WEBVTT

0:00:04.640000 --> 0:00:06.700000
 Incident Response Policy.

0:00:06.700000 --> 0:00:08.300000
 So welcome everyone.

0:00:08.300000 --> 0:00:13.460000
 In this video, we're going to be taking
 a look at one of the first components

0:00:13.460000 --> 0:00:20.140000
 involved in the preparation phase of
 incident response, more specifically

0:00:20.140000 --> 0:00:22.860000
 time to, you know, processes.

0:00:22.860000 --> 0:00:27.000000
 If you remember in the previous video,
 we sort of went through, or I sort

0:00:27.000000 --> 0:00:29.980000
 of gave you a framework for looking
 at the preparation phase.

0:00:29.980000 --> 0:00:37.020000
 And, you know, in that particular case,
 as is the case in this video,

0:00:37.020000 --> 0:00:42.060000
 we were approaching it from the perspective
 of people, processes and technology.

0:00:42.060000 --> 0:00:48.280000
 So, as I mentioned, we're taking a particular
 focus on the processes and

0:00:48.280000 --> 0:00:54.300000
 one of the first aspects or elements of,
 you know, preparing or preparation

0:00:54.300000 --> 0:00:59.960000
 in regards to processes is creating or
 coming up with an incident response.

0:00:59.960000 --> 0:01:02.080000
 So, we're going to be taking a particular
 response policy, which is slightly

0:01:02.080000 --> 0:01:06.280000
 different, or I should say, you know,
 significantly different in terms

0:01:06.280000 --> 0:01:11.180000
 of its objectives in comparison
 to an incident response plan.

0:01:11.180000 --> 0:01:15.280000
 But, you know, I don't want to
 get on, on to a tangent there.

0:01:15.280000 --> 0:01:18.640000
 Let's get started, you know,
 by sort of setting the stage.

0:01:18.640000 --> 0:01:23.500000
 So, in the context of the preparation
 phase of incident response, processes

0:01:23.500000 --> 0:01:28.940000
 refer to the formalized, documented
 and repeatable procedures that guide

0:01:28.940000 --> 0:01:33.680000
 how an organization will detect, respond
 to and recover from security

0:01:33.680000 --> 0:01:38.340000
 incidents. These processes serve as the
 backbone of the incident response

0:01:38.340000 --> 0:01:43.060000
 function or service, as it were, ensuring
 that response efforts are not

0:01:43.060000 --> 0:01:44.720000
 improvised, right?

0:01:44.720000 --> 0:01:49.300000
 But structured, coordinated and aligned
 with business goals and regulatory

0:01:49.300000 --> 0:01:54.840000
 requirements. So, the final sentence
 there, or clause, as it were, sort

0:01:54.840000 --> 0:01:59.100000
 of outlines what the objective of
 the incident response policy is.

0:01:59.100000 --> 0:02:02.880000
 So, you know, structured, coordinated
 and aligned with business goals

0:02:02.880000 --> 0:02:04.880000
 and regulatory requirements.

0:02:04.880000 --> 0:02:09.780000
 So, let's actually, as I mentioned,
 it's one of the components of the,

0:02:09.780000 --> 0:02:14.620000
 you know, of processes in
 the preparation phase.

0:02:14.620000 --> 0:02:18.460000
 We, of course, then have the incident
 response plan, playbooks and runbooks,

0:02:18.460000 --> 0:02:22.860000
 incident classification and severity
 models or frameworks, escalation

0:02:22.860000 --> 0:02:26.700000
 and notification procedures, and then,
 you know, post incident review

0:02:26.700000 --> 0:02:30.560000
 procedures. And then, of course, we have
 technology, but we'll cover that

0:02:30.560000 --> 0:02:33.440000
 as we, you know, as in
 when we get to that.

0:02:33.440000 --> 0:02:43.600000
 So, sort of summarizing my points
 in regards to the previous slides.

0:02:43.600000 --> 0:02:49.020000
 In the preparation phase, processes
 are the documented structures that

0:02:49.020000 --> 0:02:52.780000
 guide how people operate and
 our technology is used.

0:02:52.780000 --> 0:02:57.680000
 They ensure that the organization isn't
 just capable of responding, but

0:02:57.680000 --> 0:03:03.180000
 prepared to respond in a coordinated,
 repeatable and effective way.

0:03:03.180000 --> 0:03:06.120000
 So, that brings us to the
 incident response policy.

0:03:06.120000 --> 0:03:08.640000
 So, what is an incident response policy?

0:03:08.640000 --> 0:03:11.800000
 An incident response policy
 is a foundational document.

0:03:11.800000 --> 0:03:16.960000
 The keyword is foundational because,
 again, it serves as the foundation

0:03:16.960000 --> 0:03:22.720000
 or the basis for the incident response
 program or the incident response

0:03:22.720000 --> 0:03:28.660000
 capability. So, it essentially outlines
 an organization's strategy and

0:03:28.660000 --> 0:03:33.440000
 procedures for detecting, responding
 to and recovering from cybersecurity

0:03:33.440000 --> 0:03:38.500000
 incidents. To make it even simpler to
 understand, it serves as a blueprint

0:03:38.500000 --> 0:03:42.960000
 for managing incidents effectively, ensuring
 that all stakeholders understand

0:03:42.960000 --> 0:03:45.380000
 their roles and responsibilities.

