Cyber Security Capstone

Temple University

Week 11: Incident Response

July 19, 2019 by William Bailey 24 Comments

Answer at least one of the following questions:

You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.

  1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?
  2. What would your project plan look like if you must correct this finding prior to the next annual audit?


Comments

  1. Elizabeth V Calise says

    July 22, 2019 at 10:41 am

    1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    Organizations must meet some kind of requirements. There is some regulatory body that the organization needs to adhere to due to the nature of the company. As the norm, the company has someone who audits them to ensure they are complying and to look for any discrepancies. People tend to find these things daunting and don’t want to deal with them.

    The way you garner support for this effort if the organization disagrees with the regulator is to bring up the positive impact of redefining the Incident Response Planning. As the consultant, you raise that not continuing with the effort could lead to fines or other negative impacts. Going the route of speaking to the negative impacts may not be as useful. It will be better to talk about the positive benefits like being more secure, which means less likely to be breached or attacked. A consultant can also argue that the company can now say they adhere to the regulations and possibly mention the company has gone beyond the minimum standards. It will sound better. The company is expanding what it can do, and it will show what they are capable of and how they are taking the requirements seriously. It can even entice people to buy the company’s products or services.

    • Oby Okereke says

      July 25, 2019 at 8:15 am

      Hi Elizabeth:

      Certainly, raising the positive benefits of addressing the finding is a good path to follow. I’m on your side on that note and will naturally toe the same line, preferring to dig deeper into the finding seeking factual evidence to uncover the material weakness as stated by the regulators.

      Most regulators work purely on factual evidence, and it’s OK to disagree if alternate evidence to prove the regulators wrong exists.

      Navigating this curve to garner support of the organization requires a careful reconciliation of facts between what the organization thinks and the findings of the regulators.

    • Jonathan Duani says

      July 28, 2019 at 5:27 pm

      Elizabeth,

      I definitely agree with your statement about showing them the positive impacts that an IR plan would have on an organization. From my perspective the most important thing is that the company understands how much it would save in the long run with this plan in place. They need to understand the risk associated with not having one and make sure they are aware of the worst-case scenario of what could happen if something were to occur. I think a lot of management is sadly driven by a numerical dollar amount, and they will understand that the positive would be that they could save money in the long run even though it’s a pretty high initial investment.

  2. Brock Donnelly says

    July 22, 2019 at 1:58 pm

    How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    It is very likely that the regulator found something that does not comply with the organization’s main goals or business requirements. Aligning the discovery of the regulator with the organization’s business goals/plan or culture should inspire an unsupportive member. Compliance could be the main reason for a redefinition of the Incident Response Program. Providing an assessment of monetary cost (fines, lawsuits, etc.) to the organization with a scope of five, ten, and twenty years versus the upfront cost of change today would also sway a visionless C-level executive. Help can also come with numbers. Try finding others within your organization that can agree with your goals and ask them to help push your initiatives.

    • Jonathan Duani says

      July 28, 2019 at 5:56 pm

      Brock,

      I agree that if the regulator was looking around and it got to the point where they need to garner support to make a change, then management should definitely hear them out. If there is a situation that requires a change in the plan or a creation of a plan as a whole, it could save the company money and time in the long run in case something happens.

  3. Scott Radaszkiewicz says

    July 22, 2019 at 2:01 pm

    You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.

    How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    Garnering support for an initiative that no one believes is correct is a daunting task. The first thing that should be done is to discuss the findings with the regulator and try to get a better understanding of the result. It’s possible the regulator is wrong; not everyone is infallible. This evaluation must be done with senior management involved. If the regulator and the organization still disagree on the findings, I think the next step would be to involve the regulator’s superiors to ensure the regulator’s ruling is correct. If the findings are ruled to be correct, then the organization should do everything within its power to understand why the regulator is stating that this is the correct finding. If the organization still disagrees with the findings, they must, at the very least, come to terms with the fact that this is a regulation and they must comply with the letter of the law, even if they disagree.

    Rules and regulations are put into place and an organization is bound to comply with them. Even when disagreements are present, the ramifications of not complying could be drastic. To garner support, senior management must understand that compliance is vital. Senior management should make the organization understand that, while we may disagree with the findings, we are going to comply with the law and take the action that is necessary to correct the finding. Also, senior management could express that even though they are complying, they are going to continue to express their concern over the findings and maybe change the regulations, or get a better understanding of the required regulations.

  4. Dima Dabbas says

    July 22, 2019 at 6:22 pm

    1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    There needs to be support from the organization to understand why the Incident Response Program needs to be redefined. Organizations should comply with regulations as they help ensure that the organization is running properly and in a secure manner. It is not an easy task to gain people’s support for something that they disagree with, but I would try to make them understand the benefits that this may have on the organization and how it in the end helps in accomplishing the organization’s goals and objectives.

