Incident Response Plan

Document Control

Document Owner: Gareth Jones
Last updated: April 26, 2022

Executive Summary

To maintain the trust of our employees, customers, and partners and meet regulatory requirements, it is essential that we do everything we can to protect confidential information and systems in the face of a cyberattack. The better prepared we are to respond to a potential cyberattack, the faster we can eradicate any threat and reduce the impact on our business.

This document describes the plan for responding to information security incidents at Sparrow Connected Inc. This document will explain how to detect and react to cybersecurity incidents and data breaches, determine their scope and risk, respond appropriately and quickly, and communicate the results and risks to all stakeholders.

Effective incident response involves every part of our organization, including IT teams, legal, technical support, human resources, corporate communications, and business operations. It is important that you read and understand your role as well as the ways you will coordinate with others.

This plan will be updated annually to reflect organizational changes, new technologies and new compliance requirements that inform our cybersecurity strategy. We will conduct regular testing of this plan to ensure everyone is fully trained to participate in effective incident response.

Roles, Responsibilities & Contact Information

This Security Incident Response Plan must be followed by all personnel, including all employees, temporary staff, consultants, contractors, suppliers and third parties operating on behalf of Sparrow Connected Inc. For the purposes of this document all personnel are referred to as ‘staff’.

Below are details about the roles and responsibilities of each member of Sparrow Connected Inc. to prevent and respond to a workplace incident. It is not an exhaustive list of duties but designed to give each employee a general understanding of their role and the roles of other employees in incident response and prevention.

Overview

The Incident Response Lead is responsible for:

Making sure that the Security Incident Response Plan and associated response and escalation procedures are defined and documented. This is to ensure that the handling of security incidents is timely and effective.
Making sure that the Security Incident Response Plan is current, reviewed and tested at least once each year.
Making sure that staff with Security Incident Response Plan responsibilities are properly trained at least once each year.
Leading the investigation of a suspected breach or reported security incident and initiating the Security Incident Response Plan when needed.
Reporting to and liaising with external parties, including pertinent business partners, legal representation, law enforcement, etc., as is required.
Authorizing on-site investigations by appropriate law enforcement or third-party security/forensic personnel, as required during any security incident investigation. This includes authorizing access to/removal of evidence from site.

Security Incident Response Team (SIRT) members are responsible for:

Making sure that all staff understand how to identify and report a suspected or actual security incident.
Advising the Incident Response Lead of an incident when they receive a security incident report from staff.
Investigating and documenting each reported incident.
Taking action to limit the exposure of sensitive data and to reduce the risks that may be associated with any incident.
Gathering, reviewing, and analysing logs and related information from various central and local safeguards, security measures and controls.
Documenting and maintaining accurate and detailed records of the incident and all activities that were undertaken in response to an incident.
Assisting law enforcement during the investigation processes. This includes any forensic investigations and prosecutions.
Initiating follow-up actions to reduce likelihood of recurrence, as appropriate.
Determining if policies, processes, technologies, security measures or controls need to be updated to avoid a similar incident in the future. They also need to consider whether additional safeguards are required in the environment where the incident occurred.

All staff members are responsible for:

Making sure they understand how to identify and report a suspected or actual security incident.
Reporting a suspected or actual security incident to the Incident Response Lead (preferable) or to another member of the Security Incident Response Team (SIRT).
Reporting any security related issues or concerns to line management, or to a member of the SIRT.
Complying with the security policies and procedures of Sparrow Connected Inc. The Sparrow team is constantly looking at opportunities to raise our level of redundancy and increase our robustness. As we examine new technologies and look at our ever-growing options, we revisit the changes in the needs of our customers to see how we can exceed expectations.

