Incident Response

Business Continuity and Incident Response both fall under the Information Security Program umbrella, designed to complement each other to protect the Confidentiality, Integrity, and Availability of data and information technology assets. Both follow a similar set of steps in the development and execution of documented strategies. Incident Response is typically used to plan for scenarios that include the potential for exposure of sensitive data, or unauthorized access of IT. Most of these threats are associated with cybersecurity risk.

The Business Continuity Team at CU*Answers oversees the Incident Response program for the CUSO, working closely with Networking and Security Operations as well as Internal Auditing for compliance purposes. Multiple audits and examinations are conducted on a regular basis, internal and independent, with reporting provided to Senior Management and the Board of Directors. Results of these audits and examinations are reviewed as part of our SSAE-18 audit process with both SOC I and SOC II reports available at https://www.cuanswers.com/about/due-diligence-materials/.

A key component of the Information Security Program

Incident Response is a critical component of the Information Security Program, identifying processes and procedures to follow in the event of a security attack. While controls are implemented to prevent, deter, and detect attacks, bad actors are often skillful in finding their way around (or sometimes even through) these controls, or are able to identify and exploit a vulnerability before teams have had a chance to remediate it.

Incident Response requires a set of skills and experiences not often found within the employee base of most financial institutions. It is the next evolution of cybersecurity awareness training, with roles and responsibilities identified for members of the Incident Response Teams. As a CUSO and core processor, CU*Answers provides regular educational webinars on the topic as well as resources and services to help credit unions address any gaps on their response teams.

The threat landscape in the cybersecurity realm is always changing as bad actors seek new methods of monetizing their efforts. It’s imperative that CUSOs and credit unions include Incident Response development as part of their overall program, seeking to continuously strengthen the security posture.

incident response awareness training
incident response plan development
incident response plan testing

Resources available to enhance the security posture for CUSOs and credit unions.

Your Incident Response Strategy

Effective Incident Response begins with a solid risk-based Information Security Management program.  As a financial institution, regular Risk Assessments should be performed to measure inherent and residual risks, uncovering areas where controls are missing or weak (relative to your risk appetite), as well as identifying likely scenarios to plan your response efforts. Along with the regular Risk Assessments, networks and systems must both be scanned for vulnerabilities, and their controls tested regularly for effectiveness.

A culture of security is perhaps the organization’s best defense against an attack. Influencing staff behavior begins with carefully designed and clearly understood security policies. An ongoing cybersecurity awareness training program is vital, given that more than 90% of all data breaches begin with social engineering tactics, such as phishing or credential theft. For those staff with specific roles on the Incident Response Team, adequate training is required to develop the skills and experience needed, as well as identifying areas where gaps exist, indicating the need for additional training or outsourcing.

Specific processes and procedures for responding to security incidents must be documented and validated through an ongoing testing program. These must address each stage of an incident response, from detection and containment to remediation and recovery. Several resources are available from regulatory agencies, as well as case studies from actual incidents.  These resources help to define guidelines and best practices as part of intelligence sharing activities.

Effective communication and notification during an incident response is a key element and a regulatory requirement under specific circumstances. Communications among response team members during the initial stages of an attack help to initiate proper containment strategies. Communicating with all key stakeholders is important to maintaining control of the message and protecting the reputation of the organization.

The Incident Response Team

The Incident Response Team is made up of a cross-enterprise group, responsible for quickly identifying threats to the organization, assessing the level of risk, and taking immediate steps to mitigate impact and loss. The team notifies appropriate authorities and mobilizes response and recovery teams to bring operations back to normal.

incident response team flow chart

Identify and seek to fill the skills gaps of your response team members.

The Incident Response Team is comprised of a blend of internal and external parties, including legal counsel, law enforcement, cybersecurity insurance agents, as well as breach experts. Roles are often grouped by function, including the technology response, operations response to maintain at least a minimal level of services for members, as well as back-office administration. It’s important to identify the members of your Incident Response Team and seek to fill any skills and experience gaps through additional training and/or outsourcing to a trusted vendor.

Stages of an Incident Response

Whether we like it or not, every organization is either undergoing a cybersecurity attack, just coming out of a cybersecurity attack, or preparing for the next attack to begin. With a continuously evolving threat landscape, it is imperative that CUSOs and credit unions adapt to maintain a strong security posture. Recognizing that an attack is underway requires having a general knowledge of the typical stages of an Incident Response.

stages of incident response

Stages of a Cybersecurity Incident

  1. Preparation: Like good physical health, these are the activities we do (or don’t do) to maintain a strong security posture.
    • This starts with strong security policies, an ongoing cybersecurity awareness and training program, a layered approach to security controls such as multi-factor authentication, vulnerability scanning and patch management, comprehensive risk assessments, and regular testing and exercises.
  2. Detection: What activity on your network should you be monitoring? Where are the early signs of an attack likely to surface?
    • A few key questions to ask include:
      • What activity on your network should you be monitoring?
      • Where are the early signs of an attack likely to surface?
  3. Containment: What tools and procedures will your response team follow to quickly isolate and contain the attack, whether malicious software, an exploited vulnerability, or stolen network account?
    • What tools and procedures will your response team follow to quickly isolate and contain the attack, whether malicious software, an exploited vulnerability, or stolen network account?
  4. Remediation: What tools and procedures will your response team follow to completely eradicate the attack, including locating the means of ingress to prevent future occurrences?
    • What tools and procedures will your response team follow to completely eradicate the attack, including locating the means of ingress to prevent future occurrences?
  5. Recovery: What is the process for returning to a normal business state so that you can continue serving your member base.
    • This is only possible with a solid business continuity program that includes protected, immutable data backups and available resources to recreate the production environment.
  6. Post-Incident Analysis: What did we learn about this incident and what steps can we take to strengthen our posture and enhance our response?
    • What did you learn about this incident and what steps can you take to strengthen our posture and enhance our response?
  7. Risk Mitigation: Everything that is learned through each stage of the response as well as case studies from incidents reported by other financial institutions collectively teach us how to better mitigate and manage risk.
    • This information must be disseminated to the response team and all staff through awareness and training events such as a simulation-based tabletop exercise.

