Incident Response Management Case Study
Any organisation can suffer a cyber security incident or data breach. The damage, both short-term and long-term, can be very substantial and, for some organisations, even existential. Reputation damage and loss of customers are a normal consequence, on top of the costs of identifying and remediating the incident. Increasing financial penalties for data breaches can magnify the damage. Damages and losses often run into multi-millions.
Absence of appropriate skills and inadequate cyber-readiness can significantly increase the duration and cost of a cyber incident.
The Romano Security Consulting Security Incident Management consultancy service helps organisations develop the resilience to protect against, remediate and recover from a wide range of cyber incidents and data breaches.
Romano Security Consulting were contacted by Howden Ltd to assist in developing their incident management process and planning in the wake of several high-profile cyber attacks on similar-sized organisations.
Howden Ltd provides a large range of outsourced services and solutions to the UK Government and the wider public sector from locations throughout the UK.
Due to the nature of the business Howden operate in, and the sensitivity of the information the organisation processes, they have a number of contractual and legislative requirements for incident reporting, such as GDPR, the NIS Directive, the Scottish Cyber Resilience Strategy, the NHS DSP Toolkit and CareCERT.
Romano Security Consulting held an initial scoping meeting with Howden’s Directors and Information Security Manager to gain an insight into the business and establish their cyber incident management requirements.
Following the scoping meeting, Romano Security Consulting drew up a project plan and prepared a statement of work taking into account Howden’s requirements, resources and time frame.
The Romano Security Consulting Incident Management consultancy service is designed to help organisations develop a cyber incident management and response capability based on the best-practice cyber security incident response framework developed by CREST, with additional guidance from ISO/IEC 27035, the international standard for cyber incident response.
The incident management project began with a detailed overview of the organisation and a gap analysis to review the current security controls in place within the organisation and to assess the level of security maturity.
The next step was to formulate an incident response team made up of stakeholders from across the organisation’s business entities, technical support and senior management teams.
A BIA (Business Impact Analysis) was conducted with stakeholders from across the business to identify and prioritise the criticality of the assets that needed to be protected and to help inform the incident scenarios that would be included in the incident response plan. The BIA helped engage and involve the stakeholders and enabled them to understand what impact an incident could have on their area of business.
A number of scenarios were developed around the existing threats (ransomware, denial of service and hacking) using the CREST seven-phase lifecycle approach to incident response:
Phase 1 – Detect
Phase 2 – Report
Phase 3 – Investigation
Phase 4 – Triage
Phase 5 – Action
Phase 6 – Recovery plan
Phase 7 – Follow up
Each scenario was then documented and tested, and improvements were made following the testing.
All of this information was then documented in an Incident Response Plan.
The plan included the following:
Overview of the organisation, scope, objectives and responsibilities
Overview of critical assets, or summary results of the BIA: identification of the critical assets, asset owners, threats and MTD (Maximum Tolerable Downtime)
Incident Reporting Process – a documented incident reporting process and escalation paths
The Incident Response Process Steps – a step-by-step procedure covering the seven phases of the incident response process
Incident Scenarios – detailed, step-by-step, pre-prepared and tested incident scenarios covering the organisation’s most critical assets and the biggest threats to those assets, including all of the steps required to recover the data, system or service in a particular scenario
Contacts, checklists and logs.
Training and awareness were also provided to the incident response team and first responders, covering the following areas:
Incident identification
Incident reporting
Incident classification
Incident scenario testing
Business continuity and technical disaster recovery planning and testing
A framework for continually improving and testing the incident response plans was developed during the project, based on the results of the gap analysis and the lessons learned throughout the project.
Romano Security Consulting are currently assisting Howden in developing their business continuity and disaster recovery plans and their incident response scenarios.