CASE: Create A Cybersecurity Incident Response Team
Cybersecurity events can happen at any time. Notable historic security events show the
shortening cycle of threats: the Melissa virus, which took several days to spread; the "Love
Letter" worm, which became rampant in just a day; and the Nimda worm, which wreaked
havoc in just hours. These incidents show that little time is needed to infect systems around
the world, and a company must therefore have the capability to respond quickly to prevent
major losses and interruptions in service.
http://video.cnbc.com/gallery/?video=3000469792
"Every minute, we are seeing about half a million attack attempts that are happening in cyber space."
-Derek Manky, Fortinet global security strategist
For regulated businesses such as banking and health care, governments are enacting
laws that require businesses to provide mechanisms for protecting consumer data and
privacy. And those mechanisms can't come quickly enough, according to security
experts such as Manky:
Watch: http://video.cnbc.com/gallery/?video=3000469792
Because of rapid changes in security threats, even huge capital expenditures on
hardware and software designed to secure your network will only reduce, not
eliminate, the risks associated with a security event. A well-organized cybersecurity
incident response team (CSIRT) is one component of an organization's security strategy,
and it is a component that needs to be embedded and embraced at all levels of the organization.
So what happens when the organization is breached? Every incident has a cost for
the organization. If caught early, the cost can be minimal. However, if an incident occurs
and there is no clear plan and no capable team to execute the plan, the costs associated
with a breach can climb (for example, https://www.washingtonpost.com/news/onleadership/wp/2014/01/13/target-ceo-opens-up-about-databreach/?utm_term=.9ae38512b926).
As we read earlier, a good cybersecurity plan does not attempt to catch EVERY
intrusion, but instead strategically focuses on: “identifying and protecting the company’s
strategically important cyber assets and figuring out in advance how to mitigate damage
when attacks occur.” (https://hbr.org/2016/10/good-cybersecurity-doesnt-try-to-preventevery-attack)
It is a simple fact that the number of computer and software vulnerabilities is growing
and the sophistication of attacks is increasing. Organizations need to develop a
comprehensive plan to secure sensitive information and ensure the survivability of their
critical infrastructure.
Case adapted from: https://www.cert.org/incident-management/publications/case-studies/afi-casestudy.cfm
Case Background
iFinance is one of the largest banks in the country, with a national network of branches and
products and services that span the entire financial range—from traditional consumer
banking and investment services to insurance and corporate investment banking.
iFinance was formed three decades ago through acquisitions of regional banks in the
West and Midwest. Those banks had themselves grown from mergers of numerous
smaller banks, so dozens of banks have been acquired or merged into iFinance over time.
iFinance has billions in assets, operates 2,225 banking offices in 25 states and over 4000 ATMs,
and provides online banking and mobile banking apps to both business and personal
customers. The bank employs 25,000 tellers, staff, and management.
A problem facing iFinance is that, because of these mergers and acquisitions, each of its
business units has its own legacy networks and its own vision of how security measures should
be implemented to protect its resources. As iFinance has acquired more companies and
increased the number of service offerings, it has become more critical that a standard
set of repeatable processes be put in place to deal with security incidents. iFinance's
approach to security must be carefully coordinated across all business units to provide a
consistent, repeatable process.
The top executives of iFinance recognize that, to be successful in the financial industry,
the bank must have a clear understanding of its security risks and be able to identify
solutions that eliminate or minimize potential threats to the organization. To get
started, this fall iFinance published its security architecture plan for
infrastructure security on its internal website. This activity helped iFinance articulate a
starting direction for its information security needs.
Your Role
You are a newly hired Information Security Manager who started a few months ago. You
have noticed that security incidents are occurring and, although these incidents are
being addressed, they are being handled inconsistently across the iFinance
organization. You recognize that a consistent incident response system needs to be
implemented.
Guidelines:
Part 1:
Submit your individual write up on the last day of the intersession (in the Inter-session
Activities Assignment Area of the Bb course), prior to arriving in class.
• Use a minimum of 3 scholarly references from peer-reviewed, academic journals
  (must be accessed through Ottawa's online library), and include supporting
  materials and references from your web-based research of the selected
  organization.
• Your paper and all citations/references should be in APA format. The Purdue
  OWL website is an excellent resource for APA formatting and reference
  examples: https://owl.english.purdue.edu/owl/resource/560/05/
• You should include the following sections in your paper:
  o Mission and vision statement for the CSIRT
  o Identify key stakeholders that the CSIRT will serve, and how you will
  o Determine the scope and levels of service the CSIRT would provide
  o Staffing Recommendations – identifying and procuring personnel,
    equipment, and infrastructure requirements for the CSIRT
    ▪ Identify and utilize existing information security technical staff and
      resources to support the CSIRT activities (when needed)
    ▪ Identify any external resources needed
  o Develop what you believe are the top 5 key CSIRT policies and
    procedures (based on best practices, everything you have reviewed
    and learned in this course, and any additional resources needed) that
    should guide all other policies and processes, given iFinance's industry,
    size, structure, etc.
  o Define the CSIRT reporting structure, authority, and organizational model
    to ensure that the team has the access, funding, and a clear mandate
  o Estimate the amount of additional funding needed to implement and
    maintain the CSIRT
  o Communications plan to make security a priority for iFinance's many
    employees in offices distributed throughout 25 states
  o Establish a proposed timeline for implementing the CSIRT
  o Conduct research to establish ROI
    ▪ Find examples of cybersecurity incidents in similar organizations
    ▪ To identify the total cost of an incident, consider the direct costs of
      manpower, equipment, and lost production time, and also the
      indirect costs, such as the potential cost of lost business and
      damage to the company's reputation and brand image.
Part 1 - Case Study Write-up Rubric:
200 points total:
15 points – 3 scholarly, peer-reviewed references
10 points – APA formatting throughout the paper
10 points – Mission & Vision Statement
10 points – Key Stakeholders
10 points – Scope of Services
10 points – Staffing Recommendations
10 points – CSIRT Organizational Structure/Reporting
50 points – Key Policies/Best Practices
15 points – Funding Request/Estimate
25 points – Communication Strategy
10 points – Proposed Timeline
25 points – ROI research/rationale
Part 2 (This will occur during your Day 3 session)
Armed with support from key stakeholders, knowledge of best practices currently being
used in incident management, an understanding of the current and potential threats to
iFinance, and a vision and plan for implementing a CSIRT, it is now time to make the
business case to the Chief Technology Officer (CTO), Chief Operations Officer (COO),
and the Chief Legal Counsel to finalize plans for funding and staffing an operational
CSIRT. You should present a well-researched, compelling rationale that includes
existing/pending government regulations, the costs of attacks (direct and indirect costs),
and a proposed timeline, budget, and organizational structure for the CSIRT and how it
fits into the organization.
Your team will be given time to discuss each other's write-ups, and you can combine the
best aspects of your write-ups into one team framework. Your team will then present
your CSIRT proposal. Remember, communication and internal buy-in are key to your
role as managers and executives on all projects. You are not merely presenting facts;
you are "selling" your proposal in a persuasive presentation.
Guidelines/Rubric
50 points
• Your presentation should be 10 minutes in length, including a clear introduction
  and conclusion, with clear supporting arguments.
• Be free from grammar and spelling errors, and avoid too much text per slide.
• Slides include compelling and professional graphics.
• The presentation is persuasive, presenting a clear need for the CSIRT and a
  well-developed rationale for the team's proposal as a solution to that need.
• Every member of the team should present in a balanced and well-coordinated
  presentation, and prepare for up to 10 minutes of Q&A by your classmates.