Incident Response Management Case Study
Any organization can suffer a cyber security incident or data breach. The damage, both short-term and long-term, can be substantial and, for some organizations, existential. Reputational damage and loss of customers are common consequences, on top of the cost of identifying and remediating the incident. Increasing financial penalties for data breaches can magnify the damage further, and total losses often run into the millions.
A lack of appropriate skills and inadequate cyber readiness can significantly increase both the duration and the cost of a cyber incident.
The Sava Cyber Technologies Security Incident Management consultancy service helps organizations develop the resilience to protect against, remediate, and recover from a wide range of cyber incidents and data breaches.
Sava Cyber Technologies were contacted by Howden Ltd to assist in developing their incident management process and planning in the wake of several high-profile cyber attacks on similar-sized organizations.
Howden Ltd provides a large range of outsourced services and solutions to the UK Government and Wider Public Sector from locations throughout the UK.
Due to the nature of the business Howden operates in and the sensitivity of the information it processes, Howden has a number of contractual, regulatory, and policy requirements for incident reporting, including GDPR, the NIS Directive, the Scottish Cyber Resilience Strategy, the NHS Data Security and Protection (DSP) Toolkit, and CareCERT.

Sava Cyber Technologies held an initial scoping meeting with Howden's Directors and Information Security Manager to gain insight into the business and to establish its cyber incident management requirements.
Following the scoping meeting, Sava Cyber Technologies drew up a project plan and prepared a statement of work, taking into account Howden’s requirements, resources, and timeframe.
The Sava Cyber Technologies Incident Management consultancy service is designed to help organizations develop a cyber incident management and response capability based on the best-practice cyber security incident response framework developed by CREST, with additional guidance from ISO/IEC 27035, the international standard for information security incident management.
The incident management project began with a detailed overview of the organization and a gap analysis to review the current security controls in place within the organization and to assess the level of security maturity.
The next step was to form an incident response team made up of stakeholders from across the organization's business entities, technical support, and senior management.
A BIA (Business Impact Analysis) was conducted with stakeholders from across the business to identify the assets that needed to be protected, prioritize them by criticality, and inform the incident scenarios to be included in the incident response plan. The BIA helped engage the stakeholders and enabled them to understand the impact an incident could have on their area of the business.
A number of scenarios were then developed around the threats the organization faces (ransomware, denial of service, and hacking), using the CREST seven-phase lifecycle approach to incident response:
Phase 1 – Detect
Phase 2 – Report
Phase 3 – Investigate
Phase 4 – Triage
Phase 5 – Act
Phase 6 – Recover
Phase 7 – Follow up
Each scenario was then documented and tested, and improvements were made following the testing.
All of this information was then consolidated into an Incident Response Plan.
The plan included the following:
Overview of the organization, scope, objectives, and responsibilities
Summary of the BIA results: the critical assets, their owners, the threats to them, and the MTD (Maximum Tolerable Downtime) for each
Incident Reporting Process – a documented incident reporting process with escalation paths
The Incident Response Process Steps – a step-by-step procedure covering the seven phases of the incident response process
Incident Scenarios – detailed, pre-prepared, and tested step-by-step scenarios covering the organization's most critical assets and the biggest threats to them, including every step required to recover the data, system, or service affected in each scenario
Contacts, checklists, and logs.
Training and awareness sessions were also delivered to the Incident Response team and first responders, covering the following areas:
Incident identification
Incident reporting
Incident classification
Incident scenario testing
Business continuity and technical disaster recovery planning and testing
A framework for continually testing and improving the incident response plan was developed during the project, based on the results of the gap analysis and the lessons learned throughout the engagement.
Sava Cyber Technologies are currently assisting Howden in developing their business continuity and disaster recovery plans and further incident response scenarios.