Step No. 4: Dealing Effectively with Corporate Management

Picking up the phone to call the C-level suite ranks as the most delicate part of a security team's communications plan. Discernment is crucial in deciding when and how to inform the powers that be. Top executives need to be in the security loop, but the sky will fall on the security officer who issues one too many false alarms.
The false-alarm rate reported to business people has to be low for the security team to be taken seriously. If a security shop warns erroneously more than twice a year, people tend to ignore the next warning. The experience and intuition of the security manager play a major role, along with knowing what is of interest to senior executives and what is not. The University of Georgia's triage team always assesses the scope and severity of an incident before contacting higher-ups. M&T Bank ranks incident severity on a 1-to-4 scale, with Level 1 deemed the most critical. A Level 1 incident must involve at least one of the following: unauthorized disclosure, modification, destruction or deletion of sensitive information or data; disruption of business continuity and critical business processes or communication; an impact on the long-term public perception of the organization; or identity theft of an individual or group. In response to a Level 1 incident, the manager of the resources involved is instructed to cease use of the resources until the bank's incident response coordinator makes contact and provides further instruction.
At New York Presbyterian Hospital, an incident's priority rises as a particular network segment becomes sluggish, and escalates to the point where a complete disruption of service must be reported. At the health-care facility, any incident that could potentially affect patient care must be communicated upward as well. All incidents get reported, but not at the level of individual viruses and not every day.
At Pitney Bowes, context counts. An attack involving one application may sound small, but if that application is a key enterprise system that impacts many people, it may become a need-to-know incident. Incidents judged not to rate the C-level executives’ immediate attention are periodically summarized and presented to them in a group.
Some security professionals provide an incident summary to a board-level committee of senior executives every six months. The summary includes the number of incidents by category, including unauthorized access, disclosure, usage or destruction; loss or theft of information or equipment containing information; service disruptions; and copyright or trademark infringements. Incidents are further classified by impact and severity. To ensure reasonably smooth communication in a crisis, security groups need to open a channel of communication with management before one occurs. Having an established foundation for dialogue is crucial to the security officer's effectiveness in the normal course of business, and more so in an emergency, security experts say. They also tout a close relationship with the top brass as critical for maintaining a healthy security budget and a corporate culture that values security. There is tremendous turnover among chief information security officers, with some former security officers insisting they won't take that assignment again. But some security officers have established solid executive-level ties.
But there are several reasons why C-level executives may ignore the chief information security officer, including lack of trust in the individual and a perception that security managers are "inhibitors or disablers."

Regulatory compliance issues have pulled at least some senior executives into the information-technology security camp. Sarbanes-Oxley, which demands documented risk-management processes, has forged a much closer relationship between the chief financial officer and the security team than existed before. That close relationship tends to exist where chief financial officers have familiarized themselves with their security group's processes and systems and have invested considerably in technology to address risk issues related to information-technology security.
Security managers, for their part, have been working to build closer links not just to executive management but to all levels of an organization. Good communications and partnerships within the business are among the biggest boons to a successful security strategy. Having liaisons working with a company's technology and software-development teams helps in maintaining contacts in key business units and subsidiaries. For example, a security group's outreach could be as simple as bouncing ideas for new security policies or technologies off business-unit representatives. The group may also provide assistance in implementing a security system.
Collaboration between the application and security groups means that security controls are embedded in software from the beginning, as opposed to being retrofitted after development. The corporate legal department and public affairs shop are two other groups beyond the C-level that might be notified about incidents.
The corporate groups, in turn, will likely have advice for the security team. The University of Georgia maintains a security advisory council with representatives from the human-resources, legal, internal audit, and public affairs departments. The university’s Chief Information Officer also serves on the council, which offers guidance on security policies and standards, and acts in an advisory capacity during an incident.
Tone is important in building cooperation between security and other business units. Information-technology security professionals must be good at getting people's attention in a positive way. Further, they must develop positive ways to share information on security issues and explain to the application-development team or the infrastructure team, for example, how those issues may affect them. Security carries a negative connotation, and corporate security groups at some companies have a "Big Brother" image. Some groups build consensus rather than dictate security directives because they want the business to see the security team not as a roadblock, but as a security-minded business partner.
The university environment, in particular, demands communication and consensus-building, because higher education is very slow to change. It is extremely difficult to turn that ship around if it does not want to be turned around. Some security professionals find it easier and more productive to foster and build relationships with students, faculty and staff before trying to do so with department heads.
Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, you