0:03:45.380000 --> 0:03:49.140000
 So, this is, you know, pretty much
 at the starting point, you know, in

0:03:49.140000 --> 0:03:54.860000
 terms of formalizing your incident response,
 you know, your incident response

0:03:54.860000 --> 0:03:57.300000
 capabilities or program
 within an organization.

0:03:57.300000 --> 0:04:02.060000
 So, the next question or a question
 that, you know, might have sprung

0:04:02.060000 --> 0:04:05.700000
 up in your mind is what exactly does
 it contain because those descriptions

0:04:05.700000 --> 0:04:10.700000
 are a little bit too vague as to what
 this document should contain.

0:04:10.700000 --> 0:04:15.380000
 Well, I've sort of generalized here
 the, you know, the various sections

0:04:15.380000 --> 0:04:19.840000
 or the elements that need to be included
 in the policy and, you know,

0:04:19.840000 --> 0:04:25.280000
 roughly speaking, although not, you
 know, not 100% accurate, the order

0:04:25.280000 --> 0:04:26.460000
 in which they would appear.

0:04:26.460000 --> 0:04:31.680000
 And I'll give you examples that will sort
 of back up, you know, this particular

0:04:31.680000 --> 0:04:35.760000
 structure. So, firstly, you know, beginning
 of the document, you have

0:04:35.760000 --> 0:04:37.360000
 the purpose and scope, right?

0:04:37.360000 --> 0:04:41.360000
 So, this is where you define the objectives
 of the policy and the systems

0:04:41.360000 --> 0:04:45.180000
 data and personnel it covers, which
 is very important, right?

0:04:45.180000 --> 0:04:49.420000
 So, you essentially state, you know,
 what the objectives of the incident

0:04:49.420000 --> 0:04:53.440000
 response program is or are.

0:04:53.440000 --> 0:04:57.920000
 And then you essentially say, okay,
 these are the goals and this is what

0:04:57.920000 --> 0:05:03.060000
 we're protecting or this is what, you
 know, where this, you know, the

0:05:03.060000 --> 0:05:08.500000
 systems data and personnel that, you
 know, these, these objectives and

0:05:08.500000 --> 0:05:10.020000
 compass as it were.

0:05:10.020000 --> 0:05:15.420000
 Or, you know, the actual
 scope of your policy.

0:05:15.420000 --> 0:05:17.520000
 You then have definitions, right?

0:05:17.520000 --> 0:05:19.080000
 So, this is very important.

0:05:19.080000 --> 0:05:23.060000
 A lot of policies don't include this,
 but I find that it is extremely

0:05:23.060000 --> 0:05:27.340000
 important, especially in large organizations,
 not even in large.

0:05:27.340000 --> 0:05:32.540000
 It's not limited to large organizations,
 but the reason definitions of

0:05:32.540000 --> 0:05:37.600000
 terms are so important is so that everyone
 in the organization or the

0:05:37.600000 --> 0:05:42.360000
 company is aligned with regards to, you
 know, what each word or each term

0:05:42.360000 --> 0:05:46.320000
 means. You know, with 100% accuracy.

0:05:46.320000 --> 0:05:51.540000
 So, this is where you clarify terminology,
 such as a security incident,

0:05:51.540000 --> 0:05:55.800000
 a breach and a vulnerability to ensure
 a common understanding, but more

0:05:55.800000 --> 0:05:59.400000
 importantly to, you know, dissolve.

0:05:59.400000 --> 0:06:05.360000
 Or to remove any misunderstanding,
 you know, especially when terms or

0:06:05.360000 --> 0:06:11.100000
 definitions are, you know, closely related
 or may overlap, you know, outlining

0:06:11.100000 --> 0:06:14.780000
 definitions of terms used in the policy
 as well as, you know, ones that

0:06:14.780000 --> 0:06:15.980000
 will be used in your.

0:06:15.980000 --> 0:06:20.260000
 IR plan or the program as
 a whole is very important.

0:06:20.260000 --> 0:06:23.400000
 You then have a section dedicated
 to roles and responsibilities.

0:06:23.400000 --> 0:06:25.760000
 This is equally as important.

0:06:25.760000 --> 0:06:31.560000
 In fact, everything in the document is
 important, but, you know, it, it's

0:06:31.560000 --> 0:06:33.560000
 quite obvious why this
 would be important.

0:06:33.560000 --> 0:06:37.600000
 So, this is where you identify the
 incident response team members and

0:06:37.600000 --> 0:06:39.560000
 their specific duties during an incident.

0:06:39.560000 --> 0:06:43.920000
 And we've already covered the people
 aspect of the preparation phase.

