities and search for malware in their organization’s application portfolio?

♦  Your organization experiences numerous unauthorized attempts to breach its enterprise networks. What metrics are important to your enterprise cybersecurity program to enable it to see these attempts?

Monitoring the Enterprise and Your Cybersecurity Program – Hayslip

It’s 2:00 AM and the smartphone on a nightstand is chirping a lonely message for Alice Bentlee (fictitious). Alice is the Vice President, Cybersecurity and Risk Operations Director for a local bio-technical research facility, and right now she is trying to brush the sleep from her eyes as she reaches for her phone. In the next fifteen minutes, she will become wide awake as she learns the news. Her employer has had a data breach and has activated the incident response plan. In the days to come, as she triages the breach, she will use forensics to understand how it happened and what data was accessed.

The company will leverage its cyber insurance policy to help cover its costs as it initiates an internal investigation into Alice’s cybersecurity program, and as the CISO she will need to answer questions to prove her program was meeting the definition of “reasonable care.” Did she, as the senior security executive for the company, implement a cybersecurity program to the best of her ability that met industry best practices and, as an organization, met the standards of care for protecting the critical intellectual property data her company had stored within its enterprise networks?

As a CISO, it is essential to understand the idea of “reasonable care” and why it is a minimum strategic standard for the business. This concept is based on several core principles:

  1. The organization, or the CISO acting on its behalf, shall be considered to have complied with reasonable security practices and procedures if an industry standard framework was used to implement the procedures (e.g., NIST, ISO, COBIT, and CIS), and there is a current documented information security program. This program should have mature information security policies that contain managerial, technical, operational, and physical security control measures that are at a maturity level commensurate with the level of sensitive information being protected by the company.
  2. In the event of legal action or a request from regulators stemming from a data breach, the organization, or the CISO acting on its behalf, may be required to demonstrate that security control measures were implemented, and they are documented in the organization’s information security policies.
  3. The security procedures are certified or audited on a regular basis by an independent auditor. The audit of reasonable security practices and procedures must be current and therefore conducted within the last year.

I am sure by now you are wondering why this is so important. The reason is that, as we’ve previously discussed, cybersecurity is a continuous lifecycle and breaches are part of that lifecycle. To reduce the risk to our organizations, as CISOs we create and implement enterprise cybersecurity programs and deploy policies, procedures, security controls, and standards to reduce risk and protect our assets. However, even with a mature cybersecurity program, we will at times remediate security breaches and then be required to prove that we are meeting reasonable security standards.

Continuous Scanning, Monitoring, and Remediation

We’re now ready for our next discussion topics. One of the primary processes that your cybersecurity program will be responsible for is “continuous monitoring.” In many network/organizational environments, there may be extreme technology change as organizations try innovative solutions to compete in their specific business markets. This dynamically changing environment makes providing enterprise risk management and cybersecurity as a service extremely challenging.

To bring balance to my security teams and be effective as a security leader when operating in chaotic business environments where there is no stable risk baseline, I implement the concept of continuous scanning, monitoring, and remediation to provide an effective security practice for my business and our stakeholders. Understanding the answers to the questions for this chapter will enable you, as a CISO, to state that you are meeting the requirements of “reasonable care.”

Continuous monitoring provides a critical service to security operations teams through detection, response, and remediation. When such a program is aligned with the organization’s enterprise security program and implemented with appropriate security controls, it enables security organizations to detect security incidents, remediate security gaps, and analyze trends to reduce the company’s risk exposure. I believe it is essential to understand that continuous monitoring is a component of a lifecycle, a cybersecurity lifecycle.

I have written about this lifecycle and its five stages: inventory, assessment, scanning, remediation, and monitoring (Hayslip, Pulse, Articles by Gary Hayslip 2015). This graphic is a depiction of the final stage, continuous monitoring, and will be our guide in the discussions that follow.

Figure 12.1 Continuous Monitoring Mind Map

The first question that we will review will provide some insight into the components that make up continuous monitoring and why I believe it is an essential business process. Numerous strategic frameworks address continuous monitoring. I have implemented the National Institute of Standards and Technology (NIST) guidelines, NIST SP800-137 (NIST 2011), at multiple organizations over the last several years. I consider it to be a best practice for a CISO standing up a security program.

I believe it is a critical business process for organizations to understand and maintain their situational awareness and oversee their enterprise risk management portfolio. While I used the NIST guidelines for continuous monitoring, the framework you select should be decided through input from your stakeholders, including legal staff and executive management, and depends on your technical requirements.

With that said, let’s review our first question: “As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?”

To design and implement an effective continuous monitoring program, a CISO will need to take into account answers to the following questions:

♦  Purpose of the monitoring system – From the viewpoint of the organization, what are the overall business reasons to develop a monitoring system? Is it a compliance/regulation requirement? Are there technical requirements? As a CISO you must be able to answer the question of why resources need to be expended to develop this program.

♦  Requirements – Now that you understand why you need to implement it, what are the technical, security, legal, business, and compliance requirements for the program’s creation, management, report structure, and data views?

♦  What needs to be monitored – This question is critical. It is imperative for the CISO to work with stakeholders and trusted partners to identify what systems, applications, and data to monitor.

♦  How will it be implemented – From a technology perspective, will this monitoring be on-premises, will it be in the cloud, or would it be better to use a hybrid approach? If deploying sensors or agents, determine if the deployment is a one-to-many configuration or a distributed site-to-site configuration. Once you have identified the data to pull, you can create the architecture to move the data to a location for analysis and storage.

♦  Data, data, and more data – You have identified what data you will monitor, and now you need to ask yourself, where will the data be stored? Do I have a data retention policy? Do I have a data governance program that specifies who is allowed to access it and why?

♦  Metrics and reports – Collecting information from the monitoring program should have a purpose. Do you have any metrics? Do you have specific reports based on the analyzed data? What is the story, and to which audience are you providing this data?

♦  911 – You understand your requirements, you have built a continuous monitoring program for the organization, you are collecting information, and now the question is who will use it to protect the organization?

As you can see from these questions, there is an extensive amount of information you need to collect before you begin architecting a monitoring program. I typically start with conducting an inventory of my security suite to identify all of my security assets such as firewalls, IPS sensors, honey pots/nets, endpoint platforms, and vulnerability scanners. I then proceed to document what logs I can collect from these platforms and meet with my peers in our data centers, desktop support, and network services teams to verify what assets they have and what logs I can collect from them. Once I have identified these assets and log types, I research and deploy a security information and event management (SIEM) platform that enables me to build dashboards to analyze the collected information. This allows me to make decisions about reducing risk and focus on how to best use my limited resources.

You will need to review several issues if you plan to use a SIEM platform as one of the core elements of your continuous monitoring program. The SIEM platform will provide your monitoring program with extensive capabilities for reviewing and analyzing collected data for actionable threat mitigation. However, you will need to verify some information before you start analyzing the collected data. Some of the issues I would recommend you check are:

♦  Deployment of Security Suite Assets – Review where you have your security assets deployed in your enterprise network. Assets such as intrusion prevention systems (IPS) or unified threat management (UTM) appliances become primary sources for data logs, and it is critical to position them at locations in the network with the best visibility into data flows to ensure you are collecting optimum data. Whether it’s at the network edge, chokepoints between sites, or within enclaves that manage sensitive data – review your network maps and the position of your security suite’s

♦  Log Filtering – Next, I would recommend that, depending on the data type you collect (for instance, if the data is from security components like firewalls or IPS systems), you incorporate filters or pre-defined rulesets to remove basic informational data so your analysts don’t get overwhelmed. There are configurations for many of your security components that will allow you to filter out informational data and only send alerts for data that meet specific criteria for review by one of your security personnel. The use of these filters and automation for specific analysis will help provide relevant data and meaningful metrics for review. As a result, security staff will be able to spend less time analyzing the data and more time remediating any issues they find.

♦  Log Management – You are collecting logs and sending them to a central repository for your SIEM to review; however, what events are you collecting? Some events that I have collected in the past (and by no means is this a complete list) are:

◊  Asset boot/shutdown

◊  System process initiation/termination

◊  Invalid login attempts

◊  File access/file close

◊  Invalid file access attempts

◊  Network activity

     ♦  Ports/protocols

     ♦  Flagged application activity (Tor, web proxy, file sharing)

◊  Resource utilization information

♦  Log Retention/Access – It is critical that you understand your log retention requirements. If you must keep logs for several years due to federal regulations or industry compliance, you will need to factor in storage and encryption of the data at rest as part of your program for managing this data. Another critical question you will need to address is who needs access to these logs, why do they need access, and what rights do they need to this data? You will need to incorporate an access control mechanism for this information, so you can demonstrate you’re a good steward of the data entrusted to your program. I have found that discussing this issue with my stakeholders will help identify who needs access and the business requirements for the information, so collaborate when setting your access control mechanisms.
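The log filtering and log management points above can be made concrete with a small triage routine. The following is an added example written for this chapter; it is not code from the CISO Desk Reference Guide, its authors, or any SIEM product. It parses a handful of constructed key=value log events, discards informational noise (while keeping a watched event type that a sensor happens to log at informational severity), and raises alerts only for two patterns the text singles out: a burst of invalid login attempts from one source and flagged application activity such as Tor or a web proxy. The log format, hostnames, addresses, and the five-in-five-minutes threshold are all constructed assumptions.

```python
"""SIEM-style pre-filtering and alerting over constructed log lines.

Added example (not from the CISO Desk Reference Guide or any SIEM vendor).
The log format, hostnames, addresses and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Events that must survive filtering even when a sensor labels them "info"
# (assumption: our IPS logs application detections at informational severity).
WATCHED_INFO_EVENTS = {"app_detect"}
# Application categories the text flags for analyst review.
FLAGGED_APPS = {"tor", "web_proxy", "file_sharing"}
# Assumed tuning: five invalid logins from one source within five minutes.
LOGIN_THRESHOLD = 5
LOGIN_WINDOW = timedelta(minutes=5)

# Constructed sample events in an assumed "timestamp key=value ..." format.
SAMPLE_LOGS = """\
2024-03-01T02:00:01Z host=fw01 sev=info event=conn_allow src=10.1.1.20 dst=172.16.0.9 dport=443
2024-03-01T02:00:03Z host=ad01 sev=warn event=invalid_login src=10.1.1.50 user=alice
2024-03-01T02:00:09Z host=ad01 sev=warn event=invalid_login src=10.1.1.50 user=alice
2024-03-01T02:00:15Z host=ad01 sev=warn event=invalid_login src=10.1.1.50 user=bob
2024-03-01T02:00:21Z host=ad01 sev=warn event=invalid_login src=10.1.1.50 user=carol
2024-03-01T02:00:30Z host=ad01 sev=warn event=invalid_login src=10.1.1.50 user=dave
2024-03-01T02:01:00Z host=ips01 sev=info event=app_detect app=tor src=10.1.1.77 dst=198.51.100.4
2024-03-01T02:01:05Z host=fw01 sev=info event=conn_allow src=10.1.1.21 dst=172.16.0.9 dport=443
2024-03-01T02:01:10Z host=srv01 sev=info event=process_start pid=4411 image=backup.exe
2024-03-01T02:01:12Z host=ad01 sev=warn event=invalid_login src=10.1.1.51 user=erin
2024-03-01T02:15:00Z host=ad01 sev=warn event=invalid_login src=10.1.1.51 user=erin
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def should_keep(record):
    """Pre-filter: discard informational events unless their type is on the watch list."""
    return record.get("sev") != "info" or record.get("event") in WATCHED_INFO_EVENTS


def triage(log_text):
    """Filter the log stream and apply two detection rules; return alerts and a drop count."""
    alerts = []
    dropped = 0
    failures = defaultdict(deque)  # source address -> timestamps of recent invalid logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if not should_keep(rec):
            dropped += 1
            continue
        event = rec.get("event")
        if event == "invalid_login":
            window = failures[rec["src"]]
            window.append(rec["ts"])
            # Slide the window: forget failures older than LOGIN_WINDOW.
            while rec["ts"] - window[0] > LOGIN_WINDOW:
                window.popleft()
            # Fire once, when the count first reaches the threshold.
            if len(window) == LOGIN_THRESHOLD:
                alerts.append({"rule": "invalid_login_burst", "src": rec["src"],
                               "count": len(window), "ts": rec["ts"]})
        elif event == "app_detect" and rec.get("app") in FLAGGED_APPS:
            alerts.append({"rule": "flagged_application", "src": rec["src"],
                           "app": rec["app"], "ts": rec["ts"]})
    return {"alerts": alerts, "dropped": dropped}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print(f"dropped {result['dropped']} informational events")
    for alert in result["alerts"]:
        print(alert)
```

On the sample, three connection and process events are dropped and two alerts are produced. The watch list in `should_keep` is the caveat worth noticing: a blanket “drop everything informational” rule would have silently discarded the Tor detection, so filters need to be written per event type rather than per severity alone.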

CISO DRG Vol 2: Chapter 13 – Threat Intelligence

Introduction

In the first three chapters of Volume 2 we have been focused internally. In Chapter 13, we turn our focus to outside your organization. Threat intelligence, like situational awareness, is the discipline of becoming conscious of the environment in which you are operating with the intent of decreasing the potential impact of harms that are presented to you or your community. You’ll need to use a combination of data about the relevant threat actors and the vulnerabilities of your high-value assets along with your judgment about the combinations that pose the greatest risk to your organization.

Bill starts the discussion where we have traditionally associated protection from risk, with the law enforcement community. Every organization operates in the context of local, state and federal jurisdictions, some grounded in the physical world and many increasingly incorporating the digital realm. From there, Bill expands the scope to include the entire human network that all three authors have repeatedly highlighted.

Matt asks us to look inward again to establish the context in which threat intelligence is most effective. He guides us on an exploration of six keys to threat intelligence that teach us how to use that context to make better decisions about which threats are most real to us and build a program around that knowledge.

Gary gives a thorough analysis of the sources for threat intelligence and leaves us with an understanding of how these sources are structured, characterized, and effectively utilized. He concludes with an extensive review of Open Source Threat Intelligence and how you should incorporate that into your threat intelligence program.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is threat intelligence, and what types of external threat intelligence sources should the CISO use to augment their cybersecurity suite?

♦  What are the business scenarios for incorporating threat intelligence services into an enterprise cybersecurity program?

♦  Which Open Source Threat Intelligence (OSINT) resources should a CISO consider for enhancing their threat vulnerability management program?

Situational Awareness – Bonney

What Is Threat Intelligence?

Before answering the questions that we have posed for threat intelligence, I’d like to define what threat intelligence is, or what it means to me. Some threat intelligence products and services might include phrases like “organized, analyzed and refined information” and reference “potential and current attacks” somehow targeted, generally or specifically, “at your organization or industry.” That’s certainly one aspect of a good threat intelligence program. That kind of information is consumed at a knowledge level, in other words, informing the people on your team about the current threats that they should focus on, how to recognize them, how to prepare for them, and how to defend against them.

Threat intelligence information can also refer to specific vulnerabilities and the techniques that might be used to exploit those weaknesses in a way that your people and your defensive systems can immediately use to prevent or mitigate specific threats. Threat intelligence can also refer to specifics about the adversaries (who is posing a threat) and the victims (who is the target). Good threat intelligence should be actionable; you need to know what the adversaries want to do, to what, and you need to know if that applies to your organization.

We have to assume that you know what assets you have that are susceptible to any threat. Much of what I’ve listed above is available through commercial and cooperative services. Depending on the scope and capabilities of your organization, you might consume one or more commercially available sources of threat intelligence.

There is a tendency to believe that once something like threat intelligence is packaged commercially, that “buying” your threat intelligence is the most comprehensive and practical approach. Let the experts collect the data from their millions of sensors and their honeypots, and let their analysts review that intelligence and monitor the dark web for you and tell you where you should focus your attention. It’s true that very few companies have the means to run a comprehensive threat intelligence program on their own, and even those that do still consume commercial feeds to support their efforts. But there is another aspect to threat intelligence that does involve work that you do on behalf of your organization. You now have an excellent opportunity to work with your human network, especially your external network of peers, subject matter experts, law enforcement, vendors, and partners.

With this context for threat intelligence, I want to ask an additional set of tactical questions:

  1. What is our current working relationship with law enforcement?
  2. What are our sources of international cyber threat intelligence?
  3. What organizations are we sharing our cyber threat knowledge with, and what are we learning from them?
  4. What is our working (information sharing) relationship with the most high-profile firms who have had breaches? Do we have information coming to us from them? What have we learned?
  5. Do we track social media sites and blogs referencing us for clues about our vulnerabilities?
  6. When we hear of a breach in another organization, what do we do? When does that process start, and what is the routine reporting in the organization? What are the criteria that determine who to notify and when to notify the board of directors?
  7. As we look at the data for intrusions, penetrations, or attempts to gain unauthorized access, what has been the primary category of threat actors who seem to have made these efforts? How has that information influenced our defensive efforts?

Threat Intelligence Is More Than a Service

Let’s look at what these questions are getting at and how we, as CISOs, might go about responding. Starting with number 1, our relationship with law enforcement. We’ve all heard that law enforcement wants to have a relationship with us. They would like organizations to tell them when suspicious events occur and identify potential bad actors for them. Then, they will share information with industry about threats they become aware of through various means. Each party would be able to use this information without additional jeopardy.

Just a few years ago, this statement met with a fair amount of skepticism. However, through organizations such as InfraGard, which is an FBI public-private partnership program, and concerted efforts by law enforcement and various supportive industry groups, cooperation and trust have been building. While it still varies by region and community, there has been significant progress.

If your organization has a relationship with local law enforcement through its physical security organization, partnering with that group and leveraging that connection is a great place to start. Usually, this involves at least local law enforcement, such as city police departments, county sheriff’s departments, and state troopers across the United States. If your organization does not currently maintain any federal relationships, you should consider connecting with the FBI (through regional associations such as InfraGard) and the Department of Homeland Security (DHS).

The DHS was created in the aftermath of the events of September 11, 2001, to manage and coordinate the activities between several existing agencies. The combined organization addresses land and marine borders and immigration, with the U.S. Customs and Border Protection (CBP), the U.S. Immigration and Customs Enforcement (ICE), and the U.S. Coast Guard (USCG). It also addresses accidents and several types of threats, with the Federal Emergency Management Agency (FEMA), the Transportation Security Administration (TSA), the U.S. Secret Service (USSS), and the Office of Intelligence and Analysis (OIA).

In addition to the FBI’s InfraGard program, there are many cooperatives and public-private partnerships. Among them are the ISACs (Information Sharing and Analysis Centers), which exist for all of the elements of the U.S. critical infrastructure. The graphic below (courtesy of the National Fusion Center Association – NFCA) depicts the 16 components of the U.S. critical infrastructure. The U.S. DHS declared a 17th component, the U.S. Electoral System, a part of the nation’s critical infrastructure in January 2017.

Figure 13.1 The 16 Original Industries in the U.S. Critical Infrastructure

In addition to the NFCA, the ISACs, and your local law enforcement, there are the 76 regional “Law Enforcement Coordination Centers” (LECC). Reach out and connect with these groups and then leverage these groups to find local industry associations if you are new to the region or just don’t know who to ask.

Regarding question 2, not every organization will need sources of international threat intelligence, but if your team has a global footprint, there are significant considerations. First, some cyber-criminal gangs are very regional, and intelligence is limited outside their region. Second, if you do not have a substantial presence in international markets, your international field offices might be especially vulnerable to local cyber-criminal activity if you aren’t able to keep the cyber education level high among your global workforce. To address this, ensure that any vendors you use for threat intelligence have sufficient coverage in the markets where you are present.

CISO DRG Vol 2: Chapter 14 – Continuity Planning and Your Approach to Backups

Introduction

In the next four chapters, we’re going to do a deep dive into the entire process of preparing for, responding to, recovering from, and learning from cyber incidents. A passage Bill writes in Chapter 17 is worth previewing here: While it’s helpful to break the entire incident response discipline into a series of discrete phases so that each can be described individually to assist with training and the command and control of response activities, it is rarely clear-cut when one process ends, and the next begins. There is often significant overlap, and as new information emerges, it is usually necessary to revisit a phase previously thought completed. For instance, while in recovery, monitoring activity may detect the presence of indicators of compromise identified for the current cyber incident and that may send you all the way back to the containment phase.

At times in the material we present over the 12 essays that make up these next four chapters, that overlap will become apparent not just within the activities of responding to a specific event, but across the entire set of disciplines we cover.

In Chapter 14 we look at the close relationship between business continuity planning and your strategy for becoming a cyber-resilient organization. Each of the three authors ties these two critical business processes together and emphasizes the importance of understanding what is fundamental to the business.

Bill discusses backup and recovery planning. He challenges the reader to factor into their backup planning the traditional elements of business continuity planning while considering vital new dimensions. These new dimensions include accommodating new service delivery models such as cloud computing and new attack methods such as ransomware in our models.

Matt emphasizes the importance of executive and board-level engagement. From understanding the organization’s core priorities and tying those to the appetite for risk to making sure the board understands how the BCP / DR strategy seeks to manage and mitigate that risk, Matt shows how ultimately it is about business strategy. A key way that the CISO drives this engagement is by making sure that the security program and security architecture reflect organizational priorities as captured in BCP tools such as the BIA. Ensuring that the organization is a going concern is the ultimate responsibility of the board.

Gary reminds us of the impact that cyber incidents can have, including outcomes like disruptions to business continuity and reputation damage. Significant events can translate to disappointed customers, lost jobs, and hard monetary costs that can leave an organization reeling. He then helps the reader construct a plan by building on many of the lessons from previous chapters and showing how the pieces fit together.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is a Business Continuity Plan (BCP) and what are the steps to create one?

♦  What critical components should a Disaster Recovery Plan (DRP) include to be effective?

♦  What value does the CISO’s security program receive from the organization’s Business Continuity Plan and its associated Disaster Recovery Plan?

Cybersecurity’s Debt to the Business Continuity Community – Stamper

Let’s face it – cybersecurity is exciting. Our profession is in the crosshairs of the media, with reports related to high-profile attacks frequently covered on the nightly news. We even have popular TV shows. For new entrants to our profession, this focus on cybersecurity may seem to be the norm. For those of us who have been in the industry more years than we’d like to admit, we recognize that the current focus on cybersecurity is a relatively new phenomenon. It may come as a shock to some that there was a time when cybersecurity (and before that, information security) was the forgotten stepchild of IT, overlooked from a resource and budget perspective. Security was the department – let’s be honest about this, the individual – that would get the table scraps from the IT budget once leadership addressed all other “priorities.”

I bring up this historical perspective to acknowledge our profession’s debt of gratitude to our colleagues in the business continuity and disaster recovery (BC/DR) community. Historically, our two disciplines shared a similar neglect. Like security, everyone knows and recognizes that business continuity and disaster recovery are important elements of an organization’s overall resilience.

Despite this recognition of the importance of BC/DR, most organizations only pay lip service to this critical discipline with incomplete and untested BC/DR plans. Furthermore, our colleagues in BC/DR frequently have their budgets and projects undermined by higher priority efforts within the organization. The result is that organizations are less resilient and subject to significant interruptions to their operations. Kind of sounds like the risk factors associated with inadequate and poorly-resourced security programs.

While the current focus on cybersecurity is beneficial, we should not overlook the contributions from our colleagues in BC/DR, especially in the context of resiliency. Our respective professions both focus on resiliency. Resiliency is at the heart of cybersecurity. No organization is immune from being attacked. In fact, our organizations are subject to ongoing and in many cases highly persistent attacks. Our jobs are to ensure that our organizations remain resilient when confronted with risks, be they cyber or natural disasters.

We can learn and have learned much from our colleagues in BC/DR. First and foremost, let’s not overlook one of the great tools that our BC/DR friends leverage to evaluate their continuity programs – the business impact analysis (BIA). BIAs are powerful tools that should be leveraged to improve our security programs. They convey detail related to organizational priorities, expressed in terms such as maximum allowable downtime (MAD), recovery-point objective (RPO), and recovery-time objective (RTO). Further, well-crafted BIAs highlight key dependencies on applications, staff, infrastructure, and vendors.

Collectively, the detail resulting from the review of a BIA provides essential context related to the organization’s risk landscape. We don’t have cybersecurity for cybersecurity’s sake. Cybersecurity must be focused on the business and not just cool and innovative technology. Ultimately, a business consists of distinct processes and protecting these processes from cyber risk is our raison d’être.

The BC/DR community has also done an excellent job of looking at mitigating strategies to improve organizational resilience. Strategies related to fault tolerance of components, fail-over, and high-availability architectures including active/active and active/passive configurations have their roots in approaches designed to improve RPO and RTO. In the aggregate, our BC/DR colleagues have produced a body of work that can inform how we look at our cyber programs with the ultimate goal of improving the operational resiliency of organizations.

Let’s take a look at how cybersecurity can improve resiliency. I’d like to recommend we spend a bit of time on the following:

♦  Defining, documenting, and mitigating risk

♦  Tying risk to the organization’s core priorities and organizational objectives

♦  Keeping executive management and the board of directors appropriately informed

These three practices will help us to position our cybersecurity program in a manner that improves the resilience of the organization.

Defining, Documenting, and Mitigating Risk

CISOs would be well served to bring risk management front and center in their security programs. We cannot protect every system equally. Not all business processes, applications, and infrastructure are created equal. Similarly, not all employees have the same value to the organization. This inequality may seem obvious, but our security programs frequently don’t reflect this reality. Too many security programs attempt to apply ubiquitous security to all systems, infrastructure, and employees.

The consequences of a blanket, cover-all approach to security are challenging. Unless the organization benefits from an ever-expanding budget and nearly unlimited resources, the reality of a protect-everything-equally security program is watered down security. Critical systems are under-resourced and under-secured while we effectively overprotect non-critical systems. The root cause of this disconnect is fundamentally a lack of alignment with organizational priorities. A discussion that is risk-focused is the most effective means to avoid this dynamic.

Key to a successful risk discussion is for the CISO to capture and understand the organization’s overall risk appetite concerning the impacts on the confidentiality, integrity, availability, privacy, and even the safety of material business processes. These impacts, however, need to be more formally aligned with enterprise risk management and specific risk considerations for the organization related to financial, reputational, operational, and other higher-level risk considerations.

When done correctly, a risk-focused discussion translates detailed technical risk into business terms which senior executives and the board can more readily consume and act upon. Executive management and the board are concerned about the impacts of an adversary on the organization, its reputation, and its finances, even if they are not well-versed on the tactics, techniques, and procedures (TTPs).

CISOs should continually ask themselves: “What is it that I don’t know that I should know about this business process or initiative that could impact the confidentiality, integrity, availability, privacy, and safety of the process?” This open-ended question keeps the focus on considerations that could materially impact the organization. Returning to our colleagues in BC/DR, the BIA can facilitate this line of questioning. What dependencies and risk factors – notably from a cyber perspective – could negatively influence those processes that are most critical to the organization? Knowing these factors will help align your security program and architecture to those processes that the organization values most – as noted in the MAD and RPO/RTO.

Another, more direct but less structured approach to understanding risk appetite across the organization is to simply ask colleagues in various departments and lines of business to clarify their areas’ priorities and key functions (e.g., business processes). This insight will facilitate the alignment of your security program to the organization’s core focus, effectively, what the organization values most. For the good of their security programs, CISOs must excel at understanding this business context.
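The essay’s point that the BIA should drive which processes, and which of their dependencies, the security program protects first can be worked through in code. The following is an added example, not code from the CISO Desk Reference Guide or its authors: it takes a constructed BIA (process, MAD, RTO, RPO, and dependencies), assigns each process a protection tier from its maximum allowable downtime, lets every shared dependency inherit the tier of the most critical process that relies on it, and flags entries whose RTO is slower than the MAD the business says it can tolerate. The hospital processes, the hour values, and the tier thresholds are all constructed assumptions.

```python
"""Turning a business impact analysis (BIA) into security priorities.

Added example, not from the CISO Desk Reference Guide or its authors.
Every process, number and threshold below is a constructed assumption.
"""
from dataclasses import dataclass, field


@dataclass
class BiaEntry:
    process: str
    mad_hours: float                 # maximum allowable downtime
    rto_hours: float                 # recovery-time objective
    rpo_hours: float                 # recovery-point objective (tolerated data loss)
    depends_on: list = field(default_factory=list)  # applications, vendors, infrastructure


# Constructed sample BIA for a hypothetical hospital (assumption).
SAMPLE_BIA = [
    BiaEntry("Patient admissions", 2, 1, 0.25, ["EHR", "Identity provider", "Core network"]),
    BiaEntry("Lab results delivery", 4, 2, 1, ["EHR", "Lab interface engine", "Core network"]),
    BiaEntry("Claims billing", 8, 12, 4, ["Billing SaaS vendor", "Identity provider"]),
    BiaEntry("Payroll", 72, 48, 24, ["HR SaaS vendor", "Identity provider"]),
    BiaEntry("Marketing website", 168, 72, 24, ["CDN vendor"]),
]

# Assumed tier thresholds: a process whose MAD is at most N hours lands in the
# given tier; anything slower than the last entry is tier 4 (lowest priority).
TIER_THRESHOLDS = [(4, 1), (24, 2), (72, 3)]
LOWEST_TIER = 4


def tier_for(entry):
    """Map a process to a protection tier from its maximum allowable downtime."""
    for limit_hours, tier in TIER_THRESHOLDS:
        if entry.mad_hours <= limit_hours:
            return tier
    return LOWEST_TIER


def prioritize(bia):
    """Rank processes: most critical tier first, then the tightest downtime limit."""
    ranked = sorted(bia, key=lambda e: (tier_for(e), e.mad_hours, e.process))
    return [(e.process, tier_for(e)) for e in ranked]


def dependency_tiers(bia):
    """Each dependency inherits the best (lowest-numbered) tier of any process needing it.

    This is why the BIA matters to security: an identity provider that a tier-3
    payroll process and a tier-1 admissions process both rely on must be
    protected as a tier-1 asset.
    """
    tiers = {}
    for entry in bia:
        tier = tier_for(entry)
        for dep in entry.depends_on:
            tiers[dep] = min(tiers.get(dep, LOWEST_TIER), tier)
    return tiers


def find_inconsistencies(bia):
    """Flag entries whose recovery objective is slower than the downtime the business tolerates."""
    return [f"{e.process}: RTO {e.rto_hours}h exceeds MAD {e.mad_hours}h"
            for e in bia if e.rto_hours > e.mad_hours]


if __name__ == "__main__":
    for process, tier in prioritize(SAMPLE_BIA):
        print(f"tier {tier}: {process}")
    for dep, tier in sorted(dependency_tiers(SAMPLE_BIA).items(), key=lambda kv: kv[1]):
        print(f"  dependency {dep!r} must be protected at tier {tier}")
    for issue in find_inconsistencies(SAMPLE_BIA):
        print("BIA inconsistency:", issue)
```

The inherited tiers are the useful output: the identity provider appears only once in the admissions entry but ends up a tier-1 asset, which is the kind of alignment the essay argues a protect-everything-equally program misses. The inconsistency check catches a BIA that promises a downtime limit its own recovery plan cannot meet, a finding worth raising with the BC/DR owners before it is used to size security controls.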

CISO DRG Vol 2: Chapter 16 – Recovery and Resuming Operations

Introduction

There is a fine line between incident response and recovery and resuming operations. To some extent, that line is only academically useful. The authors have covered many of the discrete activities in resuming operations in Chapter 14. Nonetheless, there is some discipline that is helpful in the immediate aftermath, both to make sure the incident is really resolved, and to learn and improve for a better response to the next incident.

Bill highlights two discrete activities that can be thought of as specific to resuming operations. First, it is important to realize that outside of the family of ransomware attacks, a major objective of a modern attack is persistence. Verifying that the recovered asset is truly back to an acceptable baseline takes planning and diligence. Second, as is the case while the incident is underway, communication during the recovery phase is also critical. All stakeholders, including customers, suppliers, law enforcement, and employees, need to know what is expected of them.

Matt takes the reader through a hypothetical situation that a healthcare provider, in this case a hospital, might face. He recognizes that for many people reading this book, you might not have been through an incident before and may not have inherited a mature program. He uses that hypothetical to challenge the reader to be capturing lessons while in the moment with an eye toward building the muscle memory that the organization will need to improve operational resilience.

Gary provides a series of planning guides to help the reader prepare for the inevitable and then walks the reader through the activities. The reader should find it helpful to see how the planning is put to use and benefit from the reminders about critical information to capture in the moment. As Gary has pointed out throughout his essays, the CISO can never stop learning. That learning discipline is what allows the CISO to continue to push their organization to improve.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What steps should an organization take to prepare for a data breach?

♦  During a data breach, what operations should the CISO be aware of and possibly manage as a member of the organization’s business continuity effort and leader of the incident response team?

♦  What steps should be followed to resume normal operations and resume data breach management efforts?

Getting Back to Business – Bonney

Now that the incident has been detected, contained, and eradicated, it’s time to recover and resume operations. It’s important to distinguish between recovering the business process and recovering the asset. Certainly, many business processes will be entirely dependent on the availability and integrity of a specific set of critical assets. But keeping the focus on the business process as your key recovery objective will allow you and your organization to make crisper decisions about when to use backups, alternative sites, or other options defined in your recovery plans.

As with other disciplines that we’ve discussed, some of the ground we’re going to cover in this chapter has traditionally been within the CIO’s purview. But as we’ve stated before, in today’s digital business world the most likely causes of downtime requiring recovery operations are cyber-related events, and that’s going to place the CISO front and center. It’s important that the CISO can take responsibility as needed and is working with the same recovery objectives as the CIO.

Planning and Preparation 

Here again, the planning you have done in preparation for recovery is critical. We have already established that incident response does not begin with the incident. It begins in the preparation phase when you are taking inventory of your business processes and systems and creating RTOs, RPOs, and the sequence of eventual recovery activities. Each business process should have a runbook, validated by the business process owner, that details how to recover the business process, including decision criteria for asset recovery versus switching to backup or alternative assets.

It is critically important that the business process owner is intimately involved in both the creation and the execution of the recovery runbook. The business process owner will need to balance internal stakeholder and external customer expectations regarding service delivery and contractual obligations for uptime and service availability. They will do this by using the RPO and RTO referenced in Chapter 14 as guideposts for prioritizing recovery activities and deciding between restoring primary assets versus switching to backups.

Another key aspect of your preparation activities is making sure your executive team knows that you are constantly working on incidents. They need to understand that you are continually evaluating log files, investigating outages, and tweaking your monitoring tools. Your executive team should know how incident response works and that it is part of normal activity. You’ll want to present it as a routine activity and a continual process that addresses high-level investigations and specific incidents and outages. Reporting on some amount of the activity on a regular basis will help familiarize them with the work that will be required while recovering from high-profile events.

Having the executive team receive these periodic reports, act on them, and participate in communications and recovery activities will prepare them for the more challenging high-profile events, when you will need their support and when it’ll be vital for them to pitch in by working their human network.

The reason this is important is that when we are stressed we rely on habits; quick, easy-to-remember responses are best for stressful circumstances when we are under pressure. Airlines trust pilots with ever more complex aircraft, more passengers, and greater distances as they gain experience, and the military drills continuously, for the same reason: to form habits that will take over in times of stress. For your executive team to react in a positive and supportive manner and not distract the team with knee-jerk reactions, they need to be part of the routine incident management process.

Recover and Resume 

The recovery steps include restoring the assets, validating the assets, determining when to place the assets back in service, monitoring the assets, and communicating the status, both at the business process and incident level. Restoring the assets will be the responsibility of the business teams and the IT team, but the CISO and the Information Security team also play critical roles. As you bring assets back online, InfoSec needs to assist with validation and monitoring.

However, before any of these activities can take place, it is essential that your organization’s process for determining the regulatory or contractual impact of the outage or disruption is executed, so that you catalog and, if necessary, sequester all assets needed for forensics activities and follow-up analysis. This review can be required to assist with regulatory action (for instance, a record request for a high-profile breach or outage) or to help the organization with its defense against any litigation instigated by authorities, customers, or partners. It is more than a matter of convenience. In many cases, the regulatory obligations under which you operate or the contracts that specify the services you provide to key customers spell out the need to preserve records and evidence, and the failure to do so can potentially subject the firm to additional legal jeopardy.

Here again, it is critical to work with your legal team to appropriately handle records and systems, make detailed notes of what, if any, compromise has taken place against sensitive records or systems, and ensure you can complete any subsequent analysis. At a minimum, copy all logs and all records involved in the incident, and preserve the state of any systems (do a snapshot of virtual machines, for instance) involved. Care must be taken to handle sensitive records according to the appropriate data handling policy, even (and especially) when systems are technically offline.

For example, a simple downtime event can turn into a breach notification event if recovery personnel inadvertently review restricted PHI records while reviewing for record integrity. Certain designated personnel are likely empowered to execute specific pre-approved record integrity validation routines. Make sure this is how the records are validated, so you don’t run afoul of data handling regulations. Remember that when offline, the application safeguards you or the vendor designed into the system may not be functioning. Without these controls, you may inadvertently expose records to inappropriate personnel. Make sure to account for this with your incident response and recovery runbook to avoid adding to your list of problems.
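A pre-approved record integrity validation routine of the kind described above, written here as an added example (not the book’s own code): restored records are compared against a keyed digest manifest taken before the incident, and the routine reports only record identifiers and verdicts, so recovery staff never see field contents. The sample records, the key, and the field names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data, not from the book. Field values are placeholders,
# not real patient data; MANIFEST_KEY is an assumed key held by the
# integrity-check service, not by the recovery staff who run the check.
MANIFEST_KEY = b"example-integrity-key"
BASELINE_RECORDS = [
    {"record_id": "1001", "mrn": "MRN-A", "dx": "Z00.0", "visit": "2023-01-05"},
    {"record_id": "1002", "mrn": "MRN-B", "dx": "J06.9", "visit": "2023-01-06"},
    {"record_id": "1003", "mrn": "MRN-C", "dx": "I10", "visit": "2023-01-07"},
]
# Restored set: 1002 altered, 1003 missing, 1004 absent from the baseline.
RESTORED_RECORDS = [
    {"record_id": "1001", "mrn": "MRN-A", "dx": "Z00.0", "visit": "2023-01-05"},
    {"record_id": "1002", "mrn": "MRN-B", "dx": "J06.9", "visit": "2023-01-09"},
    {"record_id": "1004", "mrn": "MRN-D", "dx": "E11.9", "visit": "2023-01-08"},
]

def record_digest(record: dict, key: bytes) -> str:
    """Keyed SHA-256 over canonical JSON, so key order cannot change the digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_manifest(records, key: bytes) -> dict:
    """Taken before the incident and stored with the backup: id -> digest only."""
    return {r["record_id"]: record_digest(r, key) for r in records}

def validate_restored(restored, manifest: dict, key: bytes) -> dict:
    """Compare restored records to the manifest; return a verdict per id, never content."""
    status = {}
    for r in restored:
        rid = r["record_id"]
        expected = manifest.get(rid)
        if expected is None:
            status[rid] = "unexpected"   # present after restore, absent from baseline
        elif hmac.compare_digest(expected, record_digest(r, key)):
            status[rid] = "ok"
        else:
            status[rid] = "modified"     # contents differ from the pre-incident copy
    for rid in manifest:
        status.setdefault(rid, "missing")  # in baseline, not restored
    return status

if __name__ == "__main__":
    manifest = build_manifest(BASELINE_RECORDS, MANIFEST_KEY)
    print(validate_restored(RESTORED_RECORDS, manifest, MANIFEST_KEY))  # ids and verdicts only
```

The keyed digest means a tampered dataset cannot be accompanied by a freshly recomputed manifest unless the key was also obtained; in practice the manifest is generated by the backup job and the key kept out of the recovery team’s hands.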