All of the above should be documented in your Incident Response Plan and tested and reviewed regularly to ensure it remains relevant to credit union operations.

Resources available for CUSOs and Credit Unions

CU*Answers and AdvantageCIO have several services and resources to help you achieve your goals in this area.

business continuity disaster recovery
incident response / information security
vendor due diligence

Resources available to enhance the security posture for CUSOs and credit unions.

Due diligence documentation including risk assessment tools for:

Updated
May 19, 2023

HA Rollback Completed – Report Coming Soon

HA Rollback Completed – Report Coming Soon

The HA Rollback was successfully completed on Sunday, April 7th.  This marks the conclusion of the March HA Rollover event. In the days ahead, we will be preparing a gap analysis report on the HA Rollover event, which will include details about the exercise, challenges observed, lessons learned, and recommendations for improving the process.  An… Read more »

Apr 8, 2024

Reminder: HA Rollback This Weekend

Reminder: HA Rollback This Weekend

Rescheduled from our original targeted date of March 17th, the high-availability rollback event will now be occurring this weekend.  The rollback process will begin Sunday, April 7th at 3:00 AM ET. During this time, there will be a period of approximately 60 to 90 minutes that will include an interruption to the following services: CU*BASE/GOLD,… Read more »

Apr 4, 2024

Reminder: HA Rollback This Weekend

Reminder: HA Rollback This Weekend

This is a reminder of the high-availability rollback event that will be occurring this weekend.  The rollback process will begin Sunday, March 17th at 3:00 AM ET. During this time, there will be a period of approximately 60 to 90 minutes that will include an interruption to the following services: CU*BASE/GOLD, CU*Talk audio response and… Read more »

Mar 14, 2024

HA Rollover Event this Weekend – Updates to be Posted on CU*BASE Alerts Page

HA Rollover Event this Weekend – Updates to be Posted on CU*BASE Alerts Page

Don’t forget: this weekend, we will be testing our ability to redirect CU*BASE core-processing from our production data center to our high-availability (HA) data center.  The Rollover event is scheduled to begin at 1:00 AM ET on Sunday, March 10th.  Once completed, CU*BASE core-processing will be provided from systems at the HA data center for… Read more »

Mar 7, 2024

Reminder: The Next HA Rollover is Coming March 10th – We Need You to Perform a Connectivity Test!

Reminder: The Next HA Rollover is Coming March 10th – We Need You to Perform a Connectivity Test!

Twice each year, CU*Answers tests our ability to redirect CU*BASE core-processing from our production data center in Kentwood, MI to our high-availability (HA) data center in Yankton, SD.  The next HA rollover is scheduled for Sunday, March 10th. The rollover is scheduled to begin at 1:00 AM ET on Sunday, March 10th with the rollback… Read more »

Feb 27, 2024

Network Maintenance Project Scheduled for Sunday, March 10th

Network Maintenance Project Scheduled for Sunday, March 10th

As a reminder, CU*Answers will be performing our next CU*BASE high-availability (HA) rollover on Sunday, March 10th.   That same morning, teams will be rolling over online and mobile banking systems to servers at our secondary data center. These rollovers are in preparation for a maintenance project at our production data center that will include… Read more »

Feb 27, 2024

Reminder: The Next HA Rollover is Coming March 10th – We Need You to Perform a Connectivity Test!

Reminder: The Next HA Rollover is Coming March 10th – We Need You to Perform a Connectivity Test!

Twice each year, CU*Answers tests our ability to redirect CU*BASE core-processing from our production data center in Kentwood, MI to our high-availability (HA) data center in Yankton, SD.  The next HA rollover is scheduled for Sunday, March 10th. The rollover is scheduled to begin at 1:00 AM ET on Sunday, March 10th with the rollback… Read more »

Feb 27, 2024

Network Maintenance Project Scheduled for Sunday, March 10th

Network Maintenance Project Scheduled for Sunday, March 10th

As a reminder, CU*Answers will be performing our next CU*BASE high-availability (HA) rollover on Sunday, March 10th.   That same morning, teams will be rolling over online and mobile banking systems to servers at our secondary data center. These rollovers are in preparation for a maintenance project at our production data center that will include… Read more »

Feb 27, 2024

Reminder: The Next HA Rollover is Coming March 10th – We Need You to Perform a Connectivity Test!

Reminder: The Next HA Rollover is Coming March 10th – We Need You to Perform a Connectivity Test!

Twice each year, CU*Answers tests our ability to redirect CU*BASE core-processing from our production data center in Kentwood, MI to our high-availability (HA) data center in Yankton, SD.  The next HA rollover is scheduled for Sunday, March 10th. The rollover is scheduled to begin at 1:00 AM ET on Sunday, March 10th with the rollback… Read more »

Feb 21, 2024

Online Banking Rollover Event Tomorrow – Updates to be Posted on the CU*BASE Alerts Page

Online Banking Rollover Event Tomorrow – Updates to be Posted on the CU*BASE Alerts Page

Don’t forget: tomorrow morning, we will be performing a Rollover for It’s Me 247 online/mobile banking (OLB) environments, as well as BizLink 247 online banking for business.  The Rollover event is scheduled to begin at 5:00 AM ET (2:00 AM PT) on Wednesday, February 14th, with the rollback scheduled for 6:00 AM ET (3:00 AM… Read more »

Feb 13, 2024