0:06:43.920000 --> 0:06:46.620000
 You know, we took a look at
 the various models, the IRT

0:06:46.620000 --> 0:06:50.820000
 models, their names, the roles
 and responsibilities, as well as

0:06:50.820000 --> 0:06:57.000000
 the, you know, incident response team
 responsibility matrix where we took

0:06:57.000000 --> 0:06:59.640000
 a look at a RACI specifically.

0:06:59.640000 --> 0:07:02.220000
 And so that would actually feature here.

0:07:02.220000 --> 0:07:06.240000
 You would use something like a RACI
 chart or a RACI matrix to outline,

0:07:06.240000 --> 0:07:09.080000
 you know, who does what, but
 it's, you know, it goes.

0:07:09.080000 --> 0:07:13.300000
 It's a bit more detailed than that in
 that you start off by defining the

0:07:13.300000 --> 0:07:17.260000
 roles. So again, this is something
 we took a look at previously.

0:07:17.260000 --> 0:07:21.320000
 So you say there's an incident
 response manager or team lead.

0:07:21.320000 --> 0:07:23.640000
 We then have the incident responder.

0:07:23.640000 --> 0:07:28.120000
 We have a forensic analyst, a, you
 know, threat intelligence analyst,

0:07:28.120000 --> 0:07:28.940000
 a threat hunter.

0:07:28.940000 --> 0:07:32.700000
 You essentially define, you know,
 what makes up your team.

0:07:32.700000 --> 0:07:36.900000
 And then you start, you then define
 the roles and responsibilities or

0:07:36.900000 --> 0:07:40.200000
 that I should say the responsibilities
 using something like a RACI chart

0:07:40.200000 --> 0:07:45.300000
 or matrix. You then have incident classification
 again, very, very important.

0:07:45.300000 --> 0:07:49.640000
 So this is where you establish criteria
 for categorizing incidents based

0:07:49.640000 --> 0:07:51.320000
 on severity and impact.

0:07:51.320000 --> 0:07:55.640000
 We took a look at this to a certain
 extent in the previous course where

0:07:55.640000 --> 0:07:59.060000
 we were, you know, taking a look at
 security operations centers and, you

0:07:59.060000 --> 0:08:05.160000
 know, what type of incident or I should
 say classification, they utilize

0:08:05.160000 --> 0:08:09.320000
 as well as, you know, I think to a certain
 extent, we covered it for incident

0:08:09.320000 --> 0:08:12.260000
 response, but we'll be covering
 it in this course as well.

0:08:12.260000 --> 0:08:15.820000
 This is very important so that again,
 everyone is aligned with regards

0:08:15.820000 --> 0:08:23.780000
 to, you know, the severity level of the
 classification of incidents based

0:08:23.780000 --> 0:08:25.500000
 on their severity.

0:08:25.500000 --> 0:08:29.280000
 So everyone should know, you know, as
 part of the IR team specifically,

0:08:29.280000 --> 0:08:35.480000
 but even generally what type of severity
 is given or assigned to, let's

0:08:35.480000 --> 0:08:40.840000
 say, a, a phishing email
 or something like that.

0:08:40.840000 --> 0:08:43.640000
 So, you know, that needs to be clarified.

0:08:43.640000 --> 0:08:48.500000
 And then you have your communication
 plan again, important, extremely

0:08:48.500000 --> 0:08:53.000000
 important. So this is where you detail
 the internal and external communication

0:08:53.000000 --> 0:08:58.860000
 protocols, including notification requirements
 to stakeholders and authorities.

0:08:58.860000 --> 0:09:02.620000
 So this is where you sort of define,
 you know, what the communication

0:09:02.620000 --> 0:09:09.420000
 plans and protocols tools, you know,
 what they are, what the communication

0:09:09.420000 --> 0:09:12.100000
 will look like in reality.

0:09:12.100000 --> 0:09:16.220000
 And of course, this ties in very closely
 to roles and responsibilities

0:09:16.220000 --> 0:09:21.840000
 and who should be informed, who should
 be consulted, so on and so forth.

0:09:21.840000 --> 0:09:23.880000
 You then have training and awareness.

0:09:23.880000 --> 0:09:25.180000
 Now, this is not that important.

0:09:25.180000 --> 0:09:28.120000
 And it's something that's most likely
 going to be added as the organization

0:09:28.120000 --> 0:09:34.540000
 continues to mature or the incident response
 program continues to mature.

0:09:34.540000 --> 0:09:38.480000
 So this is where you emphasize the
 importance of regular training and

0:09:38.480000 --> 0:09:42.200000
 awareness programs to prepare
 staff for potential incidents.

0:09:42.200000 --> 0:09:47.180000
 You know, typically when this is already
 defined, it sort of, you know,

0:09:47.180000 --> 0:09:55.160000
 defines training as well as opportunities
 for upskilling or skills development

0:09:55.160000 --> 0:09:59.920000
 and various ways to assess, you know,
 knowledge, skills and abilities

0:09:59.920000 --> 0:10:03.880000
 of various members of the
 incident response team.

