
The Disaster Center Bookstore

Disaster Center Bookstore-a service of Rothstein Associates

Info, Network Security, Info Protection

Critical Incident Management
by Alan B. Sterneckert. 2003, 552 pages.
CD721
$80.00
CRITICAL INCIDENT MANAGEMENT
by Alan B. Sterneckert

- Lists the key points in the establishment of a risk management program
- Examines critical asset identification, threat/vulnerability/information classification, disaster recovery planning, and restoration
- Details the steps needed to upgrade security policies and procedures
- Emphasizes the need for quick action to get security policies drafted, vetted, approved, and implemented
- Explores the importance of auditing a company's policies, procedures, standards, processes, and security plans
- Discusses the components of a critical incident response plan, including critical incident identification, investigation, reporting, and evidence collection
- Details the creation of an effective critical incident response team (CIRT)
- Analyzes successful ways to interface with law enforcement in response to economic espionage and the theft of intellectual property and/or trade secrets
- Provides insight into privacy issues and concerns within an organization

- - - - - - - -

“Most businesses are aware of the danger posed by malicious network intruders and other internal and external security threats. Unfortunately, in many cases the actions they have taken to secure people, information and infrastructure from outside attacks are inefficient or incomplete. Responding to security threats and incidents requires a competent mixture of risk management, security policies and procedures, security auditing, incident response, legal and law enforcement issues, and privacy.

“CRITICAL INCIDENT MANAGEMENT presents an expert overview of the elements that organizations need to address in order to prepare for and respond to network and information security violations. Written in a concise, practical style that emphasizes key points, this guide focuses on the establishment of policies and actions that prevent the loss of critical information or damage to infrastructure.

“CTOs, CFOs, Chief Legal Officers, and senior IT managers can rely on this book to develop plans that thwart critical security incidents. And if such incidents do occur, these executives will have a reference to help put the people and procedures in place to contain the damage and get back to business.”

- - - - - - -

CONTENTS

Preface
Risk Management
Policies and Procedures
Auditing
Critical Incident Response and CIRT Development
Legal Matters
Privacy
Appendices:
A Ports listing for numbers 1-1023
B RFC 2136-Systems Security
C Tools for critical incident management

- - - - - - -

EXCERPT FROM THE PREFACE

“You are probably reading the preface to see if the rest of the book merits your attention, so I am not going to disappoint you. This book presents those elements most organizations need to plan, prepare, and address critical incidents. Critical incident management requires forward thinking, shifting paradigms, and sometimes ruffling a few feathers. It involves deliberately refining business operations, not spouting business buzzwords while talking around the problem.

“Basically, your organization's systems can be defined in terms of its critical assets, meaning those assets required to continue profitably. Pursuing the organization's mission while safeguarding critical assets is the responsibility of every person connected with the enterprise, from the CEO to the parking lot attendant.

“The most critical assets in any organization are its people. Valuable employees are challenging to find and difficult to retain but the dividends last longer than the organization itself. They are the company's owners, partners, executives, managers, employees, contractors, interns, and temps.

“Data is the business' information, processes, customer lists, employee information, contracts, trade secrets, proprietary information, and intellectual property. In the structure of critical assets, it is ranked second.

“Do not let the term physical facilities fool you into thinking only of heating and air conditioning. Ranked third, they are a significant part of profitable operations. Physical facilities include office furniture, hardware, workstations, servers, cabling, software, and tangible and intangible items. All factors considered, for these system components to function together successfully requires a complex and well-coordinated dance.

“Many organizations spend vast amounts of their resources and capital dealing with outside system attackers; yet, the greatest financial harm originates from attacks inside the company. Although you have read of spectacular and well-publicized attacker events, the most costly, critical incidents originate from inside, e.g., avoidable lawsuits and intellectual property theft.

“Critical incident management is a balancing act involving an organization's risk management program, policies and procedures, auditing, critical incident response, legal and law enforcement issues, and privacy. Sometimes you feel like the circus performer who balances the spinning plates while standing on her head. In fact, critical incident management is a lot like playing basketball: the more you sweat before the game, the less you sweat during the game.

“You are going to read about matters of planning, preparation, execution, and learning from mistakes. In my experience, most organizations have been reluctant to take preparatory steps toward addressing potential damage caused by harmful events. Due to internal political pressures or poorly conceived programs, organizations spend their resources protecting "junk." It is not a matter of "if"; it is only a matter of "when" harmful events will happen.

“This book is written from an Information Technology (IT) perspective, and the reason is simple. We are completely and inexorably dependent on IT for everything in our lives. The concepts detailed here are not academic or theoretical. My intention is to speak plainly and clearly.

“This book will mention commercial, shareware, and freeware products. These are not recommendations; they are intended to serve merely as examples. There are new and better products announced daily, so look for products that might be directed toward your specific requirements.

“This is a practical book. In my experience, books requiring readers to remember small and seemingly insignificant paragraphs because important sections depend on them later confuse readers and cause them to become disinterested. I know I do. I have a redundant style of writing. I tell you what I am going to tell you, I tell you, and then I tell you what it was I told you (say that three times, quickly). This is not my invention; it was borrowed from some very good instructors I have had over the years.

“Experience Note When I was in the United States Air Force and subsequently at the Federal Bureau of Investigation, many times I sat in meetings where the person delivering the presentation seemed to be drowning in minutiae. After a moment, the ranking person would generally interrupt the speaker with a command to "get to the point." So that is the style in which I wrote this book; getting to the point and not wading through seas of trivia.

