Thread: Question about laptop theft & Incident Response

Question about laptop theft & Incident Response
United States
2007-05-30 06:05:29

Hi all,
 
Let's say a laptop belonging to an employee of company X has been stolen. The laptop (which of course belongs to company X) contains valuable information such as financial info, etc. From the security perspective, the procedure to handle this kind of event:
1) The employee remains responsible for the tangible asset lost (the laptop) based on the agreement made between company X and the employee before the laptop was assigned.
2) An investigation must be performed to determine whether there was user negligence (or not) in order to judge point (1).
3) Estimate the loss of the intangible asset.
4) .....
5) ....... (please give idea what missed here)
 
Can that event be categorized as an incident, and the incident response procedure then declared?
 
Many Thanks
Rifa

Re: Question about laptop theft & Incident Response
United States
2007-06-08 15:23:50

To declare it as an incident you need to show:
 
1) it to be an unusual occurrence (which it is)
2) there is possible harm or an attempt to harm the organization (which there is)
 
Steps of incident response (order is important):
 
1) A steady-state cycling between "Preparation" and "Identification" states. (Sorry, can't detail this here.)
2) Containment (short-term and long-term) after incident has been identified and declared.
3) Eradication
4) Recovery
5) Lessons Learned
 
Fixing the blame on the employee within the incident handling cycle is not conducive to IR effectiveness; other processes should take care of this activity. However, make sure that whatever you or others do remains within forensically sound practices vis-a-vis any evidence that you might have.
 
Deploy a rep to the site to collect information.
 
Evaluate what can be done to contain the losses that can be caused by this event, and activate the *pre-existing*, *pre-thought-out* plans that you have decided on to deal with such an incident.  It helps to know what was on the laptop.  Some of the things to do will be to break trust relationships from the laptop to other machines.  Evaluate what sensitive data might have been on the laptop, etc.  See if there are mandatory reporting requirements associated with loss of such data, etc.
 
Containment should again be done with an eye for forensically sound evidence handling.  It is also in this phase that you (try to completely) separate the evidence from your environment so that the advanced stages of containment and eradication do not affect the evidence.  I leave it to you to figure out what that means in the context of a laptop theft.
 
Containment might also involve evaluating the physical controls that failed and resulted in the theft.  (Propose some immediate corrective action so that such events are contained -- detailed handling of corrective policies happens in the lessons learned phase).
 
Move on to Eradication, where you remove the cause of the incident and completely remove the offending factor.  Again, what it means in this context needs thought.
 
Move on to Lessons Learned.  Have a meeting, socialize your lessons learned with others; find out what can be done differently and better to minimize such losses.  Maybe encrypt data on the hard drives, etc.
 
Formalize a reporting process; get all parties to agree on your findings (signed acknowledgement), or in case of a disagreement make sure that the points of disagreement are clearly identified and documented (signed acknowledgement) so that the disagreeing party cannot discredit the whole report in a court of law.
 
Regards,
--
Raoon Kundi, CISSP
Identity Architect
 
PS: Most of this is from a SANS class on incident handling.
 
 
 
----- Original Message -----
Sent: Wednesday, May 30, 2007 7:05 AM
Subject: [CISSP-D] Question about laptop theft & Incident Response
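As an added illustration of the containment step described in the reply above (this is my code, not the poster's or the SANS material), a small triage helper turns a constructed inventory record for the stolen laptop into the list of trust relationships to break, a data-exposure rating, and a flag for the mandatory-reporting review. The field names, the REPORTABLE set and the sample record are assumptions, not anything from the thread.

```python
# Added illustration of the containment step for a stolen laptop; not code from the
# thread or from SANS. Field names and the sample record are constructed/hypothetical.
from dataclasses import dataclass, field


@dataclass
class LaptopRecord:
    hostname: str
    full_disk_encryption: bool
    unlocked_when_stolen: bool = False          # FDE protects only a locked/powered-off device
    device_cert_serials: list = field(default_factory=list)   # VPN / Wi-Fi client certs
    ssh_key_fingerprints: list = field(default_factory=list)  # keys stored on the device
    cached_accounts: list = field(default_factory=list)       # accounts with cached creds
    data_classes: set = field(default_factory=set)            # e.g. {"financial", "pii"}


# Data classes that usually carry mandatory-reporting duties (assumption: adjust per jurisdiction).
REPORTABLE = {"pii", "phi", "cardholder"}


def contain(rec: LaptopRecord) -> dict:
    """Derive short-term containment actions from the inventory record.

    Every trust relationship the laptop held is treated as compromised and broken,
    regardless of encryption state: FDE protects data at rest, not a live session."""
    actions = [f"revoke device certificate {s}" for s in rec.device_cert_serials]
    actions += [f"remove authorized SSH key {f} from hosts" for f in rec.ssh_key_fingerprints]
    actions += [f"reset password and invalidate sessions for {a}" for a in rec.cached_accounts]
    # Remote wipe is irreversible, so it goes last and the decision is recorded with the evidence.
    actions.append(f"disable machine account and issue remote wipe for {rec.hostname}")
    # Data exposure is low only if the disk was encrypted AND the device was locked at theft.
    exposure = "low" if rec.full_disk_encryption and not rec.unlocked_when_stolen else "high"
    # Regulated data always goes to the reporting review; exposure sets its urgency.
    reporting_review = bool(rec.data_classes & REPORTABLE)
    return {"actions": actions, "exposure": exposure, "reporting_review": reporting_review}


# Constructed sample record for the scenario in the thread (financial data on the laptop).
SAMPLE = LaptopRecord(
    hostname="lt-0042", full_disk_encryption=True,
    device_cert_serials=["3A1F"], ssh_key_fingerprints=["SHA256:c0ns7ruc7ed"],
    cached_accounts=["rifa@example.com"], data_classes={"financial", "pii"},
)

if __name__ == "__main__":
    for key, value in contain(SAMPLE).items():
        print(key, value)
```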