Security Breaches and Incident Handling in Organization - Research Proposal Example

?Introduction Incident handling procedures are not similar as they vary on different business processes of the organization. Network dictionary defines incident handling as “Incident Handling is an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security related events. It is comprised of a six-step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned”. Depending on the nature of business, processes can be associated with law enforcement agencies, government institutions, public information providers, information technology etc. in order to handle security incident within the organizations, teams are created that are called as incident response teams. As per network dictionary, “Incident response team refers to a group of people who are responsible for handling information security incidents when they occur”. Incident handling is an essential process as security incidents that are initiated in organizations, breach data servers containing confidential and mission critical data and disrupt business processes. The impact of these incidents provides severe losses in terms of organization reputation in the market, trust in customers and credibility. This proposal is constructed on the basis of a questionnaire and will highlight solutions for minimizing incident handling and security breaches in an organization. The effective incident management approach will minimize issues related to security breaches and other possible threats. The information provided in this proposal is handled with strict confidence. The objectives for this research proposal demonstrates: Research and studies conducted to improve incident management and security breaches Highlighting security management issues with the aid of questionnaires Literature Review In this decade, Security management has become far beyond advanced as compared to simple security techniques. (, SWBC - Thesis: Improving security incident management in multination IT service providers - Software Business Community) The factors that are increasing demands on security management are: Attacks on information systems have significantly increased Legal regulations in order to standardize audits and security functions Interest of management to gain control for the security of business functions along with cost These three factors need to be handled to provide better security. In order to tackle all three factors, Christian Fruhwirth, recommended an event based intrusion detection system in 2008. The system will support these three factors by (, SWBC - Thesis: Improving security incident management in multination IT service providers - Software Business Community): Advanced tools incorporated with IDS to detect intrusions and eliminate attacks Standardized frameworks to handle legal compliance Efficient security management application tools to handle the management. Moreover, an article was published related to compromise recovery and incident handling. The article highlighted mishaps from concerned security administrators for installing default programs from a compact disc. These stored programs on a compact disc facilitates hackers to breach security by storing porn contents, configuring an illegal server, initiating attacks on other information assets and breaching server on the network. In order to eliminate all these threats and vulnerabilities, reviewing and learning the functionality of threats is essential. This will certainly reduce the probability of security incident in organizations (Compromise Recovery and Incident Handling. 2003). One more research was conducted related to a Proposed Integrated Framework for Coordinating Computer Security Incident Response Team. Conventionally, computer security incident response teams (CSIRT) are responsive for viruses, hacking and unauthorized access of employees. The CSIRT is defined as “Computer security incident response team (CSIRT) is a term used by the CERT Coordination Center (CERT/ CC) to describe a service organization that responds to computer security incidents” (Computer Security Incident Response Team. 2007). The research transformed these teams in to efficient tools that will maintain efficiency of business operations, compliance along with new regulations and homeland security. Those organization possessing incident response teams follows a systematic approach and steps to recover the system efficiently from any security breach or incident. Moreover, the existence of teams, eliminates loss or information theft and service disruption. Furthermore, the information gained by detecting and resolving an incident, facilitates support teams to be more efficient for handling future incidents (, Central Washington University - Networks: Incident Handling).Likewise, these teams are called security incident response teams (SIRT). They are triggered when a security breach shows its existence within the network of an organization. However, these teams conduct investigation of suspect workstations and servers. For instance, if a server is responding slowly, or a workstation is broadcasting messages, are examined for any possible security incidents. After specifying the incident that is related to security, the incident recovery steps are performed accordingly to assure adequate information collection and documentation. There are cases where security incidents also involves the contribution of law enforcement agencies, concerned managers, board of directors of an organization and security professionals to resolve and recover from security incidents (, Incident Handling ). Incidents in the context of adverse events demonstrate a negative impact for organizations. Adverse events includes a system crash, flooding of network packets, unauthorized access of system privileges, viruses, malicious codes etc. incidents in the context of computer security are referred as a policy violation for computer security policies and standard security practices. Project Plan Milestone Description Date Research to demonstrate improved practices and methods related to incident management and security breaches The research that is conducted by questionnaires in order to integrate information related to the topic Literature View Includes studies, surveys and researches in order to improve incident handling and security breaches in an organization Legal Issues Laws that are abided with incident handling and security breaches in an organization Risk Management Managing different factors for securing the network environment of an organization Legal Issues The legal