Your organization is experiencing a data breach that has compromised systems internationally, and you must pull together resources to return your organization to normal effectively and efficiently. Communication and centralization of efforts will be key. The wrong move can cost your company dearly or even lead to the company being shut down because of regulatory fines, reputational damage, and lawsuits.
This is phase two of a multifaceted attack. In this exercise you will actively respond to the scenario as if it were an actual attack and interact with the other functional areas that would also be affected by the security incident.
The Scenario: OZCO Data Breach – INJECT
You now have what we call an “INJECT” into this scenario, which throws a few wrinkles into it, just as in the real world you cannot account for every move your attacker will make. An “INJECT” provides you with a changing environment and forces you to think critically about your next move and about how to achieve the goal of returning your organization to normal operations.
You return to your laptop to find the following demands displayed on your screen:
OZCO Customer & Employee PII For Sale. You are owned by “the void.” You have 48 hours to respond or your data will be sold!! Threat actor requests 35 bitcoins ($1,231,293.00) and sends a list of sample PII to validate this claim.
To further complicate matters, you have just gotten off a call with the VP of Marketing, who has heard about the data breach and requests a full debriefing. You have approximately 24 hours to pull together a PowerPoint that states whether or not there has been a data breach, your reasons for that decision, and the actions you propose to return the organization to normal. Detailed instructions for your PowerPoint follow below.
Your PowerPoint should consist of between 12 and 18 slides that address the scenario above. Include your international locations when constructing your systems, plans, processes, and procedures, and address the following elements:
Preparation: What systems, plans, processes, and procedures should be in place to detect this threat?
Detection: What systems, plans, processes, and procedures will allow you to detect these threats more efficiently?
Containment: What systems, plans, processes, and procedures should be in place to contain the threat?
Eradication: What systems, plans, processes, and procedures should be in place to remove the threat?
Recovery: What systems, plans, processes, and procedures should be in place to return your organization to normal?
Follow-up: What did we do right? What did we do wrong? What can we do better?
In addition to the above, the PowerPoint should include slides that cover the following:
A mock call tree for the incident response team, including backup team members and their phone numbers for use when primary members cannot be reached.
Information on whether your global company policy will comply with the attacker's extortion demand for payment. “Remember they have your data!” Why would you pay, or why not?
The scope of the incident: whether it qualifies as a global data breach, what severity level it has reached (Critical, Medium, Low), your reasons for that decision, and the actions you propose to return the global organization to normal. Be mindful of possible third-party partners and external legal resources.
The gaps in the plan and how they can be addressed. Remember that your company has international concerns!
Any questions missed in Phase I, so that you gain experience constructing a more efficient global plan and process to be leveraged in the next Preparation phase of the IRP revision.