0:10:03.880000 --> 0:10:09.820000
 And then finally, you know, like any formalized
 document within an organization,

0:10:09.820000 --> 0:10:13.480000
 you're always going to have a document
 control section or a section dedicated

0:10:13.480000 --> 0:10:17.900000
 to this, you know, would either be at
 the top of the document or at the

0:10:17.900000 --> 0:10:21.940000
 bottom. It really depends on what organization
 you're working for or the,

0:10:21.940000 --> 0:10:23.740000
 you know, the region you're based in.

0:10:23.740000 --> 0:10:28.480000
 But this is where you essentially have
 a document revision table that

0:10:28.480000 --> 0:10:31.620000
 outlines, you know, what version of
 the document this is, the one you're

0:10:31.620000 --> 0:10:37.280000
 reading. And sort of a change log of
 all, you know, previous changes right

0:10:37.280000 --> 0:10:40.740000
 to the initial draft or right, you
 know, from the initial draft.

0:10:40.740000 --> 0:10:44.800000
 So this is where you specify the frequency
 and process for reviewing and

0:10:44.800000 --> 0:10:48.880000
 updating the policy to adapt to evolving
 threats and organizational changes.

0:10:48.880000 --> 0:10:54.120000
 So you say, every four months, every
 quarter or every, you know, mid year,

0:10:54.120000 --> 0:10:57.180000
 we're going to, this is going
 to be reviewed and updated.

0:10:57.180000 --> 0:10:59.320000
 The review is sort of mandatory.

0:10:59.320000 --> 0:11:03.360000
 It doesn't matter or not really important
 whether changes are made, but

0:11:03.360000 --> 0:11:07.060000
 constantly reviewing the
 policy is very important.

0:11:07.060000 --> 0:11:12.480000
 And this is where, you know, from the
 incident response process or life

0:11:12.480000 --> 0:11:16.380000
 cycle, the lessons learned phase, which
 is usually the end feeds back

0:11:16.380000 --> 0:11:17.420000
 into the policy.

0:11:17.420000 --> 0:11:21.860000
 So if you learn something new and the
 improvements to be made after an

0:11:21.860000 --> 0:11:25.820000
 incident, then that goes directly back
 into the policy when it's review

0:11:25.820000 --> 0:11:28.440000
 time, right, and updates are made.

0:11:28.440000 --> 0:11:31.700000
 And then you have a new version, right,
 but the key thing is you can see

0:11:31.700000 --> 0:11:37.880000
 sort of the chain of changes right
 from the initial draft, especially

0:11:37.880000 --> 0:11:40.220000
 if you have, you know, proper
 document management.

0:11:40.220000 --> 0:11:45.660000
 In any case, that's what an
 incident response policy.

0:11:45.660000 --> 0:11:50.200000
 That's what it would contain typically
 in terms of the sections and the

0:11:50.200000 --> 0:11:56.940000
 structure. And I've provided or I have
 added a section to these to this

0:11:56.940000 --> 0:12:01.620000
 slide deck that, you know, the end that
 contains various incident response

0:12:01.620000 --> 0:12:03.420000
 policy templates.

0:12:03.420000 --> 0:12:06.460000
 I should say these are more
 than just templates.

0:12:06.460000 --> 0:12:08.180000
 They're also examples.

0:12:08.180000 --> 0:12:11.400000
 And I've sort of provided you with a
 wide array of examples so that you

0:12:11.400000 --> 0:12:15.900000
 can actually see what these similarities
 are in terms of, you know, based

0:12:15.900000 --> 0:12:20.320000
 on the structure that I outlined here,
 what is common amongst them all.

0:12:20.320000 --> 0:12:25.040000
 And where you, you know, you have examples
 of a, you know, very good or

0:12:25.040000 --> 0:12:29.100000
 very detailed policy and where you
 have, you know, very basic ones.

0:12:29.100000 --> 0:12:33.540000
 But key point here is that these, at
 least in the case of the first two,

0:12:33.540000 --> 0:12:37.860000
 these are sort of boilerplate templates
 as it were that provide you with

0:12:37.860000 --> 0:12:41.400000
 the sections when you sort of have
 to fill in the information.

0:12:41.400000 --> 0:12:47.340000
 The last two, the Center for Internet
 Security CIS incident response policy

0:12:47.340000 --> 0:12:49.300000
 template is very, very good.

0:12:49.300000 --> 0:12:51.460000
 I personally use that as a basis.

0:12:51.460000 --> 0:12:57.680000
 I also like the ICIMS incident response
 policy and procedures document,

0:12:57.680000 --> 0:12:59.040000
 which is essentially a PDF.

0:12:59.040000 --> 0:13:01.020000
 It's not really a template.

0:13:01.020000 --> 0:13:05.120000
 But this one is, you know, pretty much
 represents, at least in my mind,

0:13:05.120000 --> 0:13:10.840000
 a very good idea of what a completed incident
 response policy and procedures

0:13:10.840000 --> 0:13:21.300000
 document would look like.