“Please note the book contains many bulleted lists, and exhibits in the form of tables and figures, constituting items to be incorporated into reports and other documents. The text intentionally emulates presentations in which the speaker knows the audience is knowledgeable of relevant topics and is providing meaningful instruction. Do not get confused when I constantly refer to employees. The term references anyone who has any type of regular access to an organization. Whether they are contractors, vendors, consultants, part-timers, interns, temporary employees, or unpaid family members (including your brother-in-law), they all fall under my broad category of employees.

“My view of enterprise includes any type of business structure, profit, not-for-profit, nonprofitable, barely profitable, and government agencies. The size and nature of your organization are not important for most of the chapters because the concepts are intended to be adaptable.

“Notice the paragraphs labeled Experience Notes. These are small but interesting
paragraphs to lighten your reading.

“I make reference to senior managers. They are the "C" levels of executives: CTO, CFO, CIO, CISO, CSO, Chief Legal Officers, Chief Network Administrators, Chief Auditors, and Senior Managers. This book is directed primarily to you.

“I avoid giving specific names, dates, and places. It is not my intention to harm or embarrass people for something they may have done or said.

“We live in a litigious world. Stockholders, employees, competitors, managers, executives, and government agencies are successfully suing organizations today.

“Litigation poses a serious risk, and wise managers are taking affirmative steps to close or at least minimize their exposures. One of the most viable defenses will be your ability to show due diligence in safeguarding your critical assets. This book provides steps you can implement to legally defend your actions.

“Experience Note I once had a professor that said, "anyone with $25 for a filing fee and a typewriter can file a lawsuit." He was right.

“I am going to make references to events taking place in the courts. Court decisions can negatively affect your organization and often can be avoided by demonstrating some professionalism and common sense. If you and your staff do not have legal knowledge, seek experts. You will be glad you did. Legal decisions can be anticipated and effectively addressed, but you have to consider them as manageable and not as merely unavoidable.

“Overall, the philosophy of this book is one where "an ounce of prevention is worth a pound of cure." I do not like professional surprises. I would rather deal with backed-up data than try to recover it from a devastated hard drive. I believe organizations must have proactive programs consisting of tested plans, developed and executed by trustworthy people, instead of chaotic alternatives. I am going to address these steps in each of the six chapters.

“The book begins with the need for establishing a risk management program, including elements of critical asset identification, threats, vulnerabilities, information classification, disaster recovery, and restoration. It may seem like a daunting task, and it is, but it is like eating an elephant - it is done one bite at a time. Take special note of the risk management section on dealing with the press; most organizations fail when they deal with press inquiries during crises.

“The second chapter deals with policies and procedures. Recently, there has been a surge of literature published about these subjects. Much of it has merit and will go a long way to improve your business' performance. More than one organization has been saved from the fires of ruin because of having well-developed policies and procedures. When reading about policies and procedures, do not get mired in definitions. Take the steps to get them drafted, vetted, approved, and implemented. Get the auditors to see to their adherence.

“Auditing is the third chapter. Auditors must look at policies, procedures, standards, processes, and the way organizations safeguard their critical assets. Saving your hard-earned assets is the name of the audit game.

“The fourth chapter deals with critical incident response. Identifying a critical incident, handling its investigation, reporting, and evidence collection will be covered. There are two overarching concepts in this chapter: do not perform evidence collections and examinations for which you do not have the expertise, and do not do anything that is going to alter the evidence. Here, I discuss the development of critical incident teams, including their structure, development, function, funding, and reporting requirements.

“Chapter 5 deals with the matter of law enforcement, what it can do, and how to deal with it. Computer-related crimes including economic espionage, theft of intellectual property, and trade secrets are described here.

“Completing the book is a chapter on privacy. Like it or not, it is the wave of the future. Depending on the activity, people are entitled to different levels of privacy; with that in mind, I am going to provide some insight into the reasonable expectations in this area.

“A little about me. Many years ago I spent some time dealing with secure electronic communications as part of my U.S. Air Force experience. At that time, communication networks were considered sophisticated, and they actually were if judged by the standards of their early years. I joined the Federal Bureau of Investigation, and for the next 24 years enjoyed many experiences while assigned to Dallas, New York City, San Juan, Puerto Rico, and Salt Lake City. Regardless of some opinions, I found the support employees, Special Agents of the FBI, and police officers in the trenches of law enforcement dedicated to preserving our freedoms. God bless them.”

- - - - - - -

ABOUT THE AUTHOR

“ALAN B. STERNECKERT is the owner and general manager of Risk Management Associates. A retired Special Agent, Federal Bureau of Investigation, Mr. Sterneckert is a professional specializing in critical incident and risk management, IT systems security, and systems auditing.

“During his 24-year tenure with the FBI, Mr. Sterneckert was responsible for many significant investigations into multi-national white collar crime and narcotics trafficking organizations. He was stationed in Dallas, New York, San Juan, and Salt Lake City.

“Before entering the FBI, he was a member of the U.S. Air Force, where he specialized in communications and information security.

“He graduated from Weber State University (B.A.) and Long Island University (M.S.). He holds the following professional certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and Certified Fraud Examiner (CFE).

“When not consulting or writing, he can be found fishing for Arctic grayling and cutthroat trout.”

- - - - - - -
2003, 552 pages. Order #DR721.
- - - - - - -


Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com