procedures are essential to be addresses. Organizations should maintain a record of all the incidents that took place in the past. There should be an incident response plan that will be supervised by the legal advisor for the regulation of the legal affair. This also includes availability of the systems, legal trial, and incident recovery team who will deal for the training purpose of the employees and incident response tests. For eliminating the incidents, some security measures needs to be operational. Security patch updates are essential on regular basis in order to protect the mission critical system of the organization. The servers providing services is mandatory to be protected at all times. Antivirus updates are required to be updated on daily basis, in order to update the systems for any upcoming threats. Monitoring is also required for Network and system security. For updating the antivirus and patches, training is required for the employees enabling them to protect their systems. To address legal and ethical issues, several stages are followed, including identification stage, containment stage, eradication stage, recovery stage and follow up stage. The incident identification stage includes alerts types. What kind of alerts are generated before the incident took place and to justify whether the source of the incident is ‘internal’ or ‘external.’ The prioritization is essential and is based on two factors. The present and prospect effect of the incident The impact and resources In the containment process, damages must be minimized and stopped. A strategy must be adopted for each incident type according to its impact in order to stop the damages. It should consider the probable damages and the requirement of evidence preservation, service availability and the time required for solving the incidents. This approach will be obliging if the attackers have used the organization’s system as a carrier to attack other networks, resulting in a possible legal action against them (Kruse et al.,2001). The evidences are recorded for legal matters in the future after a forensic report, the process of storing these evidences has to be accepted by the law. The organization should be well aware of the compliance and legal rights. Standards must be considered to preserve privacy, for instance Data protection act (1998). The threats from the network are eliminated in the eradication stage. It is possible by conducting forensic analysis and identifying the vulnerability that created the incident initially. In the recovery stage, the system should be normalized and all the services will be restored after removing any backdoors, Trojans, viruses and hacking tools. After the removal, security patches update the software. In the follow up stage, the mistakes and flaws due to which the incident happened in the first place need to be controlled and eliminated in future. The meeting should be called for brain storming the issues, and for improving the incident-handling plan. Recommendations from the meetings modify the policies, procedures and plans for managing the incident in a better way in future. In the end the modified policies are implemented after approval to keep the organization competitive for future threats (, UB Computer Security ). Risk Management Before conducting risk management, core factors are considered. The identification of information assets is vital. Information assets are defined as the entities that hold organization data. A good definition is available on ‘www.ibm.com’ which states it as, “information assets are specific to your business functions and business strategies, they may be contained within broad categories such as contractual and legislative compliance, those needing virus prevention, those critical to business recovery following security compromises, etc.” The information assets for an organization will be the technology assets, data asset, service asset and people asset. In a typical scenario of an organization’s network, the owners for server hardware will be the server administration group. The owners for the applications running on the servers will be the application support group and the owners for the data, which is stored on the server, will be system development group. Moreover, the risk management process involves the implementation of safeguards and controls that are constantly monitored. Risk Management process identify information assets and their vulnerabilities for ranking them as per the need for protection. Moreover, risk identification consisting of self-examination. Managers identify the critical information assets at this stage. The important assets may include people, data, network components, software components, and hardware components. Furthermore, Risk Classification & Prioritization includes the classification of the assets are allocated, in to useful groups with priorities depending on the business impact of each asset. The organization should answer these questions: Which information asset is the most critical to the success of the organization? Which information asset generates the most revenue? Which information asset generates the highest profitability? Which information asset is the most expensive to replace? Which information asset is the most expensive to protect? Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability? References , Incident Handling . Available: http://www.ucop.edu/irc/itsec/uc/incident_handling.html [5/2/2011, 2011]. , Central Washington University - Networks: Incident Handling . Available: http://www.cwu.edu/~networks/intrusion_detection1.html [5/2/2011, 2011]. Incident Response Team. 2007. Network Dictionary, , pp. 242-242. Incident Handling. 2007. Network Dictionary, , pp. 342-342. , SWBC - Thesis: Improving security incident management in multination IT service providers - Software Business Community . Available: http://www.swbcommunity.org/swbc/index.php/Thesis:_Improving_security_incident_management_in_multination_IT_service_providers [5/2/2011, 2011]. Compromise Recovery and Incident Handling. 2003. Data Security Management, 26(5), pp. 1-9. Computer Security Incident Response Team. 2007. Network Dictionary, , pp. 116-116. KRUSE,W.G and J.G. HEISER, (2001), Computer Forensics: Incident Response Essentials.Addison-Wesley , IBM - Security policy definition - Hong Kong . Available: http://www-935.ibm.com/services/hk/index.wss/offering/its/b1329378 [3/17/2011, 2011]. , UB Computer Security . Available: http://computersecurity.buffalo.edu/presentations-07/shinil-UB_InfoSec_Workshop_Incident_Handling_part1.pdf [5/4/2011, 2011]. Read More