0:13:21.300000 --> 0:13:25.580000
 Into my browser and will actually go
 through pretty much all of them.

0:13:25.580000 --> 0:13:30.640000
 And I'll sort of highlight a couple of
 important aspects of some of them.

0:13:30.640000 --> 0:13:34.100000
 But it's very important that, you know,
 you regardless of whether you

0:13:34.100000 --> 0:13:38.120000
 already are, or you want to become an
 incident responder that you go through

0:13:38.120000 --> 0:13:42.040000
 these documents so that, again, you're
 not caught unaware, as it were.

0:13:42.040000 --> 0:13:45.600000
 When you walk into an organization, you
 give them these policy documents,

0:13:45.600000 --> 0:13:50.200000
 you should be able to understand, you
 know, where you should read or what

0:13:50.200000 --> 0:13:51.380000
 you should read first.

0:13:51.380000 --> 0:13:55.020000
 Typically, it's going to be the roles
 and responsibilities because when

0:13:55.020000 --> 0:13:58.760000
 you, you know, join a company for the
 first time, they typically, again,

0:13:58.760000 --> 0:14:02.460000
 if it's an established organization
 will give you a set of policies that

0:14:02.460000 --> 0:14:03.480000
 you need to read through.

0:14:03.480000 --> 0:14:07.320000
 And the ones relevant to your team
 or your process that you're serving

0:14:07.320000 --> 0:14:11.140000
 like incident response
 will be very important.

0:14:11.140000 --> 0:14:14.760000
 And if you know what to look out for,
 then, you know, you'll be good to

0:14:14.760000 --> 0:14:16.740000
 go. In any case, I'm talking too much.

0:14:16.740000 --> 0:14:21.020000
 So let me switch over into my browser
 and we'll go through them together.

0:14:21.020000 --> 0:14:27.260000
 All right. So I'm currently on my, I'm
 currently in my browser and I've

0:14:27.260000 --> 0:14:30.640000
 opened up the links that I added to
 the slides and we're starting off

0:14:30.640000 --> 0:14:35.640000
 with the FRSecure incident response
 policy template and you can download

0:14:35.640000 --> 0:14:41.480000
 a free copy. And it's pretty much,
 you know, listed out, you know, in

0:14:41.480000 --> 0:14:44.460000
 terms of the basic structure right
 over here on the web page itself.

0:14:44.460000 --> 0:14:47.520000
 So you don't have to download
 the word document.

0:14:47.520000 --> 0:14:49.140000
 These documents are safe.

0:14:49.140000 --> 0:14:52.160000
 I can confirm as of recording this video.

0:14:52.160000 --> 0:14:54.720000
 So I actually have them opened up here.

0:14:54.720000 --> 0:14:59.100000
 So let me go ahead and
 see if I can find this.

0:14:59.100000 --> 0:15:03.900000
 So in this particular case,
 this would be the one here.

0:15:03.900000 --> 0:15:08.220000
 So this is the incident management
 policy template.

0:15:08.220000 --> 0:15:12.280000
 Sorry, the incident response
 policy template.

0:15:12.280000 --> 0:15:14.700000
 Let me just go into my downloads here.

0:15:14.700000 --> 0:15:20.080000
 Let me close all of my sessions up and
 the one that I want to go through

0:15:20.080000 --> 0:15:21.840000
 this. This is the first one here.

0:15:21.840000 --> 0:15:23.580000
 That's the FRSecure one.

0:15:23.580000 --> 0:15:28.620000
 So I'm just going to open this
 up and let's take a look at it.

0:15:28.620000 --> 0:15:32.040000
 And then let's see, you know,
 how this is sorted.

0:15:32.040000 --> 0:15:36.680000
 And I'm primarily going to be focusing
 on the structure and, you know,

0:15:36.680000 --> 0:15:38.200000
 the various sections included.

0:15:38.200000 --> 0:15:43.220000
 So as I mentioned, you know, you can
 see that the document control section

0:15:43.220000 --> 0:15:46.960000
 is at the top in this particular case
 where you have the version, the

0:15:46.960000 --> 0:15:48.640000
 status. So is it a working draft?

0:15:48.640000 --> 0:15:50.580000
 Has it gone through approval?

0:15:50.580000 --> 0:15:51.760000
 Has it been approved?

0:15:51.760000 --> 0:15:52.960000
 And is it adopted?

0:15:52.960000 --> 0:15:54.100000
 Very, very important.

0:15:54.100000 --> 0:15:58.220000
 Something I didn't include in the slides,
 but better for you to see, you

0:15:58.220000 --> 0:16:00.460000
 know, in a real world example.

0:16:00.460000 --> 0:16:03.440000
 So the document owner, that's
 also very important.

0:16:03.440000 --> 0:16:07.340000
 You know, it specifies who's responsible
 for managing this document, the

0:16:07.340000 --> 0:16:08.820000
 updates, revisions, etc.

0:16:08.820000 --> 0:16:11.820000
 And then when it was last reviewed,
 as I mentioned in the slides.