    2. What would your project plan look like if you must correct this finding prior to the next annual audit?

    The project plan needs to be documented in a way where the benefits are clear to senior management and to employees to ensure they understand the purpose of addressing the audit finding and resolving it. Presenting the impact that this audit finding will have on the organization negatively and how it can impact the organization’s mission and goals will give senior management and employees a clearer reason of why this needs to be addressed. Thorough planning, testing and agreement from senior management will help guarantee that the audit finding is corrected in the next annual audit.

    • Elizabeth V Calise says

      July 28, 2019 at 8:10 am

      Dima,

      In regards to your response to question 2, I could not agree more. The positives/benefits need to be outlined in the project plan. The plan needs to encourage the employees and make them motivated towards correcting the findings. One can mention the penalties as a note, but I think it is more encouraging to go into detail about the benefits. I think one would get more out of the employees that way.

    • Jonathan Duani says

      July 28, 2019 at 6:29 pm

      Dima,

      I agree that at the end of the day documentation is key, and making sure that everything is outlined clearly and consistently would help in the long run. I do agree with your statement that “Thorough planning, testing and agreement from senior management will help guarantee that the audit finding is corrected in the next annual audit.” I think as long as everyone is on board and the documentation is correct, it could be ready for the next audit cycle.

  5. Ahmed A. Alkaysi says

    July 22, 2019 at 6:27 pm

    How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    I would identify the risks of not completing this work and the level of effort required to mitigate the risks. The penalties of not complying and vulnerabilities getting exploited might be substantial enough to get senior management’s attention and have them invest in redefining the Incident Response Program. All of this needs to be researched and presented to management in a formal manner. In order to better understand the issue, I need the regulator to provide evidence and information regarding the finding. Just saying it is an issue is not good enough. In order for management to be persuaded, they must understand the What and the Why.

    What would your project plan look like if you must correct this finding prior to the next annual audit?

    There will be multiple steps included in the project plan. First, I would need to identify the required parties and the owner of this issue. Then we would need to understand the requirements and potential impacts. The LoE would need to be determined and the ETA for completion. Another step would be to identify the testing that is required and how to communicate the change to relevant parties.

  6. Jonathan Duani says

    July 22, 2019 at 11:09 pm

    If a company disagrees with the findings of the regulator, it will cause a challenge to obtain support for an incident response plan update. It is important to get senior leadership involved so that they can get the proper support for redefining the incident response plan. You should present to senior leadership the ROI if the company were to invest in fixing the incident response plan based on the findings of the external company. There is also a customer relationship with a trusted company in the industry that is helping with this. Also, there is the fact that you could run a simulation to prove in black and white why the plan is so desperately needed and needs to be accurate.

    • Dima Dabbas says

      July 28, 2019 at 6:36 am

      Jonathan,

      I agree. Senior leadership needs to be involved in situations like this and needs to understand the purpose of redefining the incident response plan. Once there is support from senior leadership, it would be a lot easier to get the other employees within the organization on the same page as well. It will require presenting facts to let them understand why the plan needs to be redefined and what impacts this has on the organization.

  7. Duy Nguyen says

    July 23, 2019 at 10:34 am

    How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    Like in many top-down management styled organizations, the initiatives, goals, and directives come from senior management. Buy-in from senior management is critical in communicating any new policies or processes. In a top-down organization, tone and expectations trickle down from leadership. In most cases, it’s not up to the organization to agree or disagree with regulations. Regulations on InfoSec requirements are intended to improve and regulate the information security levels of organizations within that industry.

    • Oby Okereke says

      July 26, 2019 at 12:25 am

      Hi Duy:

      I definitely agree with you. The tone at the top determines the overall level of effort required to garner support if the organization disagrees with an audit finding. Thus, if leadership is fully engaged with the audit process as expected, the organization’s leadership will not rail against the finding but will necessarily possess an in-depth knowledge of the control environment, and as such will be able to navigate and unearth the root cause of the finding and the required corrective steps, if any, as well as provide evidence as to why the finding does not speak true to the control environment.

    • Elizabeth V Calise says

      July 28, 2019 at 8:23 am

      Duy,

      You made a good point; leadership is one of the keys. You need leadership to speak up about their support of the regulators in a positive tone. If the leaders are on board, so will the majority be. When it comes to these topics, I have seen where there are large virtual meetings where many people from the team can attend and leaders are speaking and having a fluid conversation. That could be something that could work when wanting to flow down the support.

  8. Folake Stella Alabede says

    July 24, 2019 at 10:36 pm

    How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    I’ve come across questions like these a few times; one or two times, interviewers have asked me questions like: what do you do when an organization would not accept a finding? Or what do you do if the organization is not taking steps to remediate a finding?

    The organization should not blatantly ‘disagree’ with a regulator’s finding, because a finding indicates that some form of substantive/compliance testing has been performed, and there is documentation that attests to the findings; documents don’t lie, either.

