Page 1192 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

rest of the network.

               In some cases, responders take steps to mitigate the incident, but without letting the attacker know that the attack has been detected. This allows security personnel to monitor the attacker's activities and determine the scope of the attack before the attacker changes tactics or destroys evidence.


               Reporting

               Reporting covers two audiences: notifying people within the organization and notifying organizations and individuals outside it. Although there's no need to report a minor malware infection to a company's chief executive officer (CEO), upper-level management does need to know about serious security breaches.

               As an example, the WannaCry ransomware attack in 2017 infected more than 230,000 computers in more than 150 countries within a single day. The malware displayed a message of "Ooops your files have been encrypted." The attack reportedly infected parts of the United Kingdom's National Health Service (NHS), forcing some medical services to run on an emergency-only basis. As IT personnel learned of the impact of the attack, they began reporting it to supervisors, and this reporting very likely reached executives the same day the attack occurred.

               Organizations often have a legal requirement to report some incidents outside of the organization. Most countries (and many smaller jurisdictions, including states and cities) have enacted regulatory compliance laws to govern security breaches, particularly as they apply to sensitive data retained within information systems. These laws typically include a requirement to report the incident, especially if the security breach exposed customer data. Laws differ from locale to locale, but they generally seek to protect the privacy of individual records and information, to protect consumer identities, and to establish standards for financial practice and corporate governance. Every organization has a responsibility to know what laws apply to it and to abide by these laws.

               Many jurisdictions have specific laws governing the protection of
               personally identifiable information (PII). If a data breach exposes PII,