0:16:11.820000 --> 0:16:16.280000
 So incident management policy, so you
 can see you have the purpose or,

0:16:16.280000 --> 0:16:17.900000
 you know, the objectives.

0:16:17.900000 --> 0:16:21.360000
 This is, you know, that you can use these
 terms interchangeably, but this

0:16:21.360000 --> 0:16:22.800000
 is what you typically see.

0:16:22.800000 --> 0:16:26.480000
 So the purpose of the, you know, you
 have the company name placeholder.

0:16:26.480000 --> 0:16:29.540000
 Incident management policy is to describe
 the requirements for dealing

0:16:29.540000 --> 0:16:31.760000
 with information security incident.

0:16:31.760000 --> 0:16:34.060000
 So you then have the audience.

0:16:34.060000 --> 0:16:35.740000
 So the incident management policy.

0:16:35.740000 --> 0:16:39.560000
 And again, the areas highlighted in
 gray are areas that you can change

0:16:39.560000 --> 0:16:40.900000
 because this is a template.

0:16:40.900000 --> 0:16:44.500000
 So the incident management policy applies
 to executive management and

0:16:44.500000 --> 0:16:48.220000
 other individuals responsible for protecting
 company name information

0:16:48.220000 --> 0:16:50.940000
 resources. Then you have
 the contents here.

0:16:50.940000 --> 0:16:53.080000
 So this is where the policy begins.

0:16:53.080000 --> 0:16:57.260000
 So the incident handling team or incident
 response team pretty much the

0:16:57.260000 --> 0:17:01.800000
 same thing, but you need to define
 what this team is and what they're

0:17:01.800000 --> 0:17:02.760000
 responsible for.

0:17:02.760000 --> 0:17:07.180000
 So in this case, you can see an incident
 handling team, IHT, will be established.

0:17:07.180000 --> 0:17:12.300000
 It will consist of legal experts, risk
 managers and other department managers

0:17:12.300000 --> 0:17:15.480000
 that should be involved in decisions
 related to incident response.

0:17:15.480000 --> 0:17:23.180000
 So very, very succinct, very clear,
 you know, what the team is who the

0:17:23.180000 --> 0:17:37.720000
 team comprises and more importantly
 what they'll be responsible for.

0:17:37.720000 --> 0:17:38.520000
 That's the reason.

0:18:07.120000 --> 0:18:09.880000
 In the response team, you can see an
 incident response commander will be

0:18:09.880000 --> 0:18:14.060000
 appointed to oversee and direct the company's
 incident response activities.

0:18:14.060000 --> 0:18:17.200000
 The incident response commander will
 assemble and oversee a cyber security

0:18:17.200000 --> 0:18:19.680000
 incident response team, CSIRT.

0:18:19.680000 --> 0:18:23.540000
 The CSIRT will respond to identified
 cyber security incidents following

0:18:23.540000 --> 0:18:27.280000
 the incident response plan, which
 we'll get into in the next video.

0:18:27.280000 --> 0:18:32.120000
 The incident response commander or team
 lead manager, again, these role

0:18:32.120000 --> 0:18:36.120000
 names are going to be different, but
 generally speaking responsible for

0:18:36.120000 --> 0:18:39.860000
 the same thing. So the incident response
 commander or team lead is responsible

0:18:39.860000 --> 0:18:45.660000
 for appropriately reporting
 incidents to the CIO or IHT.

0:18:45.660000 --> 0:18:50.700000
 The incident handling team and the
 chief information officer or that's

0:18:50.700000 --> 0:18:52.240000
 one thing that I don't like.

0:18:52.240000 --> 0:18:58.220000
 That vagueness as to or it's generally
 speaking should be one.

0:18:58.220000 --> 0:19:01.660000
 Again, I know this is just a template,
 but it's very good for you to go

0:19:01.660000 --> 0:19:05.620000
 through these. And then you have the
 incident response plan, incident

0:19:05.620000 --> 0:19:09.320000
 reporting, notification and communication,
 all of the sections that I

0:19:09.320000 --> 0:19:12.440000
 outlined in the slides
 and then definitions.

0:19:12.440000 --> 0:19:16.920000
 In this case, definitions is included
 last or, you know, pretty much as

0:19:16.920000 --> 0:19:20.840000
 part of, you know, some
 sort of a glossary.

0:19:20.840000 --> 0:19:24.440000
 And at the bottom, you have
 the version control.

0:19:24.440000 --> 0:19:29.240000
 So you can see this, this version of the
 policy or this document is version

0:19:29.240000 --> 0:19:34.220000
 1.0.0 is modified last September, 2020.

0:19:34.220000 --> 0:19:37.220000
 Of course, you know, it needs to
 be a bit more specific than that.

0:19:37.220000 --> 0:19:41.560000
 When it was approved, who it is approved
 by and the reason or comments,

0:19:41.560000 --> 0:19:45.760000
 this would be document origination
 means this is the initial draft.