    A finding in an Incident Response could have a serious impact on an organization depending on the nature of the organization’s business. The consultant should garner support by explaining this and giving (quantitative and qualitative) real life examples/scenarios of what could happen if the Incident Response plan is not redefined.

    • Oby Okereke says

      July 26, 2019 at 8:20 am

      Hi Stella,

      I have to agree with you, and if I’m correct, auditing is your bread and butter, and as such, your opinion is a professional representation of your experience in the field.

      A blatant disagreement with the regulators will not serve the “auditee” well because such findings are necessarily a call for improvement and should be well received and acknowledged, researched, and if found true, the “auditee” can proceed to establish substantiated, valid evidence to the regulators.

  9. Sheena L. Thomas says

    July 24, 2019 at 11:54 pm

    Since it’s a regulatory finding, I would garner support by explaining the consequences of not complying with a regulatory finding. More than likely the consequences would include, but are not limited to, criminal penalties, legal action, reputational damage, and fines.

    My project plan would include the following items:
    - The finding
    - Work Breakdown Structure
    - Deliverables
    - Mitigating controls
    - Who will implement the mitigating controls
    - Schedule
    - Budget
    - Communication

    • Dima Dabbas says

      July 28, 2019 at 6:41 am

      Sheena,

      You make valid points. Presenting the consequences of not complying with a regulatory requirement can help employees understand that they need to support this. There are obvious reasons why this is needed, and the next step would be figuring out the project plan of how this needs to be implemented. The items you included in the project plan are all important; from these different items we see that the organization as a whole needs to be in this in order for the project plan to be implemented successfully.

  10. Oby Okereke says

    July 26, 2019 at 12:08 am

    What would your project plan look like if you must correct this finding prior to the next annual audit?

    Addressing an audit finding is a procedure that calls for a carefully thought out project plan. Of course, some findings require minimal effort and resources while some others require a budget that needs to be carefully disbursed to fully meet the compliance and conformance to the finding.

    My first step would necessarily be to determine the root cause of the finding. Asking the question why the gap exists will form the basis of the project plan and the required corrective actions.

    In defining my project plan, three questions need to be answered: who is responsible for resolving the finding, what is required to be done, and then finally the timeline as to when the corrective action(s) must be completed in time before the annual audit occurs.

    A broad overview of my project plan will include the following:

    1. Root cause

    2. Project scope

    3. Project team members – with specific assigned responsibilities

    4. Time-frame for corrective action(s) implementation – start and finish date

    5. What actions need to be carried out

    6. Project close-out – report generation

    7. Ongoing review and monitoring

    • Dima Dabbas says

      July 28, 2019 at 6:57 am

      Oby,

      Interesting points. I agree that first there needs to be an understanding of the gap that exists that is requiring the organization to make these changes. Understanding the gap ensures that there is careful planning in this future project that addresses and corrects the gap. Assigning responsibilities to the different team members is also an important task, as this ensures that we have the personnel that will aid in completing this project, which is the reason we need to have the full support of the organization.

    • Jonathan Duani says

      July 28, 2019 at 6:35 pm

      Oby,

      Much like Dima has mentioned, I do feel like there needs to be a clear understanding of where the disconnection is so that there can be a plan put in place. I think that the idea you put out with the different steps was great and a different way to answer the question. I think that at the end of the day the three questions that need to be answered that you mentioned are probably a great way to look at the problem, and if you are able to resolve these questions then the issue should be resolved.

  11. Jonathan Reid Kerr says

    July 26, 2019 at 2:30 pm

    1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?

    In order to gain organizational support, it is important to understand that you are not necessarily trying to make the leadership agree with the findings. The most important part is getting those in charge to understand the importance of the findings and agreeing to redefine the Incident Response Program. While making the organization agree with the documented findings would make the rest easier to deal with, it isn’t the only method to getting leadership to act.

    Getting senior leadership buy-in is key to getting the organization to act. One of the best ways to accomplish that is to show how the regulator’s findings will impact the organization if no action is taken. This can be monetary impacts or an impact to the company’s reputation if the program is not redefined. Furthermore, assessing and presenting the risks involved with not complying with the regulator’s findings will aid in gaining executive buy-in.

  12. Steve Pote says

    July 28, 2019 at 10:18 pm

    This is so near an Intrusion Detection assignment I feel guilt. I have a slide deck for this.

    Support for direction in redefining the IRP would best come from peers in the same vertical or business. If peers comply, compliance is the suggested path, complete with their map. If they disagree, they set precedent both in disagreement and in how ~they~ corrected the finding. The ultimate support is knowing the regulators will be by again.

    Actual handling should mirror a breach, as mitigation of such risk is the goal of regulation in the first place. The business impact of a finding can be the business impact of a breach less damages.

    The project plan would be steps to build a Security Operations Center... In this case a team not only to work through the current regulatory question but recognizing the iterative need – you may be able to achieve compliance and a generally secure state now, but wait and that will surely change.
