FCW : November and December 2015
A breach is coming — is your agency ready?
The key to successfully navigating a security breach is to develop a three-pronged, comprehensive incident response process ahead of time

Commentary | KRIS VAN RIPER AND SCOTT SHERMAN

KRIS VAN RIPER is the government practice leader and SCOTT SHERMAN is a senior executive adviser at CEB.

Advanced threats are spreading at an alarming rate, putting agency data at risk and making attacks almost inevitable. In July, the Government Accountability Office reported that information security incidents involving federal agencies skyrocketed from 5,503 in fiscal 2006 to 67,168 in fiscal 2014. If recent high-profile incidents are any indication, those numbers will only further increase in the years to come.

Agencies should assume that they are at risk for a breach and implement processes for post-incident recovery. A well-designed incident response plan gives agencies the tools necessary to respond to an attack, investigate the causes of a breach and manage internal and external communications. Such plans should involve a three-pronged approach:

1. Define the conditions required for a response. Agencies must differentiate between security “events” and security “incidents.” CEB defines a security event as any observable occurrence in a system or network — for example, a user connecting to file sharing or a firewall blocking a connection attempt. By contrast, a security incident is an event that results in or presents an imminent threat of a violation of computer security policies, acceptable-use policies or standard security practices. All security incidents are security events, but not all events are incidents.

Security incidents include denial-of-service attacks, infiltration by malicious code or unauthorized access to sensitive information. Those incidents should trigger the agency’s response process, but if agencies were to automatically respond to every security event, they would waste time and resources chasing endless false alarms.

2. Create an incident taxonomy. The second step involves the creation of a standard set of labels known as an incident taxonomy. It allows agencies to categorize incidents within well-defined parameters to more quickly identify patterns, which enables a faster response to common types of incidents and streamlines trend analysis. Although 83 percent of organizations use a taxonomy system, there is no overwhelming preference for a specific type, according to CEB’s research. However, the taxonomy an agency selects is not as critical as the fact that it chooses and maintains one for consistency.

3. Follow the protocol for recovery. Once agencies have categorized their triggers and taxonomies, they should focus on recovery protocols, which are the most valuable accelerators to a rapid recovery. In order to adopt effective response protocols, agencies should create processes that span four distinct phases:

• Preparation — Select a specialized incident response team, a single point of contact and a system for evaluating and tracking the external threat environment. In our research, 89 percent of organizations have designated a single point of contact for incident response coordination and leadership.

• Detection and analysis — Develop a strategy for monitoring a variety of channels that are responsible for detecting incidents. And create consistent severity categories that align with levels of resource allocation and response timelines.

• Containment, eradication and recovery — Establish workflows for responding to various incidents, including formal action plans that empower incident response teams to react quickly. Also, ensure that officials are communicating clearly with all stakeholders and maintaining processes that enable the collection of evidence for analysis.

• Post-incident response — Require postmortem assessments that facilitate organizational change and reinforce the importance of operational improvement.

By assuming that system attacks are imminent and planning accordingly, federal agencies can limit the actual attack and manage the resulting impact.