0:19:45.760000 --> 0:19:48.040000
 In any case, that's one example.

0:19:48.040000 --> 0:19:55.780000
 We then have the PurpleSec incident
 response policy template, which is

0:19:55.780000 --> 0:19:58.720000
 another good one that I like as well.

0:19:58.720000 --> 0:20:03.880000
 Although the structure again, in this
 particular case is done in accordance

0:20:03.880000 --> 0:20:06.460000
 with what we have in the slides,
 generally speaking.

0:20:06.460000 --> 0:20:09.380000
 So you have the purpose
 objectives as it were.

0:20:09.380000 --> 0:20:13.900000
 So the document defines the policy and
 establishes the procedure for the

0:20:13.900000 --> 0:20:17.420000
 identification, remediation, analysis
 and prevention of security incidents

0:20:17.420000 --> 0:20:21.760000
 relating to compromise or breach of
 protected information and related

0:20:21.760000 --> 0:20:24.080000
 systems at company name.

0:20:24.080000 --> 0:20:25.840000
 You then have the scope.

0:20:25.840000 --> 0:20:28.900000
 In this case, the scope
 is actually included.

0:20:28.900000 --> 0:20:32.640000
 You know, we didn't see that
 in the previous example.

0:20:32.640000 --> 0:20:35.320000
 And then the policy here, and then
 we have roles and responsibilities

0:20:35.320000 --> 0:20:38.060000
 being laid out very, very clearly.

0:20:38.060000 --> 0:20:43.480000
 And then you have procedures, which again,
 this is something you had seen

0:20:43.480000 --> 0:20:46.640000
 very well defined policies.

0:20:46.640000 --> 0:20:50.860000
 And it doesn't mean that you need to
 have these procedures laid out in

0:20:50.860000 --> 0:20:52.620000
 the beginning or in the first draft.

0:20:52.620000 --> 0:20:56.520000
 But again, we're just going through this
 so that you have an idea of what

0:20:56.520000 --> 0:20:58.760000
 they look like or what these
 policies look like.

0:20:58.760000 --> 0:21:03.080000
 And then we have the one that I personally
 like, which is the CIS incident

0:21:03.080000 --> 0:21:06.220000
 response management policy template.

0:21:06.220000 --> 0:21:08.540000
 Again, link is in the slides.

0:21:08.540000 --> 0:21:10.660000
 This is the website right over here.

0:21:10.660000 --> 0:21:14.420000
 And it's fairly recent, published in 2023.

0:21:14.420000 --> 0:21:18.400000
 So, you know, this one is sort
 of sorted the way I like it.

0:21:18.400000 --> 0:21:19.900000
 Of course, you can disregard that.

0:21:19.900000 --> 0:21:23.080000
 And then you have right
 over here the purpose.

0:21:23.080000 --> 0:21:25.340000
 And then there's sort of
 a definition of terms.

0:21:25.340000 --> 0:21:29.960000
 So you can see a distinction is made
 between the between what an event

0:21:29.960000 --> 0:21:31.120000
 is and an incident.

0:21:31.120000 --> 0:21:34.980000
 This is very, very important so that
 you're actually aware of, you know,

0:21:34.980000 --> 0:21:40.220000
 how the company or what the company
 considers an event or an incident.

0:21:40.220000 --> 0:21:43.200000
 And then you have the scope over here.

0:21:43.200000 --> 0:21:47.420000
 And then the incident response plan
 life cycle has also been added here

0:21:47.420000 --> 0:21:48.920000
 to aid in understanding.

0:21:48.920000 --> 0:21:52.080000
 And then you have the incident response
 plan, which is sort of outlined

0:21:52.080000 --> 0:21:56.240000
 here as well, which generally would
 be outlined in its own document.

0:21:56.240000 --> 0:21:58.940000
 That's what you'd call the incident
 response plan, which is a little bit

0:21:58.940000 --> 0:22:05.740000
 more detailed. And then right over here,
 this is the actual policy template.

0:22:05.740000 --> 0:22:08.380000
 So you have the purpose responsibility,
 the policy.

0:22:08.380000 --> 0:22:13.700000
 This is a proper example of what a policy
 in this case is, you know, plan,

0:22:13.700000 --> 0:22:19.080000
 but of what, you know, the specification
 of a policy looks like.

0:22:19.080000 --> 0:22:24.800000
 So in this case, it's referring to what
 the plan, the incident response

0:22:24.800000 --> 0:22:26.560000
 plan should contain.

0:22:26.560000 --> 0:22:30.800000
 So IT must develop and maintain
 a written incident response plan.

0:22:30.800000 --> 0:22:33.760000
 This process must be documented and
 approved, so on and so forth.

0:22:33.760000 --> 0:22:37.440000
 So it's actually laying out the policies
 and procedures for developing

0:22:37.440000 --> 0:22:41.380000
 the incident response plan, who is responsible
 for creating it, updating

0:22:41.380000 --> 0:22:46.380000
 it, etc. And then, of course, yeah, that's
 pretty much it, then the revision

0:22:46.380000 --> 0:22:47.840000
 history right over here.

