The analysis and response to activity and condition monitoring is performed differently in financial institutions of different size and complexity. Smaller and less complex institutions may assign operational personnel to the analysis and response function. Larger and more complex institutions may maintain a security response center that receives and analyzes the data flows as activity occurs. Additionally, institutions of all sizes may outsource various aspects of the analysis and response function, such as activity monitoring.
Outsourcing does not relieve the institution of the responsibility for ensuring that control failures are identified before a security incident occurs, that an intrusion or other security incident is detected in sufficient time to enable an effective and timely response, and that post-event forensics activities are supported.
31 The quarterly auditing and verification need not be by an independent source. See NIST Special Publication 800–41.
FFIEC IT Examination Handbook Page 90
SECURITY INCIDENTS

An internal security response center serves as a central location for the analysis and investigation of potential security incidents. To serve in that role, the security response center should consider, evaluate, and respond to both external threats and internal vulnerabilities. Sources of external threat information include industry information sharing and analysis centers (ISACs), Infraguard, mailing lists, and commercial reporting services.
Internal vulnerability information is available from condition reporting and activity monitoring. Security response centers should be able to access all relevant internal vulnerability information in a read-only manner. That data may reside in centralized log repositories, on the devices that perform the logging, and in results of self-assessments and independent tests. Security response centers also should have available tools to analyze the logs and to perform ad hoc activity monitoring. Other useful data sources are reports of anomalies in both network and host performance and the end-user experience. The latter covers internal users as well as contractors and customers who use the institution's systems.
Because the identification of incidents requires monitoring and management, response centers frequently use SIM (security information management) tools to assist in the data collection, analysis, classification, and reporting of activities related to security incidents.
The security response center should be governed by policies and procedures that address security incidents:
Monitoring policies should enable adequate continual and ad-hoc monitoring of communications and the use of the results of monitoring in subsequent legal procedures. The responsibility and authority of security personnel and system administrators for monitoring should be established, and the tools used should be reviewed and approved by appropriate management with appropriate conditions for use.
Classification policies should be sufficiently clear to enable timely classification of incidents into different levels of severity. Response and reporting levels should be commensurate with the severity levels.
Escalation policies should address when different personnel within the organization will be contacted about the incident, and the responsibility those personnel have in incident analysis and response.
Reporting policies should address internal and external reporting, including coordination with service providers and reporting to industry ISACs.
Additionally, a policy should address who is empowered to declare an incident to be an intrusion.
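The following added example (not from the Handbook) models the policy elements above as code a security response center might run over its read-only log feeds: log lines from several sources are classified into severity levels, each severity maps to the personnel escalated to, and a separate check enforces which roles are empowered to declare an incident an intrusion. All feeds, rules, roles, thresholds and sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from enum import IntEnum
Severity = IntEnum("Severity", "LOW MEDIUM HIGH")  # LOW=1 < MEDIUM=2 < HIGH=3

# Constructed escalation policy: roles contacted at each severity level.
ESCALATION = {
    Severity.LOW: ["soc_analyst"],
    Severity.MEDIUM: ["soc_analyst", "security_manager"],
    Severity.HIGH: ["soc_analyst", "security_manager", "ciso", "legal"],
}
# Constructed policy: only these roles may declare an incident an intrusion.
MAY_DECLARE_INTRUSION = {"security_manager", "ciso"}
# Constructed classification rules (feed, pattern, severity); first match wins.
RULES = [
    ("host", re.compile(r"event=new-admin-account"), Severity.HIGH),
    ("ids", re.compile(r"sig=sql-injection"), Severity.MEDIUM),
    ("helpdesk", re.compile(r"tickets=[1-9]\d+\b"), Severity.MEDIUM),  # 10 or more
]

# Constructed sample lines ('feed key=value ...') from IDS, host and help-desk feeds.
SAMPLE_LOGS = [
    "ids host=web01 sig=sql-injection-attempt count=3",
    "host host=db02 event=new-admin-account user=svc_backup2",
    "helpdesk host=atm-gw tickets=14 complaint=login-failures",
    "host host=web03 cpu=40 note=normal",  # benign: matches no rule
]

@dataclass(frozen=True)
class Incident:
    feed: str
    host: str
    severity: Severity

def classify(line):
    """Map one log line to an Incident via the first matching rule, else None."""
    feed, _, rest = line.partition(" ")
    host = re.search(r"host=(\S+)", rest)
    for rule_feed, pattern, sev in RULES:
        if feed == rule_feed and pattern.search(rest):
            return Incident(feed, host.group(1) if host else "unknown", sev)
    return None

def triage(lines):
    """Classify lines and pair each incident with the contacts its severity escalates to."""
    return [(inc, ESCALATION[inc.severity]) for inc in map(classify, lines) if inc]

def may_declare_intrusion(role):
    """Policy check: only an empowered role may declare an incident an intrusion."""
    return role in MAY_DECLARE_INTRUSION
```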
The effectiveness of a security incident response center also is a function of the training and expertise of the security analysts. A financial institution should ensure that its analysts are sufficiently trained to appropriately analyze network and host activity and to use the monitoring and analysis tools made available to them.
INTRUSION RESPONSE

The goal of intrusion response is to minimize damage to the institution and its customers through containment of the intrusion, the restoration of systems, and providing assistance to customers.
The response primarily involves people rather than technologies. The quality of intrusion response is a function of the institution’s culture, policies and procedures, and training.
Preparation determines the success of any intrusion response. This involves defining the policies and procedures that guide the response, assigning responsibilities to individuals, providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution’s policies and procedures include the following:
How to balance concerns regarding availability, confidentiality, and integrity for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left online.
When and under what circumstances to invoke the intrusion response activities, and how to ensure that the proper personnel are notified and available.
How to control the frequently powerful intrusion identification and response tools.
When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.
When and under what circumstances to notify and involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.
Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization.
How and what to communicate outside the organization, whether to law enforcement, supervisory agencies, customers, service providers, potential victims, and others. This consideration drives the communication strategy and is a key component in mitigating reputation risk.
How to document and maintain the evidence, decisions, and actions taken.
What criteria must be met before compromised services, equipment, and software are returned to the network.
How to learn from the intrusion and use those lessons to improve the institution's security.
How and when to prepare and file a Suspicious Activities Report (SAR).
Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response program with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Due to the wide range of technical and nontechnical issues that are posed by an intrusion, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, public relations, as well as information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations.
When CSIRT functions are outsourced, institutions should ensure that the service provider follows the institution's policies and maintains the confidentiality of data.
Institutions should assess the adequacy of their preparations through testing.
While containment strategies between institutions can vary, they typically contain the following broad elements:
Isolation of compromised systems, or enhanced monitoring of intruder activities;
Search for additional compromised systems;
Collection and preservation of evidence; and
Communication with affected parties, the primary regulator, and law enforcement.
Restoration strategies should address the following:
Elimination of an intruder’s means of access;
Restoration of systems, programs and data to a known good state;
Filing of a SAR (guidelines for filing are included in individual agency guidance); and
Initiation of customer notification and assistance activities consistent with interagency guidance.