Roles & Responsibility Matrix

Role	Responsibility	Contact Details
Technical
CTO/CISO	Strategic lead. Develops technical, operational, and financial risk ranking criteria used to prioritize incident response plan. Authorizes when and how incident details are reported. Main point of contact for executive team and Board of Directors.	Name: Gareth Jones Email: gareth.jones@sparrowconnected.com
Security Team	Central team that authorizes and coordinates incident response across multiple teams and functions through all stages of a cyber incident. Maintains incident response plan, documentation, and catalog of incidents. Responsible for identifying, confirming, and evaluating extent of incidents. Conducts random security checks to ensure readiness to respond to a cyberattack. Responsible for privilege management, enterprise password protection and role-based access control. Discovers, audits, and reports on all privilege usage. Conducts random checks to audit privileged accounts, validate whether they are required, and re-authenticate those that are. Monitors privileged account uses and proactively checks for indicators of compromise, such as excessive logins, or other unusual behavior. Informs incident response team of potential attacks that compromise privileged accounts, validates and reports on the extent of attacks. Takes action to prevent the spread of a breach by updating privileges. Provides security bulletins and technical guidance to employees & customers in case of a breach, including required software updates, password changes, or other system changes.	Name: Sparrow Security Email: security@sparrowconnected.com
IT Operations & Support Team	Manages access to systems and applications for internal staff and partners. Centrally manages patches, hardware and software updates, and other system upgrades to prevent and contain a cyberattack.	Name: Sparrow Support Email: support@sparrowconnected.com
Compliance
CTO/CISO In consultation with external Legal Counsel	Confirms requirements for informing employees, customers, and the public about cyber breaches. Responsible for checking in with local law enforcement. Ensures IT team has legal authority for privilege account monitoring. Communicates with regulatory bodies, following mandated reporting requirements. Coordinates internal employee communications regarding breaches of personal information and responds to questions from employees.	Name: Gareth Jones Email: gareth.jones@sparrowconnected.com
Communications
Web & Social Media Lead	Posts information on the company website, email, and social media channels regarding the breach, including our response and recommendations for users. Sets up monitoring across social media channels to ensure we receive feedback or questions sent by customers through social media.	Name: Karen Yao Email: karen.yao@sparrowconnected.com
Executive
CEO	Communicates externally with customers, partners, and the media. Coordinates all communications and request for interviews with internal subject matter experts and security team. Maintains draft crisis communications plans and statements which can be customized and distributed quickly in case of a breach.	Name: Chris Izquierdo Email: chris.izquierdo@sparrowconnected.com

Testing and Updates

Annual testing of the Incident Response Plan using walkthroughs and practical simulations of potential incident scenarios is necessary to ensure the SIRT are aware of their obligations, unless real incidents occur which test the full functionality of the process.

The Incident Response Plan will be tested [at least once annually].
The Incident Response Plan Testing will test [your business]’s response to potential incident scenarios to identify process gaps and improvement areas.
The SIRT will record observations made during the testing, such as steps that were poorly executed or misunderstood by participants and those aspects that need improvement.
The Incident Response Lead will ensure the Security Incident Response Plan is updated and distributed to SIRT members.

Incident Response Process

Overview

Below is the structured 6-step process followed in this document as defined by the SANS Institute in their Incident Handler’s Handbook. The six steps outlined are:

Preparation—review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which are critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).
Identification—monitor IT systems and detect deviations from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
Containment—perform short-term containment, for example by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems.
Eradication—remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
Recovery—bring affected production systems back online carefully, to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity.
Lessons learned—no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved.

Incident Response Checklist

To demonstrate and improve the effectiveness of Sparrow Connected Inc. incident response team and security tools, Sparrow Connected Inc. requires a record of all actions taken during each phase of an incident. Supporting documentation is required, including all forensic evidence collected such as activity logs, memory dumps, audits, network traffic, and disk images.

