Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and Incidents to the SEC
- 1. Using the IncMan Suite to Manage
the Reporting of Cyber Security
Risks and Incidents to the SEC
- 2. SEC Cyber Security Reporting
Disclaimers
The information contained in this document is the proprietary and exclusive property of DFLabs
except as otherwise indicated. No part of this document, in whole or in part, may be
reproduced, stored, transmitted, or used for design purposes without the prior written
permission of DFLabs. The information contained in this document is subject to change without
notice.
NO WARRANTY: The information in this document is provided for informational purposes only.
DFLabs specifically disclaims all warranties, express or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose, except as provided for
in a separate software license agreement.
NOT LEGAL ADVICE: The ideas and opinions in this document are not to be construed as legal
advice.
About DFLabs
DFLabs is an ISO9001 certified company, specializing in Information Security Governance,
Governance Risk and Compliance (GRC) and Business Security. Our mission is: Supporting
Information Security Strategies and Guaranteeing Business Security. Proud of its professional
experience, DFLabs provides consulting, services and technologies in the following areas:
Network security, Information Security Strategy, Incident/Fraud Prevention and Response,
Digital Forensics, e-discovery, Litigation Support, Infosec Training, Intrusion Prevention, Log
and Vulnerability Management.
DFLabs is the creator of the IncMan Suite, a comprehensive incident management solution. The
IncMan Suite comprises three modules that can operate autonomously or in concert for a
complete solution.
Incident Manager (IMAN) is the integrated solution for the complete management of
security incidents.
Digital Investigation Manager (DIM) is digital evidence tracking software used in digital
investigations. DIM has been designed and developed to be used for digital evidence
process support during computer forensics and incident response operations.
ITILity is a framework of best practices to manage IT operations and services. It is
designed to provide a complete support solution, to streamline helpdesk processes.
©2011 DFLabs. Copyright, USA and EU Patent Pending Software. DFLABS srl, P.I. and C.F. 04547850968, cap.soc. 50.000 Euro i.v., Corso Magenta 43, 20123 Milano
Page 1
- 3. SEC Cyber Security Reporting
Table of Contents
Executive Summary .................................................................................................. 3
Business Challenges ................................................................................................ 4
Solution Description .................................................................................................. 8
Important Features ................................................................................................. 11
Technical Details .................................................................................................... 12
Summary ................................................................................................................ 12
More Information ..................................................................................................... 13
Works Cited ............................................................................................................ 13
Executive Summary
On October 13, 2011, the US Securities and Exchange Commission (SEC) published guidance
regarding the obligations of companies registered with the SEC relating to cyber security risks
and cyber security incidents. Although cyber security risks have always been a potential
disclosure issue, this recently published guidance draws specific attention to the need for
registrants to carefully analyze “if these issues are among the most significant factors that make
an investment in the company speculative or risky.” [1]
In determining whether such disclosure is required, companies need to consider:
Past Security Incidents
The probability of security incidents occurring in the future, the magnitude of
those risks, as well as the potential costs and consequences of those incidents
The adequacy of the preventive actions taken to reduce cyber security risks
The SEC Guidance discussed in this paper provides several examples of cyber threats that can
have a material impact on a company that investors have the right to be made aware of.
However, public disclosure of cyber risk and incidents must be done carefully. The SEC
guidance recognizes that detailed disclosures could provide a roadmap to an attacker.
Company executives have the difficult task of weighing the obligation to provide timely and
comprehensive information while preserving customer and investor confidence. The stakes of
this balancing act are heightened by the litigious climate facing companies doing business in the
US.
This document will cover the challenges of assimilating all of the threats and attacks that a
company is exposed to so that a proper risk assessment can be performed. Proper disclosure
cannot be performed without competent analysis of the risks identified during a risk assessment.
Not every breach will need to be reported, as the majority will not have the potential for a
material impact to the company [2]. Deciding which security incidents to disclose is another
critical management decision and it must be made in a timely manner.
The DFLabs IncMan Incident Management Suite not only provides your organization’s incident
handlers with a framework for managing cyber security incidents, it provides management with
insightful information for understanding the organization’s cyber risk profile and incident
response trends, including actual costs of historical and current incident response activities.
Business Challenges
Trade Secrets, Personally Identifiable
Information, and Reputation
In today’s information-based economy, it can be argued that information is the primary fuel of
wealth creation. Information, combined with financial and human capital creates the combustion
of prosperity. Competitive advantage arises based on how effectively organizational
management leverages these three types of resources. Trade secrets are the information that
provides competitive advantage. Companies need to devote appropriate resources to
safeguarding this information, so as to protect their competitive advantage.
In order for a company to do business, a modicum of trust must exist between the business
and its customers. Each party to a transaction must trust that the transaction is fair. Some
transactions require more trust than others, for example the trust relationship between a patient
and a brain surgeon. Trust implies vulnerability. I do not have to trust you if I am not
vulnerable to you [3]. To engage in most significant transactions, information must be
exchanged, and the expectation is that the recipient can be trusted with the information.
The average consumer would rather not share intimate personal details with a large
international organization but they will do so if they want the transaction to occur. Whether one
is aware of it or not, the decision to trust and share personally identifiable information (PII) is
based on a risk calculation that is part of our psychological hardwiring. An individual may not
accurately perceive the risk [4] but it is clear that one’s experience and assessment of the
other’s reputation are predominant factors in the decision making process [5].
To survive and thrive, organizations must diligently protect their trade secrets and those of their
business partners. They must also safeguard the personal information entrusted to them by
their customers. How effective an organization is at protecting these vital assets shapes its
reputation and that reputation is a key factor in the growth or decline of a business.
Disclosure of Cyber Security Risks by Public Companies
Investing is another transaction that has inherent risk and is based on trust. The US Securities
and Exchange Commission (SEC) has stated that, “The federal securities laws, in part, are
designed to elicit disclosure of timely, comprehensive, and accurate information about risks and
events that a reasonable investor would consider important to an investment decision.” [1]
The SEC has noted that there is increased focus on the disclosure obligations of publicly
traded companies and has issued a document called CF Disclosure Guidance: Topic No. 2 –
Cybersecurity (hereafter referred to as “the guidance”). Perhaps this is a response to several
high profile security breaches at large public companies. The guidance states in its introduction
that, as dependence on digital technologies has increased, “the risks to
registrants associated with cybersecurity have also increased, resulting in more frequent and
severe cyber incidents.” [1]
Attacks & Accidents
In general terms, the goal of an attack is to make the adversary’s resources more valuable to
the attacker (theft, for example) or less valuable to the adversary (such as “denial of service”).
Attackers have a variety of motivations. Understanding these motivations is an important part of
threat assessment.
However, not all security incidents are motivated by ill will toward the organization. In fact,
many security incidents are due to errors and omissions. [6]
Organizations must protect themselves from both attacks
and accidents.
Confidentiality, Integrity, and Availability
Regardless of the motivation, a security incident will fall into one or more of the following
categories:
Threats to Confidentiality – A threat to confidentiality occurs when
unauthorized access has been gained to a system containing secret information.
Threats to Integrity – When a system has been attacked, users lose trust in the
accuracy and reliability of the information contained therein.
Threats to Availability – If users cannot access the information in a system, the
value of that information is greatly diminished.
Risk, Vulnerabilities, and Threats
The common definition of cyber security risk is the likelihood that a threat will exploit a specific
vulnerability. Risk management is the identification and prioritization of risks as well as the
economical application of resources to reduce the impact of the adverse event. [7]
By way of example, the SEC guidance discusses a variety of deliberate and unintentional cyber-attacks
on confidentiality, integrity, and availability. The document states that successful
attacks might result in the victim organization incurring substantial costs and negative
consequences, such as:
Remediation costs that may include liability for stolen assets or information and
repairing system damage that may have been caused. Remediation costs may
also include incentives offered to customers or other business partners in an
effort to maintain the business relationships after an attack;
Increased cyber security protection costs that may include organizational
changes, deploying additional personnel and protection technologies, training
employees, and engaging third party experts and consultants;
Lost revenues resulting from unauthorized use of proprietary information or the
failure to retain or attract customers following an attack;
Litigation; and
Reputational damage adversely affecting customer or investor confidence.
Risks have to be prioritized because the cost of mitigating
the risk cannot outweigh the cost of the adverse impact.
Determining What to Disclose
The SEC guidance discusses the specifics of disclosing risks in the various sections of the SEC
forms that cover:
Risk Factors
Management’s Discussion and Analysis of Financial Condition and Results of
Operations (MD&A)
Description of Business
Legal Proceedings
Financial Statement Disclosures
The disclosures must “adequately describe the nature of the material risks and specify how
each risk affects the registrant [1].” Registrants are expected to evaluate their cyber security
risks, considering all relevant information. The guidance specifically mentions:
previous cyber security incidents and severity & frequency of those incidents;
the probability of future cyber security incidents and the potential magnitude of
those risks; and
the adequacy of the countermeasures taken to reduce cyber security risks.
A founding partner of the Information Law Group stated, “One read of this guidance is that
companies internally are going to have to more carefully forecast and estimate the impact of
cyber incidents and the consequences of failing to implement adequate security. This analysis
will go well beyond privacy-related security issues where most companies have focused (due to
various privacy laws and regulator activity), and implicate key operational issues impacted by
security breaches.” [2]
Avoiding Litigation
The stakes are very high. If a company does not adequately disclose cyber security risks they
are potentially exposed to lawsuits and sanctions from the SEC. However, disclosing details
about prior security incidents can also open the company up to additional lawsuits. One thing is
sure, teams of lawyers and accountants are looking at both sides of this issue¹ and plaintiffs will
have no problems obtaining the funding to pursue class action lawsuits. [8]
¹ The introduction to the SEC guidance stated that a motive for publishing the guidance was that
“there has been increased focus by registrants and members of the legal and accounting professions
on how these risks and their related impact on the operations of a registrant should be described
within the framework of the disclosure obligations imposed by the federal securities laws” [1]
Solution Description
Determination of Material Risks
In order for management to determine which cyber security risks should be disclosed per the
SEC guidance, it is important that the organization have a comprehensive security management
program. There are three facets of the program that will be the biggest sources of information
to the disclosure decision-making process:
Incident Handling Case Management
Risk Assessments
Operational Security
The IncMan Suite from DFLabs is a comprehensive incident management framework that has
functionality to meet the needs of security governance programs particularly in these three
areas. This functionality is discussed in the following sections, with a focus on the needs of the
decision makers involved in SEC reporting.
Figure 1 – The IncMan Dashboard gives a visual indication of critical metrics.
Information on Past Security Incidents
The guidance states that historical security incident information is a consideration to be factored
into the disclosure decision-making process. IncMan not only provides a workflow framework
for an organization’s incident response team, it is also a repository of the team’s historical
response activities. The IncMan Suite archives all case notes and evidence, preserving the
chain of custody records. All cases are rated on a severity scale based on your organization’s
criteria. Any lessons can be preserved with each case. All content is searchable.
A dashboard (see Figure 1) provides a high-level overview of aggregated case information,
allowing managers to identify trends and see the financial impact of security incidents.
Probability & Impact of Future Security Incidents
While historical security incident information is an important factor in risk assessments, it
provides only a partial picture because threats evolve rapidly. Security managers must also be
aware of emerging attack trends, recently disclosed software vulnerabilities, as well as security
incidents afflicting the organization’s industry peers.
One of the most important features of IncMan is its native support of the IODEF standard [9].
This capability allows IncMan to automatically receive incident reports from any CSIRT and
create assignments for the organization’s response team to take preemptive actions.
The IncMan Suite allows security managers to assess the
magnitude of risk, potential costs, and consequences of
material threats to the organization.
Because all security incidents (internal and external to the organization) are catalogued
according to the IODEF data model, security managers are able to use the dashboard and
report wizard to characterize emerging security incident trends and project the potential financial
impact to the organization.
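As an added illustration of the cataloguing step described above (this is example code written for this page, not DFLabs or IncMan code), the following Python script parses incident reports in the IODEF format defined by RFC 5070 [9], records each incident's identifier, impact type, severity and MonetaryImpact estimate, aggregates those records into the counts and cost totals a dashboard or report wizard would present, and flags incidents for management review. The two sample reports, the example.com identifiers and the escalation threshold are constructed assumptions; the element names (Incident, IncidentID, ReportTime, Assessment, Impact, MonetaryImpact) and their attributes are taken from RFC 5070.

```python
"""Catalogue IODEF (RFC 5070) incident reports for trend and cost reporting.
Added example, not IncMan code. The sample reports are constructed; element and
attribute names follow RFC 5070."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample: one report from the organization's own team (two incidents)
# and one received from an external CSIRT (one incident, no cost estimate).
SAMPLE_REPORTS = [
    """<IODEF-Document version="1.00" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">2011-0042</IncidentID>
    <ReportTime>2011-10-20T09:15:00+00:00</ReportTime>
    <Assessment>
      <Impact type="info-leak" severity="high" completion="succeeded"/>
      <MonetaryImpact severity="high" currency="USD">250000</MonetaryImpact>
    </Assessment>
    <Contact role="creator" type="organization"><ContactName>Example IR Team</ContactName></Contact>
  </Incident>
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">2011-0043</IncidentID>
    <ReportTime>2011-10-22T14:02:00+00:00</ReportTime>
    <Assessment>
      <Impact type="dos" severity="medium" completion="failed"/>
    </Assessment>
    <Contact role="creator" type="organization"><ContactName>Example IR Team</ContactName></Contact>
  </Incident>
</IODEF-Document>""",
    """<IODEF-Document version="1.00" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.partner.example">77</IncidentID>
    <ReportTime>2011-10-25T07:40:00+00:00</ReportTime>
    <Assessment>
      <Impact type="recon" severity="low" completion="succeeded"/>
    </Assessment>
    <Contact role="creator" type="organization"><ContactName>Partner CSIRT</ContactName></Contact>
  </Incident>
</IODEF-Document>""",
]


@dataclass
class IncidentRecord:
    incident_id: str           # "<IncidentID name>:<value>", unique across CSIRTs
    report_time: str
    impact_types: list = field(default_factory=list)
    severity: str = "unknown"  # highest Impact severity seen for this incident
    monetary_loss: float = 0.0
    currency: str = ""


def parse_iodef(xml_text: str) -> list:
    """Extract one IncidentRecord per <Incident> element in an IODEF document."""
    root = ET.fromstring(xml_text)
    records = []
    for inc in root.findall("iodef:Incident", NS):
        iid = inc.find("iodef:IncidentID", NS)
        ident = f"{iid.get('name', '')}:{(iid.text or '').strip()}"
        rec = IncidentRecord(ident, inc.findtext("iodef:ReportTime", default="", namespaces=NS))
        for impact in inc.findall("iodef:Assessment/iodef:Impact", NS):
            rec.impact_types.append(impact.get("type", "unknown"))
            sev = impact.get("severity", "unknown")
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(rec.severity, 0):
                rec.severity = sev
        for money in inc.findall("iodef:Assessment/iodef:MonetaryImpact", NS):
            rec.monetary_loss += float((money.text or "0").strip())
            rec.currency = money.get("currency", rec.currency)
        records.append(rec)
    return records


def catalogue(reports: list) -> list:
    """Parse every report (internal or external) and order records by ReportTime."""
    records = [r for doc in reports for r in parse_iodef(doc)]
    return sorted(records, key=lambda r: r.report_time)


def trend_summary(records: list) -> dict:
    """Counts by impact type and severity plus total estimated loss: the kind of
    aggregate a dashboard or report wizard presents for trend analysis."""
    by_type = Counter(t for r in records for t in r.impact_types)
    by_severity = Counter(r.severity for r in records)
    return {"by_type": dict(by_type), "by_severity": dict(by_severity),
            "total_loss": sum(r.monetary_loss for r in records)}


def needs_escalation(rec: IncidentRecord, loss_threshold: float = 100000.0) -> bool:
    """Constructed escalation rule (an assumption, not a disclosure standard): a
    high-severity incident or an estimated loss at or above the threshold is
    routed to management for a materiality review."""
    return rec.severity == "high" or rec.monetary_loss >= loss_threshold


def escalations(reports: list) -> list:
    """Identifiers of the catalogued incidents that meet the escalation rule."""
    return [r.incident_id for r in catalogue(reports) if needs_escalation(r)]


if __name__ == "__main__":
    print(trend_summary(catalogue(SAMPLE_REPORTS)))
    print("escalate:", escalations(SAMPLE_REPORTS))
```

Reports received from external CSIRTs are untrusted input; a production implementation should parse them with a hardened XML parser (for example defusedxml) rather than the standard-library parser used here, and should validate them against the IODEF schema before cataloguing them.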
Adequacy of Preventive Actions Taken to Reduce Risks
An important tenet of security is “prevention is important, but detection is a must!” Most secure
organizations have adopted a defense-in-depth security philosophy with overlapping layers of
preventive and detective security controls. The detective counter-measures are designed to
raise an alert when a preventive control has failed or has been circumvented. Generally, the
more rapid the response to the incident, the lower the cost will be.
The IncMan Suite can integrate with all security devices that support XML and the Common
Event Format (CEF), such as all popular intrusion detection systems (IDS), intrusion prevention
systems (IPS), and Security Information and Event Management (SIEM) systems.
The data generated by IncMan will allow Security Managers to make an ongoing evaluation of
the adequacy and cost effectiveness of the organization’s preventive and detective controls. As
part of an operational security process, new procedures and incident response procedures are
adapted to respond to organizational changes and evolving threats. These critical documents
can be stored in the IncMan knowledge base for immediate access during an incident.
Supporting Documentation for SEC Disclosures
As stated in the Business Challenges section of this paper, cyber security risk and incident
disclosures may impact reputation, investor and customer confidence, as well as have legal
ramifications. For this reason, it is anticipated that organizations will develop written criteria for
internal use as to what constitutes a material disclosure. Customized reports can be created to
provide the supporting documentation for the SEC disclosures.
Discovery & Legal Evidence
The organization may become involved in legal action resulting from significant security
incidents, either as a plaintiff or as a defendant. Corporate counsel can rest assured that all
aspects of the incident response including artifacts and case notes are preserved in a
forensically sound manner within the IncMan Suite. The suite provides for chain of custody
tracking of all evidence and incorporates full support for digital forensic investigation activities.
Within the system, all activity is logged. Access to each case is controlled on a role-based,
need-to-know basis as granted by a supervisor. When cases are closed, access can be
revoked or changed to read only.
Important Features
The IncMan Suite is designed with the needs of enterprise incident response teams in mind.
The following features make the system ideally suited to the challenge of disclosing material
risks and incidents to the Securities and Exchange Commission:
Workflow Management – Templates can be defined to pre-populate the security
incident case record and tasks can be created and tracked.
Dashboard – The configurable dashboard gives an overview of the incident
response posture of the organization.
Powerful Reporting – Reports can be customized to report exactly the
information needed to support a material disclosure.
GRC – Risk and compliance implications for every incident can be automatically
directed to the appropriate management personnel.
Preservation of Evidence and Chain of Custody – All activities are logged and
all artifacts are preserved in a forensically sound manner.
Knowledge Base – The knowledge base can be loaded with the organization’s
policies, procedures, and criteria for a material disclosure.
Case Activity Notifications – Email alerts can be configured to escalate
incident cases to the appropriate level of management based upon severity.
Automatic Integration with External Applications – Integration with Intrusion
Detection Systems (IDS), Security Information Event Management (SIEM)
systems, and all leading forensic tools. Examples include ArcSight, Netwitness,
Access Data FTK, Solo III, X-Ways, Guidance Software Encase, PTK Forensics,
RSA enviSion, Tableau and more.
The focus of this document is to highlight the value of IncMan to security executives who
make cyber security disclosures to the SEC, but it should be emphasized that this value derives
from the fact that it is also an indispensable tool for the organization’s incident response team.
Technical Details
The IncMan Incident Management Suite is a secure web application designed to scale to the
largest, geographically distributed enterprises. The system is provided as a virtual machine, a
hardware appliance, or a multi-tiered cluster depending on the needs of the organization. Users
access the system using a web browser or mobile device, such as an iPad. The user interface
supports multiple languages.
Summary
This document shows how the DFLabs IncMan Incident Management Suite is well suited to
support the needs of Security Executives that must disclose cyber security risks and incidents to
the US Securities and Exchange Commission. Although only material risks must be disclosed,
deciding what to disclose is a decision that has significant consequences and should be based
on specific criteria.
The IncMan Suite is designed to support and coordinate the incident management activities of
an entire enterprise while providing governance with the necessary metrics needed to
understand the organization’s cyber risk profile. The system can escalate situations to the
appropriate levels of management when security incidents matching certain criteria occur or
pre-defined thresholds are exceeded.
All historical costs and associated risks are tracked to allow for the reporting of the financial
impact of incident response actions and the projection of future costs. This system helps
security managers identify attack trends and assess the adequacy of the preventive measures
that the organization is taking to reduce security risks.
While determining what to disclose to the SEC is still a tough executive decision, the IncMan
Suite helps to facilitate the decision by providing the information that is critical to the decision
making process.
More Information
To schedule a demonstration of the DFLabs IncMan Incident Management Suite or to learn
more about our software products and services, contact Dale Wright at +01 410 381 4860, or
email sales_usa@dflabs.com. Visit our website at www.DFLabs.com.
Works Cited
[1] "CF Disclosure Guidance: Topic No. 2, Cybersecurity," Division of Corporation Finance, Securities and
Exchange Commission, 13 October 2011. [Online]. Available:
http://sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. [Accessed 24 October 2011].
[2] D. Navetta, "SEC Issues Guidance Concerning Cyber Security Incident Disclosure," Information Law
Group, 14 October 2011. [Online]. Available:
http://www.infolawgroup.com/2011/10/articles/breach-notice/sec-issues-guidance-concerning-cyber-security-incident-disclosure/. [Accessed 24 October 2011].
[3] C. McLeod, "Trust," The Stanford Encyclopedia of Philosophy, no. Spring 2011 Edition, 2011.
[4] D. Ropeik, How Risky Is It Really?, New York: McGraw-Hill, 2010.
[5] A. Partida and D. Andina, "Vulnerabilities, Threats and Risks in IT," in IT Security Management, vol.
61, Springer Netherlands, 2010, pp. 1-21.
[6] ITpolicyCompliance.com, "Taking Action to Protect Sensitive Data," March 2007. [Online]. Available:
http://www.itpolicycompliance.com/research-reports/taking-action-to-protect-sensitive-data/. [Accessed
25 October 2011].
[7] D. W. Hubbard, The Failure of Risk Management, Hoboken, NJ: John Wiley & Sons, Inc., 2009.
[8] V. O'Connell, "Funds Spring Up to Invest in High-Stakes Litigation," 3 October 2011. [Online].
Available: http://online.wsj.com/article/SB10001424052970204226204576598842318233996.html.
[Accessed 25 October 2011].
[9] R. Danyliw, J. Meijer and Y. Demchenko, "The Incident Object Description Exchange Format,"
December 2007. [Online]. Available: http://www.ietf.org/rfc/rfc5070.txt. [Accessed 8 November 2011].
Using the IncMan Suite to Manage
the Reporting of Cyber Security
Risks and Incidents to the SEC
DF LABS Srl, VAT and taxpayer number 04547850968
Address: Rep. Office: Via Bergognone, 31, cap 20144 Milano, Italy
Labs: Via delle Macchinette, 27, 26013 Crema (CR), Italy
Tel: +39 0373-83196 / +39 0373-223716
Fax: +39 0373 387605 / +39 02-700424607
Email: info@dflabs.com
DFLabs - North America and South America
Contact: Dale Wright
Email: sales_usa@dflabs.com
Tel. +01 410 381 4860
DFLabs -
abs.com
DFLabs - Middle East, Dubai, UAE
Contact: Dennis Oommen
Email: dpo@dflabs.com
Tel: +97150 5515 480
About DFLabs
DFLabs is an ISO9001 certified company, specializing in Information Security Governance, Governance Risk and
Compliance (GRC) and Business Security. DFLabs provides consulting, services and technologies in the
following areas: Network security, Information Security Strategy, Incident/Fraud Prevention and Response, Digital
Forensics, e-discovery, Litigation Support, Infosec Training, Intrusion Prevention, Log and Vulnerability
Management.
About The Author
Kenneth G. Hartman is a Solution Architect for DFLabs. Ken holds multiple security certifications, including a
CISSP. Prior to coming to DFLabs, Ken was a Security & Privacy Officer for a Healthcare Informatics company.
Contact the author at kh@dflabs.com.
Publication Date: 12/7/2011
©2011 DFLabs srl
www.DFLabs.com