0:22:47.840000 --> 0:22:54.040000
 Now, the final example, which is the
 ICIMS incident response policy and

0:22:54.040000 --> 0:22:56.040000
 procedures. This is not a template.

0:22:56.040000 --> 0:22:58.680000
 It's an example and it's a PDF.

0:22:58.680000 --> 0:23:05.660000
 And this one in my view is a very good
 example of what a fully fleshed

0:23:05.660000 --> 0:23:12.100000
 out incident response
 policy looks like.

0:23:12.100000 --> 0:23:14.360000
 So let me see, why can't I zoom in?

0:23:14.360000 --> 0:23:20.200000
 There we are. So you have terms and
 definitions clearly defined and let

0:23:20.200000 --> 0:23:21.900000
 me just zoom out.

0:23:21.900000 --> 0:23:27.420000
 There we go. And you can see pretty
 much all important terms are defined

0:23:27.420000 --> 0:23:30.820000
 here. So data breach, what
 does a data breach mean?

0:23:30.820000 --> 0:23:33.940000
 This is very important because again,
 if you're new, you may think a data

0:23:33.940000 --> 0:23:38.560000
 breach is something else or is, let's
 say, you know, something that is

0:23:38.560000 --> 0:23:41.080000
 less severe or critical, like maybe

0:23:41.080000 --> 0:23:43.780000
 a phishing email. Is that
 really a data breach?

0:23:43.780000 --> 0:23:45.360000
 No, but that needs to be defined.

0:23:45.360000 --> 0:23:49.260000
 So a security incident that directly impacts
 personal data, sensitive personal

0:23:49.260000 --> 0:23:52.360000
 information or personally
 identifiable information.

0:23:52.360000 --> 0:23:58.140000
 So in this case, you know, a phishing
 email that was successful, you know,

0:23:58.140000 --> 0:24:03.520000
 that essentially led to an employee revealing
 PII or sensitive information

0:24:03.520000 --> 0:24:06.540000
 or anything of that sort would
 be considered a breach.

0:24:06.540000 --> 0:24:08.940000
 Data controller escalation.

0:24:08.940000 --> 0:24:12.680000
 In this case, the name of the team is
 the security incident response team,

0:24:12.680000 --> 0:24:14.700000
 which we actually explained.

0:24:14.700000 --> 0:24:17.580000
 And that is also defined here.

0:24:17.580000 --> 0:24:18.740000
 You then have the scope.

0:24:18.740000 --> 0:24:22.240000
 You can see this follows the
 structure very, very well.

0:24:22.240000 --> 0:24:27.120000
 You know, as the one I laid out
 in the slides does as well.

0:24:27.120000 --> 0:24:33.660000
 So the scope of the incident response
 policy here is defined in full.

0:24:33.660000 --> 0:24:35.280000
 So there we are.

0:24:35.280000 --> 0:24:39.320000
 And you can see the communication
 channels, etc, etc.

0:24:39.320000 --> 0:24:41.580000
 And then you have the process document.

0:24:41.580000 --> 0:24:47.320000
 So terms and definitions, scope
 overview in this case.

0:24:47.320000 --> 0:24:48.900000
 Now it's, you know, properly defined.

0:24:48.900000 --> 0:24:55.280000
 So what the process looks like for each
 of the phases, who is doing what,

0:24:55.280000 --> 0:24:56.200000
 so on and so forth.

0:24:56.200000 --> 0:25:00.180000
 And again, you can go through this,
 but that's pretty much all that I

0:25:00.180000 --> 0:25:01.580000
 wanted to outline in this

0:25:01.580000 --> 0:25:05.200000
 practical or demo section
 of this video.

0:25:05.200000 --> 0:25:09.780000
 So highly recommend you go through all
 of the four examples as well as,

0:25:09.780000 --> 0:25:14.300000
 you know, search, you know,
 find other ones online.

0:25:14.300000 --> 0:25:18.280000
 And just get, you know, sort of understand,
 as I mentioned previously,

0:25:18.280000 --> 0:25:23.240000
 the similarities between them all in
 terms of their structure and the,

0:25:23.240000 --> 0:25:28.080000
 the format. And, you know, after
 you've gone through maybe a couple,

0:25:28.080000 --> 0:25:34.560000
 10, 20, 30, 40, 50, you'll be fairly
 well versed with, you know, policy

0:25:34.560000 --> 0:25:38.780000
 documents and, you know, the same
 goes for incident response plans.

0:25:38.780000 --> 0:25:42.220000
 So now I'm going to switch back
 over into the slides.

0:25:42.220000 --> 0:25:46.360000
 All right. So that was the
 incident response policy.

0:25:46.360000 --> 0:25:49.840000
 And hopefully those examples
 were useful to you.

0:25:49.840000 --> 0:25:52.460000
 And that brings us to
 the end of this video.

0:25:52.460000 --> 0:25:55.540000
 And with that being said, I will
 be seeing you in the next video.