Phase of cyber incident	Action	Team Member/ System	Day/time Action Taken
Incident Discovery and Confirmation	Describe how the team first learned of the attack (security researcher, partner, employee, customer, auditor, internal security alert, etc.).
	Analyze audit logs and security applications to identify unusual or suspicious account behavior or activities that indicate a likely attack and confirm attack has occurred.
	Describe potential attacker, including known or expected capabilities, behaviors, and motivations.
	Identify access point and source of attack (endpoint, application, malware downloaded, etc.) and responsible party.
	Prepare an incident timeline to keep an ongoing record of when the attack occurred and subsequent milestones in analysis and response.
	Check applications for signatures, IP address ranges, files hashes, processes, executables names, URLs, and domain names of known malicious websites.
	Evaluate extent of damage upon discovery and risk to systems and privileged accounts. Audit which privileged accounts have been used recently, whether any passwords have been changed, and what applications have been executed. (See Appendix A for more information on Threat Classification).
	Review your information assets list to identify which assets have been potentially compromised. Note integrity of assets and evidence gathered. (See Appendix A for more information on Threat Classification).
	Diagram the path of the incident/attack to provide an “at-a-glance” view from the initial breach to escalation and movement tracked across the network.
	Collect meeting notes in a central repository to use in preparing communications with stakeholders.
	Inform employees regarding discovery.
	Analyze incident Indicators of Compromise (IOCs) with threat intelligence tools.
	Potentially share information externally about breach discovery. You may choose to hold communications during this phase until you have contained the breach to increase your chances of catching the attacker. If so, make sure this aligns with your compliance requirements.
Containment and Continuity	Enable temporary privileged accounts to be used by the technical and security team to quickly access and monitor systems.
	Protect evidence. Back up any compromised systems as soon as possible, prior to performing any actions that could affect data integrity on the original media.
	Force multi-factor authentication or peer review to ensure privileges are being used appropriately.
	Change passwords for all users, service, application, and network accounts.
	Increase the sensitivity of application security controls (allowing, denying, and restricting) to prevent malicious malware from being distributed by the attacker.
	Remove systems from production or take systems offline if needed.
	Inform employees regarding breach containment.
	Analyze, record, and confirm any instances of potential data exfiltration occurrences across the network.
	Potentially share information externally regarding breach containment (website updates, emails, social media posts, tech support bulletins, etc.).
Eradication	Close firewall ports and network connections.
	Test devices and applications to be sure any malicious code is removed.
	Compare data before and after the incident to ensure systems are reset properly.
	Inform employees regarding eradication.
	Potentially share information externally regarding eradication (website updates, emails, social media posts, tech support bulletins, etc.).
Recovery	Download and apply security patches.
	Close network access and reset passwords.
	Conduct vulnerability analysis.
	Return any systems that were taken offline to production.
	Inform employees regarding recovery.
	Share information externally regarding recovery (website updates, emails, social media posts, tech support bulletins, etc.).
Lessons Learned	Review forensic evidence collected.
	Assess incident cost.
	Write an Executive Summary of the incident.
	Report to executive team and auditors if necessary.
	Implement additional training for everyone involved in incident response and all employees.
	Update incident response plan.
	Inform employees regarding lessons learned, additional training, etc.
	Potentially share information externally (website updates, emails, social media posts, tech support bulletins, etc.).

Responsibilities at a Glance

Activity	Role
	CSIRT Incident Lead	IT Contact	Legal Representative	Communications Officer	Executive
Initial Assessment	Owner	Advises	None	None	None
Initial Response	Owner	Implements	Updates	Updates	Updates
Collects Forensic Evidence	Implements	Advises	Owner	None	None
Implements Temporary Fix	Owner	Implements	Updates	Updates	Advises
Sends Communication	Advises	Advises	Advises	Implements	Owner
Check with Local Law Enforcement	Updates	Updates	Implements	Updates	Owner
Implements Permanent Fix	Owner	Implements	Updates	Updates	Updates
Determines Financial Impact on Business	Updates	Updates	Advises	Updates	Owner

Document Control

Executive Summary

Roles, Responsibilities & Contact Information

Overview

Roles & Responsibility Matrix

Testing and Updates

Incident Response Process

Overview

Incident Response Checklist

Responsibilities at a Glance

Questions or concerns?