NIST, GDPR, PCI-DSS, ISO 27001, CSF & FCA on Cyber Incident Response
Date: 11 May 2020
To discuss cyber incident response with the CEO, you must be familiar with ISO 27001, NIST's CSF, PCI-DSS, the NCSC's Cyber Assessment Framework and the other regulations and standards that cover cyber incident response and incident management.
In this blog, we cover the EU GDPR, PCI-DSS, NIST's CSF, NIST's Incident Handling Guide, ISO 27001:2013, California's Breach Notification and other standards and regulations and share a summary of what they dictate about cyber incident response and more.
First, know that all these regulations and standards refer to one or more of the below topics:
- Plans, processes and procedures for responding to cyber-attacks, created, maintained and updated regularly.
- Ability of an organisation to contain, eradicate and recover from cyber incidents.
- Ensuring IT and/or security staff are capable and have the appropriate training on detection and response technologies and processes.
- Data Breach Notification, the accurate and timely reporting of data breaches to relevant supervisory authorities and regulators.
Our NCSC-Certified Cyber Incident Planning & Response Course covers the above topics and more.
The EU GDPR and Data Breach Notification:
The GDPR has become synonymous with the protection of personal privacy. However, part of this privacy regulation requires that organisations be able to detect in a timely manner, and respond swiftly to, data breaches that impact natural living persons. Specifically, two articles of the EU GDPR speak about data breach notification, namely Article 33 and Article 34.
- Article 33 GDPR: Notification of a personal data breach to the supervisory authority: In summary, the organisation has 72 hours to inform the regulator of its country. Note that the breach must impact the data subjects' rights and freedoms for this to apply.
- Supporting Recitals: Recital 85, 86, 87 & 88
- Article 34 GDPR: Communication of a personal data breach to the data subject: In summary, you must also notify the data subject.
- Supporting Recitals: Recital 86, 87, 88 & 73
Please note: NOT all data breaches need to be reported. The points mentioned above, in relation to data breaches and the GDPR, are just the tip of the iceberg, and businesses that are inclined to become truly compliant are advised to review our CIPR workshop and its detailed modules. The CIPR course's module 9 on 'Regulations and Standards' discusses exactly what you need to know and how to ensure you meet your obligations under the above requirements. The UK's ICO holds the same position on reportable breaches. In the UK, the GDPR is officially known as the DPA 2018.
Reporting a breach is the easier part, especially if the media does it for you. However, to be on the front foot you need to ensure all your 'ducks' are in a row, including, but not limited to, monitoring, the coverage of that monitoring, detection technology, technology to protect the monitoring data, and staff who are adequately trained to operate the technology stack.
ISO 27001:2013 and the Management of a Security Incident
Annex A.16.1 of ISO 27001:2013 is devoted to everything about incident management, including reporting, assessment, response and lessons learnt (similar to, but different from, NIST). The NCSC-Certified CIPR course is geared to teach you how to achieve and comply with this section of ISO 27001. Below are the control descriptions listed in Annex A.16.1:
- 16.1.1 - Responsibilities and Procedures: As the name says: defined staff responsibilities for critical activities, and procedures that are fit for purpose and help you respond to different kinds of cyber-attacks.
- 16.1.2 - Reporting Information Security Incidents: Clear procedures, forms and workflows and awareness that ensures that staff know how to report security incidents.
- 16.1.3 - Reporting Information Security Weaknesses: Procedures and importantly staff empowerment to ensure all weaknesses are recorded formally.
- 16.1.4 - Assessment of, and decision on, Information Security Events: It may sound easy but timely and accurately assessing information security events and then classifying the events takes skilled staff, working and optimised technology controls along with fit-for-purpose processes and procedures.
- 16.1.5 - Response to Information Security Incidents: Equally important is the need to ensure rapid response to classified events.
- 16.1.6 - Learning From Information Security Incidents: More than the tired 'lessons learnt' this control asks that you have verifiable procedures and a culture where lessons are truly learnt and that knowledge is shared in a formal structured manner.
- 16.1.7 - Collection of Evidence: The NCSC-Certified CIPR course discusses the importance of not just collecting but also protecting the evidence. You must ensure that evidence is not only collected but also protected from any change.
ISO 27001 is often considered a prize and great effort is spent on achieving the ISO certification. In our opinion, this is a fallacy. It is our opinion that the ISMS, the Information Security Management System, the key and core component of ISO 27001:2013, must become part of the organisational culture.
When it comes to the ISO 27001 Annex A.16.1 controls, organisations must avoid focussing solely on the paper elements of the requirements, i.e. the reporting form and the procedure documentation, and instead focus on materially improving the organisation's cyber resilience posture by adopting our CIPR philosophy of CATTS: Critical Assets, Threats (to the critical assets), Threat Actors that can materialise those threats, and finally Scenarios that combine the CATT elements to impact your business. To further understand the requirements of ISO 27001 certification, you can go through our CIPR training, which delves deeper into the control descriptions given above.
The Payment Card Industry Data Security Standard is an information security standard for organisations that handle credit cards from the major card schemes. Card brands mandate the PCI Standard but the Payment Card Industry Security Standards Council administers the scheme.
In the PCI-DSS, there are several requirements that can be classified under Cyber Incident Planning & Response:
Requirement 10: Track and monitor all access to network resources and cardholder data: This requirement says you must log all user activity on critical system components so that you can go back, 'replay' the events and build a clear picture of what happened, when it happened and which user was involved.
- Requirements 10.1 & 10.2 talk about implementing audit trails and ask for enough audit detail to reconstruct events such as who accessed what, especially for privileged users.
- Requirement 10.3 sticks with auditing and is more prescriptive about what each audit record should contain, such as the time and the origination of the event.
- Requirement 10.5 talks about time and protecting time synchronisation.
- Requirement 10.6 talks about the necessity to regularly review the logs you are capturing and prescribes the minimum type of logs that you should review daily.
- Requirement 10.7 talks about how long you should retain logs. If you fall under the PCI-DSS scope, the recommended log retention period is 1 year.
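Requirement 10 lends itself to automated checks. As an added example (not from the original post, and not code from the PCI SSC), the Python below runs three such checks over a constructed JSON-lines audit trail: per-record completeness against the six data items Requirement 10.3 lists, a time-ordered timeline of privileged-user actions for 10.1/10.2 reconstruction, and the one-year retention horizon of 10.7. The field names, the `role` attribute, the `AS_OF` date and the sample log are assumptions.

```python
"""Audit-trail checks modelled on PCI-DSS Requirement 10 (added example)."""
import json
from datetime import datetime, timedelta, timezone

# 10.3: the six data items each audit record must carry (field names assumed).
REQUIRED_FIELDS = ("user", "event", "timestamp", "result", "origin", "target")
# 10.7: at least one year of audit history must be retained.
RETENTION = timedelta(days=365)
# Roles treated as privileged for the 10.2 reconstruction (assumed).
PRIVILEGED_ROLES = {"admin", "root"}
# Reference date for the retention check (assumed).
AS_OF = datetime(2020, 5, 11, tzinfo=timezone.utc)

# Constructed sample audit trail (JSON lines); the third record lacks "origin".
SAMPLE_LOG = """\
{"timestamp": "2020-05-10T08:01:02+00:00", "user": "alice", "role": "user", "event": "login", "result": "success", "origin": "10.0.0.5", "target": "pos-gw-01"}
{"timestamp": "2020-05-10T08:05:40+00:00", "user": "svc_dba", "role": "admin", "event": "read", "result": "success", "origin": "10.0.0.9", "target": "cardholder_db"}
{"timestamp": "2020-05-10T08:06:10+00:00", "user": "svc_dba", "role": "admin", "event": "export", "result": "failure", "target": "cardholder_db"}
{"timestamp": "2019-11-01T23:59:59+00:00", "user": "bob", "role": "user", "event": "logout", "result": "success", "origin": "10.0.0.7", "target": "pos-gw-02"}
"""


def parse_log(text):
    """Return one dict per non-empty line; timestamps become aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records


def missing_fields(records):
    """10.3: map record index -> list of required data items that are absent."""
    gaps = {}
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            gaps[i] = missing
    return gaps


def privileged_timeline(records):
    """10.1/10.2: reconstruct, in time order, what privileged users did."""
    priv = sorted((r for r in records if r.get("role") in PRIVILEGED_ROLES),
                  key=lambda r: r["timestamp"])
    return [(r["timestamp"].isoformat(), r["user"], r["event"],
             r["target"], r["result"]) for r in priv]


def retention_shortfall(records, now):
    """10.7: how much more history is needed before one full year is covered.

    Returns timedelta(0) once the oldest retained record is RETENTION old.
    """
    oldest = min(r["timestamp"] for r in records)
    return max(RETENTION - (now - oldest), timedelta(0))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("10.3 incomplete records:", missing_fields(recs))
    for row in privileged_timeline(recs):
        print("10.2 privileged action:", row)
    print("10.7 retention shortfall:", retention_shortfall(recs, AS_OF))
```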
Requirement 12: Maintain a policy that addresses information security for all personnel. Specifically, Requirement 12.5 says that you must assign to an individual or team the following information security management responsibilities:
- Requirement 12.5.2: Monitor and analyse security alerts and information, and distribute to appropriate personnel.
- Requirement 12.5.3 specifically calls out procedures for creating, maintaining and distributing procedures.
- Requirement 12.10 says you must implement an incident response plan.
- Requirement 12.10.1 adds that your incident response plan had better be fit for purpose and contain specific procedures for responding to an incident.
- Requirement 12.10.4 specifically talks about security breach response training for staff responsible for IR.
We like the Payment Card Industry's Data Security Standard. It's detailed and prescriptive and even if you are not processing credit card details you should consider reviewing the above controls (and other controls) to try to improve your cybersecurity and overall cyber resiliency.
Requirement 10 is more technical and is all about logging, what you should audit, how long you should maintain those logs and more. To summarise, PCI-DSS requirement 10 asks that you be able to piece together all the pieces of the puzzle during and after an attack.
Requirement 12 is about policy and says that your staff must be trained properly on the technology and know about the various policies and procedures on cyber incident detection and response.
However, the mandates and recommendations covered here are but a glimpse of the full extent of the PCI-DSS compliance requirements, which we cover in our CIPR training workshop. Businesses that are directly involved in the payment card industry, or those interested in enhancing their security posture by complying with these standards, are advised to gain a deeper understanding of them.
The NIST Security Incident Handling Guide:
The National Institute of Standards and Technology needs little introduction. NIST's Computer Security Incident Handling Guide has been the bible for incident response for ages. In summary, NIST (Special Publication 800-61 Revision 2) describes four key phases:
- Preparation: As the name implies, this is an important phase that involves planning for an incident. It may sound simple but this phase is about more than just creating a cyber incident response plan document. There are several areas that need to be considered including, but not limited to, the technology stack, communications and public relations, change control, contact details, training assessments, forensics, investigations, third-parties and more. Our NCSC-Certified Cyber Incident Planning & Response course takes you through this stage in detail. Trust us, it's crucial that you nail this phase.
- Detection & Analysis: The ability, technology and staff to detect and then analyse an incident are included in this phase. Early detection and accurate analysis are the key things to strive for here. Think about it this way: you are on holiday (not during this pandemic, but you get what we mean). A burglar alarm that does not detect a successful robbery in time, or simply fails to alert the police, is useless. The same is true of your organisation's detection and analysis capabilities.
- Containment, Eradication & Recovery: As it says on the tin and sticking with the burglar analogy, it would be completely pointless if the police took 2 hours to turn up at your burgled house (whilst you were on holiday). The same goes for a cyber-attack. Today's malware (malicious software) can spread in seconds and disable your laptops and servers permanently. Your response actions, especially that of containment, must match the speed of the malware's infection. If not, your business will be impacted.
- Post-Incident Activity: This phase is more than just 'lessons learned'. Professionally, this is a cliché that has lost its meaning. Knowledge sharing, customer/client management, public relations, review of technology stacks and up-skilling are some of the things that need to happen in this phase. In addition, you must use the knowledge gained from an attack to prepare and update your existing plans.
The above four phases are only part of the state of 'being prepared'. In our opinion, a significant amount of experience, effort, training and skill is involved in increasing an organisation's cyber resilience capability. We caution the reader against a dogged approach to compliance and/or religious dedication to a particular standard. On the contrary, we advise our clients to focus on the primary objective: ensuring the business can continue to operate and make a profit when significantly impacted by a cyber-attack. Further, for a detailed understanding of the NIST requirements, we advise our clients to put the key security decision-makers and associated stakeholders in their business through our CIPR training.
The NIST Cybersecurity Framework
This is another brilliant document from NIST that mentions five key areas namely, Identify, Protect, Detect, Respond and Recover. These areas are called Functions and these are further broken down into categories and then sub-categories. The sub-categories call for specific outcomes. For example:
The Detect Function (DE) has a category Anomalies and Events (AE) and the 2nd subcategory in AE says: Detected events are analysed to understand attack targets and methods.
There are too many sections in the CSF to cover in this blog and for a detailed understanding, interested businesses can look into our CIPR course, but here are a few:
- The Detect function has three categories namely, Anomalies and Events, Continuous Monitoring & Detection Processes.
- The Respond function includes Response Planning, Communications, Analysis, Mitigation and Improvements.
- In the Protect function, the Awareness and Training category says that staff must be trained so they can carry out their cybersecurity-related duties in accordance with processes, policies and procedures.
First published in 2014, NIST's Cybersecurity Framework and its IPDRR taxonomy (Identify, Protect, Detect, Respond and Recover) are often quoted by experienced cybersecurity practitioners around the world. We cannot say it better than NIST, which says this about the CSF: "The Framework focusses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organisation's risk management processes."
Although originally developed for Critical National Infrastructure (the original document is titled 'Framework for Improving Critical Infrastructure Cybersecurity'), the Cybersecurity Framework, or CSF, is used and implemented by companies of all verticals and sizes.
The UK’s National Cyber Security Centre (NCSC)
Similar to NIST's Cybersecurity Framework (CSF), the UK's NCSC created a Cyber Assessment Framework or CAF that is written with specific outcomes rather than a checklist of tick boxes. The Cyber Assessment Framework is quite comprehensive and has 14 principles. An organisation can carry out a self-assessment using this framework or the assessment can be carried out by an external consultant.
For most Principles, the NCSC defines three levels of achievement: Not Achieved, Partially Achieved and Achieved.
CAF Objective B - Protecting Against Cyber-Attack
Principle B5 - Resilient Networks & Systems
The aim here is to ensure that an organisation has resiliency built into its networks and systems so it can recover them and its business operations.
- B5.a Resilience Preparation
- B5.b Design for Resilience
- B5.c Backups
CAF Objective C - Detecting Cyber Security Events
Principle C1 - Security Monitoring
The objective here is to ensure that an organisation monitors its networks and systems so it can detect and track problems and confirm that existing controls are effective. Under C1 of the NCSC's CAF, the following address cyber incident response and cyber resilience:
- C1.a Monitoring Coverage
- C1.b Securing Logs
- C1.c Generating Alerts
- C1.d Identifying Security Incidents
- C1.e Monitoring Tools & Skills
Principle C2 - Proactive Security Event Discovery
As it says on the tin, the keyword here is proactive and to achieve that is not a simple task. Many moving components need to all align and move in unison, including having highly skilled staff, the right kind of technologies including automation technologies and optimised processes and procedures.
- C2.a System Abnormalities for Attack Detection
- C2.b Proactive Attack Discovery
The full CAF by the NCSC is comprehensive. Our NCSC-Certified CIPR course is the best place to get into the context of the CAF, which is also straightforward and, like NIST's CSF, does a good job of capturing the various stages or phases of a cyber-resilient organisation. However, organisations often get lost in the detail and, more importantly, lose sight of the main objective: being cyber resilient, i.e. being prepared to either carry on business operations or rapidly resume them in the face of a crisis.
The UK’s Financial Conduct Authority (FCA)
As you would expect, the UK's FCA has guidance and collateral on the topic of cyber incident response, and more specifically on notification.
Principle 11: The FCA has a total of 11 principles, and Principle 11 is the one that concerns us. Verbatim, Principle 11 of the FCA's Handbook says:
A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice.
As it says, organisations must be open and transparent. This principle 11 applies to regulated and unregulated activities.
In FCA's Handbook, SUP 15.3.1 is pretty clear (cyber incident or not),
A firm must notify the FCA immediately as it becomes aware, or has information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future:
- (2) any matter which could have a significant adverse impact on the firm's reputation; or
- (3) any matter which could affect the firm's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or
- (4) any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.
FCA's CQUEST Questionnaire
In addition to the above, the FCA and PRA (Prudential Regulation Authority) have a cybersecurity and cyber resilience questionnaire titled CQUEST that is divided into 6 categories, namely:
- Governance & Leadership (9 questions)
- Identity (6 questions)
- Protect (17 questions)
- Detect (8 questions)
- Respond (5 questions)
- Recover (3 questions)
Reporting a cyber incident - Principle 11 of the FCA Handbook
Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:
- results in significant loss of data, or the availability or control of your IT systems
- affects a large number of customers
- results in unauthorised access to, or malicious software present on, your information and communication systems
As mentioned in earlier sections, this blog aims only to offer a cursory view of the important stipulations of all this regulatory guidance; for a clearer perspective and guidelines on how to achieve complete compliance, you need to look at our CIPR course, which covers these subjects in detail.
California Data Security Breach Reporting
If California were a country, (apparently) it would be the 5th largest economy in the world! California does unique things and is also known for taking the lead on many fronts, including having a GDPR-like law called the CCPA (California Consumer Privacy Act).
California also has a specific law on Data Breach Notification known as the California Data Security Breach Reporting. Below is a part of what it states, verbatim.
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorised person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)
Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)
Other US States that have similar laws include:
- Oregon: You must notify concerned parties within 10 days of discovering a breach of security.
- Texas: You have to notify the affected individuals without undue delay but within 60 days.
- Washington: The notification used to be 45 days but is now 30 days.
The above is just a summary. As with any regulation, the 'devil is in the details', and if you come under the purview of the laws of California, you must check out the regulations in detail in our CIPR course.
If you need more information on how to design the most effective cyber incident response plans and inculcate best response practices, so that your business remains compliant and on top of data breaches, you could check out our GCHQ-Certified Cyber Incident Planning & Response course.