In this video, you will learn to describe the cybersecurity incident response processes and the three phases of Prepare, Respond, and Follow Up.
How could we deal with the cybersecurity incident process? This is something that came from CREST. CREST is actually a good organization that has a lot of certifications and a lot of information regarding cybersecurity. They summarize the cybersecurity incident process in three different phases. The first is Prepare, then we have Respond, and the last one is Follow Up.
In that first phase, you will need to understand if you have the e-discovery process. In other words, you will need to understand what kind of systems you are dealing with. If you have electronic data, do you have that electronic data classified, or do you have something important to worry about? Do you have controls? Do you have administrative, technical, or physical controls to protect your assets? Do you have, for example, a business impact analysis that will allow you to understand what happens if a certain system goes down? How much money will you lose? How much time will you lose in your operation, for example?
As soon as you have all the information in your hand, or as soon as you have all the data, you could start dealing with the incident. So first of all, in phase two, you will need to identify what the cybersecurity incident is. So for example, if somebody comes into your office and leaves a USB key on your desk, and you grab the USB key and plug it into your computer, and you download malware onto your computer, that's probably a security incident. But if somebody, for example, breaks a window in your building by throwing a rock, that's probably not a security incident. Well, it's a security incident, but not a cybersecurity incident.
So the way that you are going to deal with the cybersecurity incident will be different from the way that you deal with another kind of security incident or another kind of incident in your organization. Then, you will need to start or trigger the business recovery plan. Probably, you will need to trigger the business continuity plan if the incident requires that.
But the last part is the post-incident or investigation phase, and that's actually the follow-up. You'll need to investigate the incident. Why did the incident happen? If the incident happens again, how will you deal with it? What are the best controls that you could implement in order to prevent the incident from happening again?
So there are a lot of things that you could do in the follow-up. Another thing that is important to understand or do in the follow-up phase is the trend analysis. So for example, you know that somebody in your organization grabbed a USB key and plugged it into a computer in the internal network, and malware went through all of your network and infected a lot of computers. So probably, it's a trend. If somebody again goes and leaves USB keys in the parking lot, for example, what is the probability, what is the trend, that a lot of people, a lot of your users, will grab the same USB key and go and plug the USB key into a computer?
So in order to understand whether that kind of activity, that kind of behavior, is a trend, you will probably have to perform a lot of interviews. You will have to go and grab enough evidence, as we mentioned in the investigation phase, and create a case. Create a business case, create a process to create a plan. One of the outcomes of that plan will probably be a security awareness program. So those are basically the phases of the cyber incident response plan, the cyber incident response process.
Something good, if you want to understand a little bit better how a security incident could harm your organization, is this data breach calculator that we have here at IBM. Actually, let's go real quick into this link. You go here and open this link. You will get something like this. Actually, it's pretty simple. You just need to select here, for example, what country you are living in or where the cybersecurity incident will be happening. What kind of industry are you dealing with? For example, we could deal with the pharmaceutical industry. Then there are some of the things that you already implemented or that you don't have in your organization. For example, you could say that you have an artificial intelligence platform. You have actually not done a classification schema. You have employee training.
As soon as I start adding new things into these factors, the number, or the cost of the cybersecurity incident, will be lower. As soon as I start clicking on the factors and the related factors from the link here, from the box that I have, the cybersecurity incident will be higher, the cost will be higher. Then, here, we have the normalized statistics about, based again on our location, the average time to identify a cybersecurity breach, a data breach, for example. Then there are the top three cost factors for mitigating data security breaches. So obviously, the first one is incident response. Then, we have the use of encryption technologies on our data and in our systems and, obviously, the employee training process.
On the next slide, we have a couple of links also. If you prefer to understand the cybersecurity incident process using a mini-map, you could go to those links. Those are actually pretty good, but you'll have a lot of information here. You'll see a lot of things and it will probably be overwhelming to understand these, but that's actually pretty cool.
You will have here a lot of phases, a lot of steps that you will need to perform as soon as you start dealing with that cybersecurity incident response. So for example, here in step number three, this is the step that you may need to follow in the initial response process. So the first step in the initial response, for example, is this item: have the system and network administrators in place, and the business personnel, examining the logs, the reports, the architecture. You should have, for example, information gathering for the system. Understand the incident that you are dealing with and understand the system that you are dealing with, in order to start working with the response teams, start working with the people.